[c-nsp] IP Options Drop

Saku Ytti saku at ytti.fi
Mon Apr 21 12:53:29 EDT 2014


On (2014-04-21 16:36 +0000), Dobbins, Roland wrote:

> iACLs should be applied at all edges of the network, including customer aggregation edges, IDC distribution edges, et al.

Yes. But often can't as network isn't homogeneous and can't support same set
of features throughout, peering edge often is small enough to justify extra
investments.

Luckily, as long as you can implement BCP38 in customer-edge you're reasonably
safe, as you can identify offending customers and legally take action, such as
shutting down the port. Which you can't easily do for peering-edge attacks.

-- 
  ++ytti

