[c-nsp] UDP/0 ACL IOSXR issue?
Bryan Holloway
bryan at shout.net
Fri Feb 8 14:38:12 EST 2019
Anyone aware of any issues with filtering destination UDP/0 at ingress
points on IOS XR?

We're running 5.3.4 SP8 and have telemetries to help us RTBH when the
need arises.

UDP/0 is a well-known vector for this sort of attack. However, what I'm
seeing is that packets seem to be getting past our ACLs even though we
are explicitly denying them.

"hardware counters" seem to corroborate that we're getting matches.

... and yet we're still seeing the traffic beyond the ingress.

Curious if anyone else has seen this.

Our egress-facing interface is a BE, if it matters ...