On Tue, 27 Sep 2016, White, Andrew wrote:
> This assumes the ISP manages the customer's CPE or home router, which is often not the case. Adding such ACLs to the upstream device, operated by the ISP, is not always easy or feasible.
Which is why the manufacturer should deploy a default config which does this. Whatever the WAN IP (and by default, in 90%+ of configurations, there is a single WAN IP for the CPE), ACLs are automatically managed to block all outbound packets that are NOT from the WAN IP. And when DHCP or PPPoE gives a new IP, the rules are rewritten automatically by the CPE with updated rules. This won't fix the DDoS attack from IoT devices or IP cameras or whatnot that don't attempt to hide their IP, but it would help with spoofing at the edge for the non-network-savvy.
> It would make sense for most ISPs to have egress filtering at the edge (transit and peering points) to filter out packets that should not originate from the ISP's ASN, although this does not prevent spoofing between points in the ISP's network.
Multi-tiered approaches are excellent. Start with the CPE, move to your aggs, then your big iron at the edges. Automate deployments and rule generation.

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
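The CPE-side rule Peter describes above (drop anything leaving the WAN side that is not sourced from the current WAN address, and rewrite the rule whenever DHCP hands out a new lease), as an added example that is not part of the original thread: a dhclient exit hook that regenerates an nftables ruleset. It assumes a routed CPE with a single IPv4 WAN address, that dhclient-script exports $reason, $interface and $new_ip_address to scripts under /etc/dhcp/dhclient-exit-hooks.d/ (the usual convention), and that nft is installed; the table name cpe_egress and the fallback interface eth0 are made up for the example. Andrew's ISP-edge filter is the same check with the ASN's prefix list in place of the single address, and the same generate-and-replace approach is what the automated rule generation Peter mentions would do there.

```shell
#!/bin/sh
# Added example (not code from the original post). dhclient exit hook:
# on every new or renewed lease, atomically replace an nftables table
# that drops IPv4 packets leaving the WAN interface whose source is not
# the address the lease gave us. $reason, $interface and $new_ip_address
# are set by dhclient-script; "cpe_egress" and "eth0" are assumed names.

WAN_IF=${interface:-eth0}

# Accept only four dotted-decimal octets in 0-255. The lease value comes
# from the network and is interpolated into nft input, so a hostile DHCP
# server must not be able to smuggle ruleset commands through it.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case "$rest" in
            *.*) rest=${rest#*.} ;;
            *)   rest= ;;
        esac
    done
    [ "$n" -eq 4 ]
}

# Print a complete nft script for the given WAN address. Declaring the
# table and then deleting it lets "nft -f" replace it atomically whether
# or not it already exists. Priority 150 sits after srcnat (100), so the
# source checked is the one that will actually go on the wire. "ip saddr"
# matches only IPv4; an IPv6 delegated prefix would need its own rule.
build_ruleset() {
    wan_ip=$1
    valid_ipv4 "$wan_ip" || return 1
    cat <<EOF
table inet cpe_egress
delete table inet cpe_egress
table inet cpe_egress {
    chain wan_out {
        type filter hook postrouting priority 150; policy accept;
        oifname "$WAN_IF" ip saddr != $wan_ip counter drop
    }
}
EOF
}

# Entry point when sourced by dhclient-script. Outside of a lease event
# ($reason unset) the hook defines its functions and does nothing.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if valid_ipv4 "${new_ip_address:-}"; then
            build_ruleset "$new_ip_address" | nft -f -
        else
            logger -t cpe_egress "refusing to install rule for '${new_ip_address:-}'"
        fi
        ;;
esac
```

Two caveats a deployer would want. On a CPE that masquerades, srcnat already rewrites the source of every forwarded packet it tracks, so this rule mostly matters for routed or bridged setups and for the router's own traffic; and because the address is checked after NAT, a LAN host spoofing a foreign source is stopped by the NAT rather than by the counter on this rule. Dropping rather than rejecting keeps a spoofing host from learning which sources are filtered.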