On Tue, 9 Oct 2001, Grant A. Kirkwood wrote:
> I'm currently in the process of setting up a new border router, and the recent debate on the above topic got me wondering what the best practice filtering policy is? Is there one?
I don't think so. If you want to filter to keep your routing table small, filtering out all /24s is the way to go. These are 60% of the routing table. Even in class A and B space 40% of the announcements are individual /24s. Most people that announce a /24 are also reachable over an aggregate so you wouldn't break too much connectivity. If you want to filter against bad aggregation, you should look at class A and B space and 192/8, there is a lot of that going on there, but usually on "valid" prefix lengths such as /20 in A and /16 in B. So if you want to filter those routes you'll have to do it on AS number, and you break connectivity. But you can refuse to peer with ASes that don't aggregate without having a good reason. (And if there is one for what's going on in 24/8, I'd like to know.)
> And what do people put in place in terms of anti-spoofing ACLs and such? There's a wealth of information on these topics, but no real consensus.
Depends on your paranoia level. You should always refuse incoming packets with local source addresses. Outgoing packets with non-local source addresses are bad, and incoming ICMP redirects aren't good either. You should probably have filters that implement all of this at your border routers, disable source routing and directed broadcasts (on every interface of every router!) and route 10/8, 127/8, 172.16/12 and 192.168/16 to the null interface. That should be enough for most people. Others like to filter more aggressively, for instance all non-allocated address blocks and things like the official test network 192.0.2.0.

Iljitsch van Beijnum
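The two policies in the reply above, the /24 route filter and the anti-spoofing plus null-route rules, modelled in Python as an added example that is not part of the thread; the local prefix 198.51.100.0/24 and the remote sample addresses are constructed, and the "paranoid" switch stands for the more aggressive filtering of the test network.

```python
import ipaddress

# Constructed sample: the prefix this site originates (assumed, not from the thread).
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Blocks the reply says to route to the null interface.
NULL_ROUTED = [ipaddress.ip_network(p) for p in
               ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The "more aggressive" extra: the official test network mentioned in the reply.
TEST_NET = [ipaddress.ip_network("192.0.2.0/24")]

ICMP_REDIRECT = 5  # ICMP type number for Redirect


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def ingress_verdict(src, icmp_type=None, paranoid=False):
    """Inbound at the border: refuse local source addresses (spoofed),
    sources we null-route anyway, and ICMP redirects. With paranoid=True
    also refuse the test network, as the reply suggests for the cautious."""
    s = ipaddress.ip_address(src)
    if _in_any(s, LOCAL_PREFIXES):
        return "drop: local source arriving from outside"
    if _in_any(s, NULL_ROUTED + (TEST_NET if paranoid else [])):
        return "drop: unroutable source"
    if icmp_type == ICMP_REDIRECT:
        return "drop: ICMP redirect"
    return "permit"


def egress_verdict(src):
    """Outbound at the border: only our own prefixes may be source addresses."""
    if not _in_any(ipaddress.ip_address(src), LOCAL_PREFIXES):
        return "drop: non-local source leaving"
    return "permit"


def next_hop_for(dst):
    """Forwarding check: private and loopback space goes to the null interface."""
    return "Null0" if _in_any(ipaddress.ip_address(dst), NULL_ROUTED) else "forward"


def accept_announcement(prefix, longest=23):
    """BGP inbound route filter from the first point: drop every /24 (and longer)
    to shrink the table, relying on the covering aggregate for reachability."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen <= longest
```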