15 Oct 2020, 6:11 a.m.
Hey,
All stub autonomous systems should have a simple egress ACL allowing only PI of their customers and their own PAs - it's a simple ACL at each AS exit point (towards transits/peers), that's it.
- not sure why this isn't the first sentence in every BCP and "security bulletin"...
I will venture a guess.

1) it's a very specific scenario to be stubby and have downstream PI
2) it won't address customers spoofing each other arbitrarily, and customer1 spoofing as customer2 on the internet, giving a large chunk of the utility of spoofing even with protection in place

How do you maintain that ACL? Why doesn't that same mechanism allow ingress ACL on the customer port?

Your proposal looks low utility for work needed.

--
++ytti
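As an added illustration of the two filters discussed in this exchange (example code, not written by either poster), the following Python models a stub AS's aggregate egress ACL at the exit point beside a per-customer-port ingress ACL. The prefixes are constructed RFC 5737 / RFC 3849 documentation ranges and the customer names are hypothetical. It shows the case raised in point 2: a packet sent from customer1's port with a source address inside customer2's PI passes the aggregate egress ACL and is forwarded unless a per-port ingress ACL is also in place.

```python
import ipaddress

# Constructed sample prefixes (documentation ranges, not real allocations).
OWN_PA = ["192.0.2.0/24", "2001:db8:1::/48"]       # the stub AS's own PA space
CUSTOMER_PI = {                                    # hypothetical downstream customers
    "cust1": ["198.51.100.0/25"],
    "cust2": ["198.51.100.128/25"],
}


def _nets(prefixes):
    """Parse a list of prefix strings into ip_network objects (v4 and v6 mixed is fine)."""
    return [ipaddress.ip_network(p) for p in prefixes]


def egress_permitted(src):
    """Aggregate egress ACL at the AS exit (towards transits/peers):
    permit only sources inside own PA or any customer's PI, deny everything else."""
    ip = ipaddress.ip_address(src)
    allowed = _nets(OWN_PA) + [n for ps in CUSTOMER_PI.values() for n in _nets(ps)]
    # ipaddress returns False (no exception) when the address family differs.
    return any(ip in n for n in allowed)


def ingress_permitted(customer, src):
    """Per-port ingress ACL on one customer interface:
    permit only that customer's own prefixes."""
    ip = ipaddress.ip_address(src)
    return any(ip in n for n in _nets(CUSTOMER_PI[customer]))


def outcome(customer_port, src, per_port_ingress=True):
    """Where a packet entering on `customer_port` with source `src` is stopped:
    'ingress' (customer-port ACL), 'egress' (AS-exit ACL) or 'forwarded'."""
    if per_port_ingress and not ingress_permitted(customer_port, src):
        return "ingress"
    if not egress_permitted(src):
        return "egress"
    return "forwarded"


def render_egress_acl():
    """Render the aggregate egress ACL as prefix-list style lines (illustrative
    syntax, not any vendor's exact CLI). Every PI change means regenerating this."""
    lines = [f"permit {n}" for n in _nets(OWN_PA)]
    for cust, ps in CUSTOMER_PI.items():
        lines += [f"permit {n}  ! {cust}" for n in _nets(ps)]
    lines.append("deny any")
    return lines


if __name__ == "__main__":
    # cust1 spoofing an address from cust2's PI: egress ACL alone forwards it.
    print(outcome("cust1", "198.51.100.200", per_port_ingress=False))  # forwarded
    print(outcome("cust1", "198.51.100.200"))                          # ingress
    # A source outside the AS entirely is caught at the exit either way.
    print(outcome("cust1", "203.0.113.5", per_port_ingress=False))     # egress
    print("\n".join(render_egress_acl()))
```

The `render_egress_acl` output makes the maintenance point concrete: the exit ACL is a flat list that has to be regenerated whenever a customer's PI changes, while the per-port ingress ACL only ever lists that one customer's prefixes.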