RE: Best practice ACLs for an internet-facing border router?
I do not think there is a "best practice." In fact, "Operational Entropy" (1) has a big factor with packet filtering ACLs on the interconnect side of an SP. So you are not going to find a lot of packet filtering on SP-SP links. There are links and presentations you can refer to help build an iACL (Infrastructure protecting ACL).

Whitepaper on Infrastructure ACLs (iACLs):
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_white_paper0900aecd802b8f21.shtml
(principles in this one can be converted to any packet filter)

Team CYMRU's Secure Templates:
http://www.cymru.com/Documents/secure-ios-template.html
http://www.qorbit.net/documents/junos-template.pdf

Next Gen Peering Architectures and Tools:
ftp://ftp-eng.cisco.com/cons/isp/security/CPN-Summit-2004/Paris-Sept-04/
File: SE12-NEXT-GENERATION-PEERING-AND-INTERCONNECTION-ARCHITECTURES-10120_08_2004_c1_SE12.pdf

(1) Operational Entropy is the process of natural decay that starts the moment the policy gets applied. OPEX resources need to be allocated to ensure the entropy does not lead to operational consequence (i.e. the decayed policy breaks things).
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Drew Weaver
Sent: Monday, June 13, 2005 7:28 AM
To: nanog@merit.edu
Subject: Best practice ACLs for an internet-facing border router?
I'm just curious if anyone has ever published a list of what is an agreed upon best practice list of ACLs for an internet-facing border router. I'm talking about things like bogons, private IP addresses, et cetera. If anyone is aware of anything like this I'd like to see it.
Thanks, -Drew
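As an added illustration (not from Barry's reply, the Cisco whitepaper, or the Cymru templates he links), here is the skeleton of an iACL in Cisco IOS syntax, applied inbound on the interconnect, following the principle those documents describe: drop the RFC 1918 and static bogon sources Drew asks about, admit only the expected control-plane and operations sessions to infrastructure addresses, deny everything else aimed at infrastructure, and pass transit untouched. All prefixes are constructed from RFC 5737 documentation space (192.0.2.0/24 as the SP's infrastructure block, 198.51.100.0/30 as the peering link, 203.0.113.0/24 as the NOC), and the interface, AS number and ACL name are placeholders.

```cisco
! Constructed example: 192.0.2.0/24 = our infrastructure block,
! 198.51.100.2 = our side of the peering link, 198.51.100.1 = the peer.
ip access-list extended IACL-EDGE-IN
 remark --- anti-spoof: nothing outside may claim our infrastructure space as source
 deny   ip 192.0.2.0 0.0.0.255 any
 remark --- private and never-routable sources (static set; full bogon list from Team Cymru)
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 remark --- control plane that must reach infrastructure: eBGP with this peer only
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark --- keep path MTU discovery working toward infrastructure
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark --- operations access only from the NOC prefix (constructed 203.0.113.0/24)
 permit tcp 203.0.113.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 22
 remark --- everything else aimed at infrastructure is dropped and logged
 deny   ip any 192.0.2.0 0.0.0.255 log
 deny   ip any host 198.51.100.2 log
 remark --- transit traffic to customers is not filtered by this ACL
 permit ip any any
!
interface GigabitEthernet0/0
 description Peering link to AS64496 (constructed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group IACL-EDGE-IN in
!
! After applying, watch the counters: a climbing count on the logged denies
! shows what is being blocked, and a legitimate session appearing there is
! the "operational entropy" the footnote describes, i.e. policy that has decayed.
! show ip access-lists IACL-EDGE-IN
```

The static bogon entries above are the stable never-routable ranges only; the unallocated-space portion of a bogon list changes over time and should be refreshed from the Cymru material rather than hand-maintained.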
participants (1): Barry Greene (bgreene)