This is about ingress ACL not egress.

On Thu, 15 Oct 2020 at 12:00, <adamv0...@netconsultings.com> wrote:

> Simple,
>
> All stub autonomous systems should have a simple egress ACL allowing only
> PI of their customers and their own PAs - it’s a simple ACL at each AS-Exit
> points (towards transits/peers), that’s it.
>
> - not sure why this isn’t the first sentence in every BCP and “security
> bulletin”…
>
> adam
>
> *From:* NANOG <nanog-bounces+adamv0025=netconsultings....@nanog.org> *On
> Behalf Of* Baldur Norddahl
> *Sent:* Thursday, October 15, 2020 8:38 AM
> *To:* nanog@nanog.org
> *Subject:* Re: Ingress filtering on transits, peers, and IX ports
>
> All DNS resolvers discovered on our network belong to customers. Our own
> resolvers, running unbound, were not discovered.
>
> While filtering same AS on ingress could help those customers (but only
> one was an open relay), filtering bogons is something the customer can also
> do. Or the software can be fixed. Do we really expect the ISP to implement
> firewalls instead of customers upgrading software?
>
> I also note that apparently our own ISPs (transits) do not filter bogons
> either.
>
> The above is a principal question. I am going to filter bogons, it just is
> not very high on my long list of stuff to do.
>
> Regards
>
> Baldur
>
> On Wed, 14 Oct 2020 at 20:53, Casey Deccio <ca...@deccio.net> wrote:
>
> Hi Bryan,
>
> > On Oct 14, 2020, at 12:43 PM, Bryan Holloway <br...@shout.net> wrote:
> >
> > I too would like to know more about their methodology
>
> We've written up our methodology and results in a paper that will be
> available in a few weeks. Happy to post it here if folks are interested.
> Obviously, no networks are individually identified; it's all aggregate.
>
> Also, we're working on a self-test tool, but it's not quite ready yet.
> Sorry.
>
> > and actual tangibles ideally in the form of PCAPs.
>
> What do you mean by "tangibles in the form of PCAPs"?
>
> Casey
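
Added example, not part of the thread: a small Python model of the two filters being contrasted above, the egress ACL at AS-exit points (permit only own PA and customer PI as source) and the ingress filter on transit, peer, and IX ports (drop same-AS and bogon sources). The prefixes, the partial bogon list, and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed address plan: documentation prefixes stand in for real space.
OWN_PA = [ipaddress.ip_network("198.51.100.0/24")]       # our own PA
CUSTOMER_PI = [ipaddress.ip_network("203.0.113.0/24")]   # a customer's PI

# Partial bogon list; documentation ranges are left out only because the
# constructed plan above uses them as stand-ins.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def egress_verdict(src):
    """Egress ACL on AS-exit ports: only our PA and customers' PI may leave."""
    addr = ipaddress.ip_address(src)
    return "permit" if _in_any(addr, OWN_PA + CUSTOMER_PI) else "deny"


def ingress_verdict(src):
    """Ingress ACL on transit/peer/IX ports: drop sources that should never
    arrive from outside. Customer PI is not matched here, since a multihomed
    customer's traffic can legitimately arrive via another provider."""
    addr = ipaddress.ip_address(src)
    if _in_any(addr, OWN_PA):
        return "deny:same-as-source"
    if _in_any(addr, BOGONS):
        return "deny:bogon"
    return "permit"


if __name__ == "__main__":
    # Constructed sample source addresses.
    for src in ("198.51.100.7", "203.0.113.9", "192.168.1.1", "8.8.8.8"):
        print(f"{src:15} egress={egress_verdict(src):6} "
              f"ingress={ingress_verdict(src)}")
```

The egress filter stops spoofed traffic leaving a stub AS; the ingress filter is what protects a resolver inside the AS from queries that claim an internal or bogon source.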