On Tue, 27 Sep 2016, White, Andrew wrote:

This assumes the ISP manages the customer's CPE or home router, which is
often not the case. Adding such ACLs to the upstream device, operated by
the ISP, is not always easy or feasible.

 Which is why the manufacturer should deploy a default config which does
 this. Whatever the WAN IP, and by default, and in 90%+ configurations,
 there is a single WAN IP for CPE, ACLs are automatically managed to block
 all outbound packets that are NOT From: the WAN IP.

 And when DHCP or PPPoE gives a new IP, the rules are rewritten
 automatically by the CPE with updated rules.

 This won't fix the DDOS attach from IoT devices or IP Cameras or whatnot
 that don't attempt to hide their IP, but it would help with spoofing at
 the edge for the non-network saavy.

It would make sense for most ISPs to have egress filtering at the edge
(transit and peering points) to filter out packets that should not
originate from the ISP's ASN, although this does not prevent spoofing
between points in the ISP's network.

 Multi-tiered approaches are excellent. Start with the CPE, move to your
 aggs, then your big iron at the edges. Automate deployments and rule

Peter Beckman                                                  Internet Guy
beck...@angryox.com                                 http://www.angryox.com/

Reply via email to