Re: [OPSEC] ACLs on SP edge nodes

Joel Jaeggli <> Thu, 28 May 2020 17:47 UTC

From: Joel Jaeggli <>
Date: Thu, 28 May 2020 10:47:34 -0700
Cc: OPSEC <>, John Scudder <>
To: Ron Bonica <>


> On May 27, 2020, at 14:21, Ron Bonica <> wrote:
> Folks,
> Does anybody know of a document that provides general recommendations for ACLs to be implemented on service provider edge nodes?

I would suspect there to be substantial variation on what people consider acceptable to drop, but a highly limited number of things that everyone would consider acceptable. By and large, if you're a transit provider your customers are paying for unmolested internet.

Some folks have NTP rate limits baked into their input ACLs due to mon_getlist that would be good to unbake. At this point you could probably recommend policy that would prevent the legacy issues, but it's also likely to be controversial.

Protection of infrastructure space is a substantial portion of the edge ACLs I've implemented. RFC 6192 policies writ large, e.g. overlap with control plane ACLs, figure prominently there.

BCP 38 and 84 are things that notionally get applied to customer-facing edges, hopefully not strict when dealing with multi-homed networks.

Martian filters, again BCP 84 but also BCP 171 and RFC 5735, are things that appear in input ACLs. Sometimes these are implemented as null routes from BGP route reflectors or contributed protocols rather than ACLs.

> Ron
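As an added illustration (not part of Joel's or Ron's messages), here is a toy Python evaluator that applies the ingress ACL categories named in the reply above to constructed sample flows: RFC 5735 martian filtering, BCP 38 source validation in strict versus loose mode for the multi-homed case, and RFC 6192 infrastructure protection. The prefixes, the check order and the trusted-management exception are assumptions made for the example.

```python
"""Toy evaluator for the ingress ACL categories discussed in the thread."""
from ipaddress import ip_address, ip_network

# Constructed martian list: a subset of the RFC 5735 special-use IPv4 blocks.
# The RFC 5737 documentation ranges are deliberately left out so they can
# stand in for customer, infrastructure and "internet" space below.
MARTIANS = ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")

# Constructed example addressing for one customer-facing edge port.
CUSTOMER = ("203.0.113.0/24",)            # prefix assigned to the customer
INFRA = ("198.51.100.0/24",)              # router loopbacks and core links
TRUSTED_MGMT = ("198.51.100.240/28",)     # NOC range allowed to reach infra


def in_any(addr, prefixes):
    """True if addr falls inside any of the given prefix strings."""
    return any(addr in ip_network(p) for p in prefixes)


def evaluate(src, dst, strict=True, trusted=TRUSTED_MGMT):
    """Return (action, reason) for a packet arriving on the customer port.

    Checks, in order: martian source/destination (RFC 5735); BCP 38 source
    validation, where strict admits only the customer's own prefixes and
    loose (for multi-homed customers) admits any non-martian source; then
    RFC 6192 protection of infrastructure addresses, except from trusted
    management space.  Everything else is transit and permitted."""
    src, dst = ip_address(src), ip_address(dst)
    if in_any(src, MARTIANS):
        return "drop", "martian source"
    if in_any(dst, MARTIANS):
        return "drop", "martian destination"
    if strict and not in_any(src, CUSTOMER):
        return "drop", "source outside customer prefixes (BCP 38 strict)"
    if in_any(dst, INFRA) and not in_any(src, trusted):
        return "drop", "infrastructure destination from untrusted source (RFC 6192)"
    return "permit", "transit"


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, strict BCP 38?)
    for s, d, strict in [("203.0.113.10", "192.0.2.1", True),
                         ("10.1.1.1", "192.0.2.1", True),
                         ("192.0.2.200", "192.0.2.1", True),
                         ("192.0.2.200", "192.0.2.1", False),
                         ("203.0.113.10", "198.51.100.1", True)]:
        mode = "strict" if strict else "loose"
        print(f"{s} -> {d} [{mode}]: {evaluate(s, d, strict)}")
```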