Ingress filtering on edge routers and performance concernsUnderstanding ARP and RoutersLearning switches and routersAccess list policy with odd and even filteringCommunication between BGP and OSPF routersCisco routers THROUGHPUT - MTU and packet sizeWhat are the significance of different types of routers?Routers and RIP violation of isolation?Some users/routers often can't access the internetWhether the network between Routers are circuit-switched network, and the network connected by Switches are packet-switched network?What's the meaning of “3D Universal Edge Routers”?
Can a British citizen living in France vote in both France and Britain in the European Elections?
Apt - strange requests to d16r8ew072anqo.cloudfront.net:80
Is the Indo-European language family made up?
Why did the person in charge of a principality not just declare themself king?
Why aren't space telescopes put in GEO?
Construct a word ladder
Question in discrete mathematics about group permutations
Why didn't Thanos use the Time Stone to stop the Avengers' plan?
Can the product of any two aperiodic functions which are defined on the entire number line be periodic?
Website returning plaintext password
Need to read my home electrical meter
Could a 19.25mm revolver actually exist?
Do photons bend spacetime or not?
Did this character show any indication of wanting to rule before S8E6?
Can a person survive on blood in place of water?
Can I tell a prospective employee that everyone in the team is leaving?
Is there an online tool which supports shared writing?
Sankey diagram: not getting the hang of it
Is the Unsullied name meant to be ironic? How did it come to be?
Why would Ryanair allow me to book this journey through a third party, but not through their own website?
What does $!# mean in Shell scripting?
A steel cutting sword?
How did NASA Langley end up with the first 737?
Count rotary dial pulses in a phone number (including letters)
Ingress filtering on edge routers and performance concerns
Understanding ARP and RoutersLearning switches and routersAccess list policy with odd and even filteringCommunication between BGP and OSPF routersCisco routers THROUGHPUT - MTU and packet sizeWhat are the significance of different types of routers?Routers and RIP violation of isolation?Some users/routers often can't access the internetWhether the network between Routers are circuit-switched network, and the network connected by Switches are packet-switched network?What's the meaning of “3D Universal Edge Routers”?
The RFC 4778 cover the Operational Security Practices in ISPs Environments back on 2007.
Among the best practices, a common one is Ingress Filtering on edge routers. In the above RFC, the author says the following:
Lack of consistency regarding the ability to filter, especially with
respect to performance issues, cause some ISPs not to implement BCP38
and BCP84 guidelines for ingress filtering. One such example is at
edge boxes, where up to 1000 T1s connecting into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that are connecting these
aggregation routers. Where performance is not an issue, the ISPs
make a tradeoff between management versus risk.
Is the impact on performance nowadays a concern among network operators to not deploy ingress filtering on their networks? Is there anything else to worry about? Can you provide some kind of evidence to support your argument?
Thank you all for the answers.
router network
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
The RFC 4778 cover the Operational Security Practices in ISPs Environments back on 2007.
Among the best practices, a common one is Ingress Filtering on edge routers. In the above RFC, the author says the following:
Lack of consistency regarding the ability to filter, especially with
respect to performance issues, cause some ISPs not to implement BCP38
and BCP84 guidelines for ingress filtering. One such example is at
edge boxes, where up to 1000 T1s connecting into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that are connecting these
aggregation routers. Where performance is not an issue, the ISPs
make a tradeoff between management versus risk.
Is the impact on performance nowadays a concern among network operators to not deploy ingress filtering on their networks? Is there anything else to worry about? Can you provide some kind of evidence to support your argument?
Thank you all for the answers.
router network
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
The RFC 4778 cover the Operational Security Practices in ISPs Environments back on 2007.
Among the best practices, a common one is Ingress Filtering on edge routers. In the above RFC, the author says the following:
Lack of consistency regarding the ability to filter, especially with
respect to performance issues, cause some ISPs not to implement BCP38
and BCP84 guidelines for ingress filtering. One such example is at
edge boxes, where up to 1000 T1s connecting into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that are connecting these
aggregation routers. Where performance is not an issue, the ISPs
make a tradeoff between management versus risk.
Is the impact on performance nowadays a concern among network operators to not deploy ingress filtering on their networks? Is there anything else to worry about? Can you provide some kind of evidence to support your argument?
Thank you all for the answers.
router network
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
The RFC 4778 cover the Operational Security Practices in ISPs Environments back on 2007.
Among the best practices, a common one is Ingress Filtering on edge routers. In the above RFC, the author says the following:
Lack of consistency regarding the ability to filter, especially with
respect to performance issues, cause some ISPs not to implement BCP38
and BCP84 guidelines for ingress filtering. One such example is at
edge boxes, where up to 1000 T1s connecting into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that are connecting these
aggregation routers. Where performance is not an issue, the ISPs
make a tradeoff between management versus risk.
Is the impact on performance nowadays a concern among network operators to not deploy ingress filtering on their networks? Is there anything else to worry about? Can you provide some kind of evidence to support your argument?
Thank you all for the answers.
router network
router network
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
Digos
asked 9 hours ago
DigosDigos
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
DigosDigos
133
asked 9 hours ago
DigosDigos
133
133
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Digos is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
A lot depends on the particular router model. Most newer, high performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "496"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Digos is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59360%2fingress-filtering-on-edge-routers-and-performance-concerns%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
A lot depends on the particular router model. Most newer, high performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
add a comment |
A lot depends on the particular router model. Most newer, high performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
add a comment |
A lot depends on the particular router model. Most newer, high performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
A lot depends on the particular router model. Most newer, high performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
answered 8 hours ago
Ron TrunkRon Trunk
42.2k33987
42.2k33987
add a comment |
add a comment |
Digos is a new contributor. Be nice, and check out our Code of Conduct.
Digos is a new contributor. Be nice, and check out our Code of Conduct.
Digos is a new contributor. Be nice, and check out our Code of Conduct.
Digos is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f59360%2fingress-filtering-on-edge-routers-and-performance-concerns%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
