Ingress filtering on edge routers and performance concerns
RFC 4778 covers the Operational Security Practices in ISP Environments back in 2007.
Among the best practices, a common one is Ingress Filtering on edge routers. In the above RFC, the author says the following:
Lack of consistency regarding the ability to filter, especially with
respect to performance issues, cause some ISPs not to implement BCP38
and BCP84 guidelines for ingress filtering. One such example is at
edge boxes, where up to 1000 T1s connecting into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that are connecting these
aggregation routers. Where performance is not an issue, the ISPs
make a tradeoff between management versus risk.
Is the impact on performance nowadays a concern among network operators to not deploy ingress filtering on their networks? Is there anything else to worry about? Can you provide some kind of evidence to support your argument?
Thank you all for the answers.
router network
asked 8 hours ago by Digos
1 Answer
A lot depends on the particular router model. Most newer, high-performance routers can filter in hardware - meaning they can filter at line rate. So there's no performance impact. But a lot of ISPs (and other places too) use older equipment (even from 2007) because "why change if it works?"
For management risk, every ISP decides, consciously or unconsciously, how much risk is involved in maintaining those access lists -- how often they need to change, how they test, what is the impact of making a mistake, etc.
answered 8 hours ago by Ron Trunk
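Added example, not part of the question or the answer above: a small Python model of the two ingress-filtering styles discussed on this page, a hand-maintained per-interface access list and uRPF (strict and loose), run over the same packets to show where each one fails. The route table, interface names, addresses and the mistyped ACL entry are all constructed, and treating loose mode as ignoring the default route is an assumption of this sketch.

```python
import ipaddress

# Constructed sample data using documentation prefixes; not from the original post.
FIB = {                      # route -> interface the router forwards it out of
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "cust2",
    "0.0.0.0/0": "uplink",
}
STATIC_ACL = {               # hand-maintained per-interface source filter
    "cust1": ["192.0.2.0/24"],
    "cust2": ["198.51.100.0/25"],   # constructed typo: the customer holds the /24
}

def best_route(src):
    """Longest-prefix match of src against FIB; returns the outgoing interface."""
    ip = ipaddress.ip_address(src)
    hits = [n for n in map(ipaddress.ip_network, FIB) if ip in n]
    if not hits:
        return None
    return FIB[str(max(hits, key=lambda n: n.prefixlen))]

def urpf_strict(src, in_iface):
    """Accept only if the route back to src points out the arrival interface."""
    return best_route(src) == in_iface

def urpf_loose(src):
    """Accept if any non-default route covers src (default ignored by assumption)."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in FIB if p != "0.0.0.0/0")

def acl_permits(src, in_iface):
    """Accept if src falls inside a prefix listed for the arrival interface."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(p) for p in STATIC_ACL.get(in_iface, []))

PACKETS = [                  # (source address, arrival interface), constructed
    ("192.0.2.10", "cust1"),       # legitimate
    ("203.0.113.5", "cust1"),      # source not routed to any customer
    ("198.51.100.7", "cust1"),     # another customer's address
    ("198.51.100.200", "cust2"),   # legitimate, but outside the mistyped ACL entry
]

def evaluate():
    """Return (src, iface, strict, loose, acl) verdicts for each sample packet."""
    return [(s, i, urpf_strict(s, i), urpf_loose(s), acl_permits(s, i))
            for s, i in PACKETS]

if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

The last packet is the management risk in miniature: one wrong prefix length in the static list drops a paying customer's traffic, while strict uRPF follows the routing table and accepts it. The third packet shows the opposite trade-off, where loose uRPF accepts a source that both strict uRPF and the ACL reject.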