apologies, i see the original poster was talking about a
*backbone*... my mind was on campus/edge/customer networks. this
policy, of course, does not apply to backbones (unless you want an
avalanche of customer calls).
seems to me this is the wrong question... a default security
"posture" (network or system, isp or enterprise or any type of
entity) should be: "if it's not explicitly allowed, it's denied."