seems to me this is the wrong question... a default security
"posture" (network or system, isp or enterprise or any type of
entity) should be: "if it's not explicitly allowed, it's denied."
apologies, i see the original poster was talking about a *backbone*... my mind was on campus/edge/customer networks. this policy, of course, does not apply to backbones (unless you want an avalanche of customer calls).
-b