nanog mailing list archives
RE: 69/8...this sucks
From: jlewis () lewis org
Date: Mon, 10 Mar 2003 22:18:51 -0500 (EST)
On Mon, 10 Mar 2003, Frank Scalzo wrote:
> We don't need the administrative headache of ICANN/ARIN/RIRs on this. Someone could just do it with a private ASN and advertise the route with an arbitrarily null routed next-hop.
That's a non-solution that will never happen. How many networks are going to trust joe somebody to inject null routes into their backbone? Will UUNet/Sprint/C&W/Level3/etc. trust me or Rob to tell them what's a bogon and what's not? I really doubt it. They might have an easier time trusting their local RIR, but I wouldn't be surprised if they didn't. I realize this sort of thing worked early on with the RBL, but that was for a different purpose. For those who took the RBL via BGP, I suspect the benefit of blocking spammers from their networks outweighed the risk of RBL abuse and people trusted Vixie to be objective and honest.
> That doesn't solve the problem of bad filters on firewalls.
Several people pointed that out earlier. Botched / outdated firewall configs may be a bigger problem than BGP filters. For a glimpse at why, see http://groups.google.com/groups?q=69.0.0.0%2F8&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search
> The problem is lots of books/webpages/templates/etc. say filter bogons. People not smart enough to understand the responsibilities of doing so implement it and forget it. Instead of trying to beat up on the large
Worse is that there are pages and pages full of links to usenet posts with these outdated bogon filters. Books and web pages can be updated. The usenet archive isn't going away and won't be revised. People who don't know any better are going to continue to misconfigure bogon filters indefinitely unless something is done to periodically whack some sense into them.
> Funny the media gets all excited about BGP security and DDoS attacks against a root nameserver yet no one ever seems to mention the real scalability issues like that we can't allocate large parts of the net because many network operators aren't bright enough to update filters.
I know some writers watch nanog for potential stories. Wake up guys, this should be one...if not for the news value "ARIN gives out unusable IPs, future of the Net in question", then at least for the public service value of getting the word out that bogon filters need to be maintained and kept up to date or they do more harm than good.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator           |  therefore you are
 Atlantic Net                   |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
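
The maintenance check this message argues for, as an added example that is not part of the original post: it audits a copied bogon deny list against prefixes that have since been allocated. The `deny <prefix>` line format, the sample filter and the `ALLOCATED` list are assumptions constructed for illustration; only 69.0.0.0/8 comes from the thread.

```python
import ipaddress

# Assumption: prefixes now allocated for use. 69.0.0.0/8 is the block from
# the thread; a real audit would load current IANA/RIR allocation data here.
ALLOCATED = ["69.0.0.0/8"]

# Constructed sample of a bogon template copied long ago. The
# "deny <prefix>" line format is hypothetical, not any vendor's syntax.
SAMPLE_FILTER = """\
# bogon list pasted from an old template
deny 10.0.0.0/8
deny 68.0.0.0/7
deny 69.0.0.0/8
deny 69.128.0.0/9
deny 192.168.0.0/16
deny not-a-prefix
"""


def stale_entries(filter_text, allocated=ALLOCATED):
    """Return (stale, unparsed).

    stale: (line number, deny prefix, overlapping allocated prefixes)
    unparsed: (line number, raw line) for lines the audit could not read,
    reported rather than skipped so a typo cannot hide a stale entry.
    """
    alloc = [ipaddress.ip_network(p) for p in allocated]
    stale, unparsed = [], []
    for lineno, raw in enumerate(filter_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            if len(fields) != 2 or fields[0] != "deny":
                raise ValueError("unexpected line format")
            net = ipaddress.ip_network(fields[1], strict=False)
        except ValueError:
            unparsed.append((lineno, raw))
            continue
        # overlaps() catches exact matches, more-specifics and covering
        # aggregates such as 68.0.0.0/7, which also blocks 69.0.0.0/8.
        hits = [str(a) for a in alloc
                if a.version == net.version and net.overlaps(a)]
        if hits:
            stale.append((lineno, str(net), hits))
    return stale, unparsed
```

Run on a schedule against each deployed filter, a non-empty `stale` list means the filter is dropping traffic from allocated address space and needs updating.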