nanog mailing list archives
Re: Bogon filtering (don't ban me)
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Sun, 5 Dec 2004 23:17:12 +0100
On 5-dec-04, at 22:06, Cliff Albert wrote:
>> So filtering at the /8 level as in the document linked above isn't really going to buy you much in practice.

> /8 le /32 still stands for /8 and more-specifics as I remember ? :)

You don't say... What will they come up with next?? My point is that if there is even a small part of a /8 in use, then the /8 isn't in the bogon list. For instance, 191.0.0.0/8 isn't there, although AFAIK this space isn't used, it's just that 191.255.0.0/16 is "reserved".
> Secondly not everything is about security but also about keeping routing tables clean and useful, as more people noticed today.
If only we could...
> Filtering bogons away is just an extra step in making sure that you transport real traffic instead of bogus traffic of which you are 100% sure that it's *useless* traffic. uRPF will fix it for your own network,
Right. So there is no need to use bogon lists.
> but filtering bogon routes away in BGP will also make your downstream a happier place.
You are assuming that there are significant bogon routes in the routing table. I'm sure there is bad stuff in the global routing table from time to time that Rob's bogon list will catch, but I seriously doubt it's very much. Injecting bogon routes so you can get past uRPF doesn't make sense (except maybe for the first-hop AS), and for any other (ab)use such as spamming, selecting something that isn't as obvious is much more useful.
(In any case, ISPs accepting bogon routes from their customers is completely unacceptable. Filtering routes from peers isn't always feasible, and even lack of source address filtering on ingress from customers can be excusable at times, but filtering BGP advertisements from customers is every ISP's sacred duty.)
> The only argument from you I have seen against bogon filtering is the fact that the lists aren't updated by certain parties.
I've never felt that it's useful. So one argument against is more than sufficient.
However, allow me to contradict myself by taking the position that it's better for us network operators to do bogon filtering so our customers don't have to, rather than have any fool with an ipfw or similar shoot himself in the foot. The preferred way to do this would be uRPF.
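The two mechanics the exchange above turns on, a prefix-list entry of the form "prefix le 32" matching the prefix and all its more-specifics, and the fact that a /8 with even one in-use or reserved piece cannot appear on a bogon list, as an added Python example. This is not code from the thread or from any bogon-list project; the list entries and the received routes are constructed samples, and the (prefix, le) tuples only mirror the shape of a router prefix-list line.

```python
import ipaddress

# Constructed sample bogon prefix-list in the (prefix, le) shape of a router
# "deny <prefix> le <len>" entry. Illustrative only, not the live list the
# thread refers to.
BOGON_ENTRIES = [
    ("0.0.0.0/8", 32),
    ("10.0.0.0/8", 32),
    ("127.0.0.0/8", 32),
    ("192.0.2.0/24", 32),
    ("240.0.0.0/4", 32),
]


def prefix_list_matches(entries, route):
    """True if `route` hits any entry under "prefix le N" semantics: the route
    lies inside the entry's prefix and its length is between the entry's
    length and N.  A /7 that merely covers 10.0.0.0/8 is therefore NOT matched
    by "10.0.0.0/8 le 32", and a /16 from an unlisted block is not either."""
    net = ipaddress.ip_network(route, strict=False)
    for prefix, le in entries:
        entry = ipaddress.ip_network(prefix)
        if net.version != entry.version:
            continue  # subnet_of() refuses mixed address families
        if net.subnet_of(entry) and entry.prefixlen <= net.prefixlen <= le:
            return True
    return False


def can_list_aggregate_as_bogon(aggregate, in_use):
    """A covering aggregate (say, a /8) can only go on a bogon list if no part
    of it is allocated or reserved: a single in-use more-specific disqualifies
    the whole aggregate, which is why /8-granularity bogon lists are coarse."""
    agg = ipaddress.ip_network(aggregate)
    return not any(agg.overlaps(ipaddress.ip_network(p)) for p in in_use)


def bogon_routes(entries, routes):
    """Reduce a set of received routes to those the bogon prefix-list would deny."""
    return [r for r in routes if prefix_list_matches(entries, r)]


if __name__ == "__main__":
    # Constructed sample of routes as they might be received from a neighbour.
    received = ["10.1.0.0/16", "10.0.0.0/7", "192.0.2.128/25",
                "191.255.0.0/16", "198.51.100.0/24"]
    print(bogon_routes(BOGON_ENTRIES, received))
    # 191.0.0.0/8 cannot be listed while 191.255.0.0/16 is reserved, the
    # situation described in the message above.
    print(can_list_aggregate_as_bogon("191.0.0.0/8", ["191.255.0.0/16"]))
```

The version guard matters because `subnet_of()` raises on mixed IPv4/IPv6 arguments, and the length check is what gives "le" its meaning: without `entry.prefixlen <= net.prefixlen`, a less-specific route that happens to contain the listed prefix would be treated as a hit.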