nanog mailing list archives
Re: BGP hijack from 23724 -> 4134 China?
From: Danny McPherson <danny () tcb net>
Date: Thu, 8 Apr 2010 22:05:23 -0600
On Apr 8, 2010, at 8:35 PM, Brielle Bruns wrote:
> More harm than good is a matter of opinion. Denying all of mainland China reduces the amount of attacks on my network. If you consider that masking security problems rather than fixing them, then *shrugs*. It's just one of many layers. It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.
FWIW, I get it - folks are surely going to implement local security policies that are first aligned with corporate [and national] security objectives. My concern is that if people think bogon filters break stuff, just wait until a couple thousand networks start selectively filtering countries based on some notion of geoIP mappings (e.g., CN today, KP and IR tomorrow, etc.), when in many cases prefixes span lots of national boundaries (as do many ASNs) - the Internet will continue to fragment and brokenness will result.

As an example of how such network filtering policies might well become an operational problem, consider a client using Online Certificate Status Protocol (OCSP) with X.509 digital certificates before setting up a secure connection to a web server somewhere in Asia (the server itself may well NOT be inside of China). The client, wanting to inquire as to the state (revocation status) of a particular certificate generated by that CNNIC CA embedded in their Firefox client, reaches out to an OCSP server that's authoritative for the cert - in this case CNNIC. Unfortunately, CNNIC, which primarily resides within 218.241.0.0/16, isn't reachable because of this entry in your ACL:

access-list 199 deny ip 218.240.0.0 0.7.255.255 any

Now, whether you or any of the users on your network choose to leave that CNNIC CA (or others) enabled in your client is a separate issue, but default drop policies such as you're recommending can certainly result in some collateral damage that can be very tedious to debug, and possibly even broaden attack surfaces themselves.

I'm not particularly a fan of bogon filters for reasons outlined here and elsewhere many times before - and bogon addresses theoretically don't have live clients and servers folks might legitimately be transacting with.

-danny
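The collateral-damage scenario above (a country-level wildcard-mask deny silently covering an OCSP responder's /16) can be checked mechanically before an ACL is deployed. The following is an added example and is not code from the thread or from any poster: it parses Cisco-style numbered ACL lines, converts the wildcard mask to CIDR where that is possible, evaluates first-match semantics with the implicit trailing deny, and reports which known dependency endpoints the ACL would block. The ACL lines other than the one quoted in the post, the dependency names, and the addresses 218.241.0.1 and 198.51.100.7 are constructed for illustration.

```python
"""Check a Cisco-style IPv4 ACL for collateral damage against known
dependency endpoints (OCSP responders, CRL distribution points, etc.).

Added example; the filler ACL lines and endpoint addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src_addr: int      # source address as a 32-bit integer
    src_wildcard: int  # Cisco wildcard mask: 1 bits are "don't care"
    raw: str           # original line, kept for reporting


def ip_to_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_cisco_acl(text: str) -> list[AclEntry]:
    """Parse lines of the form
    'access-list <n> <permit|deny> <proto> <src-spec> ...'.
    Only the source spec is evaluated; the destination is assumed 'any'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # comments, blank lines, unrelated config
        action, src = tok[2], tok[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected action in: {line}")
        if src == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif src == "host":
            addr, wild = ip_to_int(tok[5]), 0
        else:
            addr, wild = ip_to_int(src), ip_to_int(tok[5])
        entries.append(AclEntry(action, addr, wild, line.strip()))
    return entries


def wildcard_to_cidr(addr: int, wildcard: int) -> Optional[ipaddress.IPv4Network]:
    """Convert an address/wildcard pair to one CIDR network, or None when the
    wildcard is non-contiguous (e.g. 0.0.255.0) and has no single-prefix form."""
    # A contiguous run of low-order 1 bits means wildcard+1 is a power of two.
    if wildcard & (wildcard + 1):
        return None
    prefix = 32 - bin(wildcard).count("1")
    return ipaddress.IPv4Network((addr & ~wildcard & 0xFFFFFFFF, prefix))


def entry_matches(entry: AclEntry, ip: int) -> bool:
    """Cisco semantics: bits set in the wildcard are ignored. This also
    handles non-contiguous wildcards, which CIDR conversion cannot express."""
    care = ~entry.src_wildcard & 0xFFFFFFFF
    return (ip & care) == (entry.src_addr & care)


def evaluate(entries: list[AclEntry], ip_str: str) -> tuple[str, Optional[AclEntry]]:
    """First-match evaluation with Cisco's implicit 'deny' at the end."""
    ip = ip_to_int(ip_str)
    for e in entries:
        if entry_matches(e, ip):
            return e.action, e
    return "deny", None


def blocked_dependencies(acl_text: str, deps: dict[str, list[str]]) -> dict[str, list[tuple[str, str]]]:
    """deps maps a dependency name to the addresses it resolves to.
    Returns name -> [(address, matching ACL line)] for every denied address."""
    entries = parse_cisco_acl(acl_text)
    blocked: dict[str, list[tuple[str, str]]] = {}
    for name, addrs in deps.items():
        hits = []
        for a in addrs:
            action, e = evaluate(entries, a)
            if action == "deny":
                hits.append((a, e.raw if e else "<implicit deny>"))
        if hits:
            blocked[name] = hits
    return blocked


# Constructed sample ACL: the /13 deny quoted in the post, a filler deny on
# TEST-NET-3, and an explicit final permit.
SAMPLE_ACL = """\
access-list 199 deny ip 218.240.0.0 0.7.255.255 any
access-list 199 deny ip 203.0.113.0 0.0.0.255 any
access-list 199 permit ip any any
"""

# Constructed endpoints: a hypothetical responder inside 218.241.0.0/16 (the
# range the post names for CNNIC) and a hypothetical CRL host outside any deny.
SAMPLE_DEPS = {
    "ocsp-responder (hypothetical, in 218.241.0.0/16)": ["218.241.0.1"],
    "crl-host (hypothetical)": ["198.51.100.7"],
}

if __name__ == "__main__":
    for name, hits in blocked_dependencies(SAMPLE_ACL, SAMPLE_DEPS).items():
        for addr, line in hits:
            print(f"{name}: {addr} denied by '{line}'")
```

Run against a real ACL, the dependency map would be populated from the OCSP and CRL URLs of the CA certificates your clients trust, resolved to addresses; the point of the wildcard-to-CIDR step is that `0.7.255.255` is a /13, so the single entry in the post covers eight /16s, not just the one the operator had in mind.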
Current thread:
- Re: BGP hijack from 23724 -> 4134 China?, (continued)
- Re: BGP hijack from 23724 -> 4134 China? Raymond Dijkxhoorn (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Brielle Bruns (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Jay Hennigan (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Beavis (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Brielle Bruns (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Will Clayton (Apr 08)
- RE: BGP hijack from 23724 -> 4134 China? Aaron Wendel (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Brielle Bruns (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Danny McPherson (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Brielle Bruns (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Danny McPherson (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? James Hess (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? goemon (Apr 08)
- RE: BGP hijack from 23724 -> 4134 China? George Bonser (Apr 09)
- RE: BGP hijack from 23724 -> 4134 China? goemon (Apr 09)
- Re: BGP hijack from 23724 -> 4134 China? Larry Smith (Apr 08)
- Re: BGP hijack from 23724 -> 4134 China? Michael Holstein (Apr 09)
- Re: BGP hijack from 23724 -> 4134 China? Benjamin BILLON (Apr 09)
- Re: BGP hijack from 23724 -> 4134 China? Jeroen van Aart (Apr 09)
- Re: BGP hijack from 23724 -> 4134 China? Benjamin Billon (Apr 09)
- Re: BGP hijack from 23724 -> 4134 China? Jeroen van Aart (Apr 09)