nanog mailing list archives
Re: BGP conf
From: Jeff Wheeler <jsw () inconcepts biz>
Date: Wed, 2 Nov 2011 22:19:11 -0400
On Wed, Nov 2, 2011 at 10:04 PM, Jack Bates <jbates () brightok net> wrote:
Have to read the current cymru bgp templates? ! manner. Why not consider peering with our globally distributed bogon ! route-server project? Alternately you can obtain a current and well
I'm not telling you something you don't already know, but for the novices who regard this list as a source of expertise, I will explain in greater detail why this is a really dumb idea. If you took a list of bogons over eBGP from Cymru, you would get unused /8s and similar. What you don't get is a route that matches whatever silly thing someone on the DFZ accidentally leaked: a more-specific that will still cause you to route traffic to their leaked prefix out to the Internet (and presumably, to their network.) There is nothing good about this. It's just adding unnecessary complexity for no operational benefit. There is bad about it. It adds complexity and risk. What is that risk? If you decide that the Cymru "distributed bogon route-server" is for you, and simply rewrite next-hops received on that session to Null0, it is possible that Cymru could make an error, or otherwise introduce non-bogon routes into your network as if they were bogons, causing black-holes. This is obviously too much to risk for something that has no operational benefit. The Cymru guys do many positive things. One of the more questionable things they do, though, is operate a route-server with the intention of black-holing botnet C&C IPs on a very wide scale. This is certainly a positive thing to do, but it was not done in a transparent manner; and in fact didn't even have management approval at Cogent when they configured it on their network. There was no established channel to find out why your IP address appeared on this list or to get it removed. All it took for me to get the whole idea canned at Cogent was one inquiry to management, asking why engineers had quietly started using a clandestine blackhole list operated by a third-party and would not give any answers to a customer if one of their IPs appeared on that list. The IP address I inquired about was certainly not a botnet C&C node, and how it ended up on that list is a mystery. I'm not saying there was any malicious intent, but it was a mistake at least. Trusting that "bogon" black-hole list to do something you don't even need to do anyway is not smart. It's *especially* not smart for some novice who doesn't understand the implications of his decision. This is the danger of "cut & paste engineering." -- Jeff S Wheeler <jsw () inconcepts biz> Sr Network Operator / Innovative Network Concepts
Current thread:
- Re: BGP conf, (continued)
- Re: BGP conf Mark Gauvin (Nov 01)
- Re: BGP conf Edward avanti (Nov 01)
- Re: BGP conf Jeff Wheeler (Nov 01)
- Re: BGP conf McCall, Gabriel (Nov 01)
- RE: BGP conf Holmes,David A (Nov 02)
- Re: BGP conf Edward avanti (Nov 02)
- Re: BGP conf Jeff Wheeler (Nov 02)
- Re: BGP conf Jack Bates (Nov 02)
- Re: BGP conf Jeff Wheeler (Nov 02)
- Re: BGP conf Jack Bates (Nov 02)
- Re: BGP conf Jeff Wheeler (Nov 02)
- Re: BGP conf Jeff Kell (Nov 02)
- RE: BGP conf Holmes,David A (Nov 02)
- Re: BGP conf Mark Gauvin (Nov 01)
- RE: BGP conf Larry May (Nov 02)