Educause Security Discussion mailing list archives

Re: border filtering questions


From: Jeff Murphy <jcmurphy () BUFFALO EDU>
Date: Mon, 28 Feb 2011 17:35:26 -0500


On Feb 28, 2011, at 4:07 PM, Valdis Kletnieks wrote:

> On Mon, 28 Feb 2011 13:41:13 EST, Jeff Murphy said:
>
>> [  ]  We don't block traffic to/from known bad addresses/netblocks at our border.
>
> Define "known bad addresses/netblocks".  With the recent exhaustion of the IANA IPv4
> space, this basically equates to "RFC1918, class E, and similar bogons", unless you
> want to follow the Team Cymru feed of space not sub-allocated by an RIR yet.  If
> you have some *other* definition of "known bad" (including hijacked space, dead space,
> and so on), it probably should be specified...

REN-ISAC offers a feed, Cymru has lists, Cisco sells a feed, you may have your own internal list (e.g. derived from
phishing URLs you see), etc. I was intentionally vague. By bad I meant "an address you don't want to trade packets with
across your border", but I should've excluded the examples you give in order to avoid the "well, we do block, but only
RFC 1918, et al." folks.

What I'm interested in is whether or not there's a trend towards automated intelligence-based blocking. My sense is
that there's interest in it, but that it hasn't really made it to the mainstream. I hear a lot about it, but when I
ask around amongst the people I know, I generally get "no, you?"

> Oh, and you probably should ask separately for IPv4 and IPv6. ;)

I'll ask about v6 when v6 becomes more than just a flamefest that fills my nanog (er, I mean newnog) folder. ;)

jeff
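The kind of "automated intelligence-based blocking" the thread is asking about, as an added worked example that is not part of the original exchange or any of the feeds it names: a small Python script that takes a feed of indicators, refuses the entries a border operator would not want automated (RFC1918/class E/other bogons that a separate bogon filter already handles, anything overlapping your own space, anything broader than a /24, anything unparsable, IPv6 left for a separate pass), aggregates what remains, and renders it as Cisco IOS-style ACL lines. The feed format ("indicator,source"), the sample entries (RFC 5737 documentation addresses standing in for real bad hosts) and the campus prefix 192.0.2.0/24 are all constructed for the example.

```python
import ipaddress

# Constructed sample feed (not a real feed) in a hypothetical "indicator,source"
# format. The indicators are RFC 5737 documentation addresses standing in for
# real "known bad" hosts; the 10/8, class E, 0/0 and own-space entries are there
# to exercise the safety checks.
SAMPLE_FEED = """\
# indicator,source
203.0.113.45,phish-urls
203.0.113.0/24,vendor-feed
198.51.100.7,vendor-feed
198.51.100.7,ren-isac
10.1.2.3,internal
240.0.0.1,vendor-feed
0.0.0.0/0,vendor-feed
192.0.2.99,phish-urls
not-an-ip,phish-urls
"""

# "RFC1918, class E, and similar bogons": space a border bogon filter should
# already drop, so feed hits here are skipped rather than re-blocked.
# (RFC 5737 documentation space is deliberately absent so the samples pass.)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical campus prefix: never let a feed entry blackhole your own space.
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Refuse anything shorter than this: a fat-fingered /8 in a feed should not
# become a border ACL without a human looking at it.
MIN_PREFIXLEN = 24


def classify(indicator, own_nets=OWN_NETS, min_prefixlen=MIN_PREFIXLEN):
    """Return (network, None) if the indicator is safe to block, else (None, reason)."""
    try:
        net = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return None, "unparsable"
    if net.version != 4:
        return None, "not IPv4 (handle v6 in a separate pass)"
    if net.prefixlen < min_prefixlen:
        return None, "prefix too broad (/%d)" % net.prefixlen
    if any(net.subnet_of(b) for b in BOGONS):
        return None, "bogon/special-use, already filtered"
    if any(net.overlaps(o) for o in own_nets):
        return None, "overlaps own address space"
    return net, None


def build_blocklist(feed_text, **kw):
    """Parse a feed, drop unsafe entries, return (aggregated networks, rejects)."""
    accepted, rejects = [], []
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indicator, _, source = line.partition(",")
        net, reason = classify(indicator.strip(), **kw)
        if net is None:
            rejects.append((indicator.strip(), source.strip(), reason))
        else:
            accepted.append(net)
    # collapse_addresses merges duplicates and subsumed prefixes, so the
    # single host 203.0.113.45 disappears into 203.0.113.0/24.
    return list(ipaddress.collapse_addresses(accepted)), rejects


def to_ios_acl(nets, acl="100"):
    """Render the networks as Cisco IOS extended-ACL lines (wildcard-mask form),
    blocking both directions, with an explicit final permit."""
    lines = []
    for n in nets:
        lines.append("access-list %s deny ip %s %s any" % (acl, n.network_address, n.hostmask))
        lines.append("access-list %s deny ip any %s %s" % (acl, n.network_address, n.hostmask))
    lines.append("access-list %s permit ip any any" % acl)
    return lines


if __name__ == "__main__":
    nets, rejects = build_blocklist(SAMPLE_FEED)
    for n in nets:
        print("block", n)
    for ind, src, why in rejects:
        print("skip ", ind, "(%s): %s" % (src, why))
    print("\n".join(to_ios_acl(nets)))
```

The rejects list is the part worth keeping: a feed-driven ACL that silently eats its own errors is how you learn about a bad vendor entry from a help-desk ticket rather than from your own logs. In practice the accepted set would be pushed to the router (or an nftables/ipset set) on a timer with a size cap and a diff against the previous run, and the two deny lines per prefix would be replaced with whatever direction your policy actually wants.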
