Re: Best way to get of Bogon list?

["Christopher L. Morrow" <christopher.morrow () mci com>]

On Fri, 26 Nov 2004 alex () pilosoft com wrote:

> On Thu, 25 Nov 2004, Jon Lewis wrote:
>
> > Its not even just providers.  If it were, it'd be relatively easy to
> > just find and call each NOC.  You're likely to have bogon issues with
> > few large providers.  It's mostly smaller providers and end user
> > networks...some of which are quite large or high profile.
> >
> > Do what I did and give people a way to test connectivity from both
> > affected and unaffected space and setup a 'hall of shame' page listing
> > the IPs/networks that are behind broken filters.
> Can someone identify the *benefits* of using bogon lists for unallocated
> space? It appears that it only hurts connectivity, but does not help in
> any significant way to enhance security.

It might be a way to proactively keep your part of the network 'cleaner'
than the other parts... 'managed' properly and 'updated' regularly (when
changes dictate an update is required) it might even be seemless to your
userbase.

The devil here is, as always, in the details. Once you move beyond some
number of devices or acls or 'parts', making changes on a wide scale and
keeping things up to date becomes more difficult. Change management and
the number of hands in the pot seem to make these things much more
challenging.

> Possibly, whoever are the vendors of software that recommends this
> practice (and authors of security handbooks) should be show the error of
> their ways?

if they did they'd lose part of their punch :( And lose some of their
readerbase... and who'd call you to complain? :)