Re: Is it time to abandon bogon prefix filters?

["Robert E. Seastrom" <rs () seastrom com>]

Randy Bush <randy () psg com> writes:

> > bogon block     attacks % of attacks
> > 0.0.0.0/7       65      0.01
> > 2.0.0.0/8       3       0.00
> > 5.0.0.0/8       3       0.00
> > 10.0.0.0/8      8794    1.21
> > 23.0.0.0/8      4       0.00
> > 27.0.0.0/8      7       0.00
> > 92.0.0.0/6      101     0.01
> > 100.0.0.0/6     374     0.05
> > 104.0.0.0/5     303     0.04
> > 112.0.0.0/5     775     0.11
> > 120.0.0.0/8     45      0.01
> > 127.0.0.0/8     6       0.00
> > 172.16.0.0/12   3646    0.50
> > 174.0.0.0/7     1       0.00
> > 176.0.0.0/5     1       0.00
> > 192.168.0.0/16  7451    1.02
> > 223.0.0.0/8     10      0.00
> > 224.0.0.0/3     8       0.00
>
> well, we can see why andree wanted to look behind the 1918 stuff.  it is
> the elephant.
>
> thanks, danny!
>
> randy

In other words, our earlier estimate of 60% was way off...  you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.

What's the operational cost trade-off with going after that remaining
7.9%?  I'll betcha it's not justifiable.  Maybe it's time to change
the best current practices we recommend so that they stop biting us in
the ass every time a chunk of our ever-dwindling pool of unused
address space goes into play.

My uncle used to tell this joke:

Q:  Why did the man hit himself in the head with a hammer?
A:  Because it felt so good when he stopped?

-r