nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is it time to abandon bogon prefix filters?

From: "Robert E. Seastrom" <rs () seastrom com>
Date: Fri, 15 Aug 2008 11:12:06 -0400

Sean Donelan <sean () donelan com> writes:


On Fri, 15 Aug 2008, Robert E. Seastrom wrote:

so is there any case to be made for filtering bogons on
upstream/peering ingress at all anymore?


Depends on where and how.

On highly managed routers at highly managed interconnection points around
the Internet, having some basic packet hygiene checks can serve as a
"fire breaks" to keep the effectiveness of large scale attacks with
reserved/unallocated address low.
...>
Again, I think bogon filters are a bad idea for unmanaged or
semi-managed routers (or inclusion as a "default" in anything,
i.e. Cisco's auto-secure).


You make a very good point about the difference between routers that
are being routinely maintained by highly clueful people and routers
that are in the field and untouched/unloved for months to years at a
time.  The latter is the situation that I was thinking of when I was
talking about the operational hit from the overzealous bogon filters.
Problem is, when we post BCPs they tend to assume a flat application
space (which is a bad plan) or people tend to assume that they are
more clueful or the routers will be better maintained than they
actually will be (the "airport diamond security lane for expert
travelers" problem).

                                        ---Rob
Previous By Date Next
Previous By Thread Next

Current thread: