[106883] in North American Network Operators' Group


Re: Is it time to abandon bogon prefix filters?

daemon@ATHENA.MIT.EDU (Sean Donelan)
Fri Aug 15 10:52:24 2008

Date: Fri, 15 Aug 2008 10:52:15 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20080815104122.7823c963@cs.columbia.edu>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
> Martians plus 1918 space, I'd say, though that requires knowing which
> are border interfaces.

Whether you include or exclude rfc1918 addresses is another issue. Whack 
the martians first :-)

Unfortunately, enough ISPs use rfc1918 addresses on their backbone links
that filtering rfc1918 also breaks traceroute (* * *), and people use rfc1918
internally enough that rfc1918 requires more professional thought about
configuring those filters.

From an operational perspective, whacking martians has fewer caveats for
amateur network operators or default equipment configuration settings.

> Other than that, I agree 100% -- bogon filters have little security
> relevance for most sites.  Furthermore, as the allocated address space
> increases, the percentage of actual bogon space decreases and the rate
> of false positives -- packets that are rejected that shouldn't be --
> will increase.  Security?  Remember that availability is a security
> issue, too.

Violent agreement.
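
A worked illustration of the two border policies discussed in this message (martians only versus martians plus RFC 1918), of the traceroute symptom, and of the false-positive drift Bellovin describes. This is an added example, not code from the post or from any NANOG participant. The prefix lists are this example's own assumptions rather than any vendor's or registry's bogon feed, the sample source addresses and the traceroute path are constructed, and the ACL rendering assumes Cisco IOS-style wildcard-mask syntax.

```python
import ipaddress

# Martian space: addresses that must never be a source on the public
# Internet.  RFC 1918 is kept separate so the two policies in the thread
# can be compared.  These lists are this example's assumption, not a
# complete or authoritative bogon feed.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",       # "this" network
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "192.0.2.0/24",    # TEST-NET, documentation only
    "224.0.0.0/4",     # multicast is never a valid source
    "240.0.0.0/4",     # reserved (former class E)
)]
RFC1918 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]
# A stale "full bogon" list: 1.0.0.0/8 was unallocated in 2008 but was
# assigned to APNIC in January 2010, so a filter built from this list and
# never refreshed now rejects legitimate traffic (the false positives
# Bellovin warns about).
STALE_BOGONS = MARTIANS + [ipaddress.ip_network("1.0.0.0/8")]


def matches(addr, prefixes):
    """True if the source address falls inside any of the prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def policy_martians(addr):
    """Whack the martians only: the low-caveat border filter."""
    return "drop" if matches(addr, MARTIANS) else "permit"


def policy_martians_1918(addr):
    """Martians plus RFC 1918: stricter, and needs thought about internals."""
    return "drop" if matches(addr, MARTIANS + RFC1918) else "permit"


def policy_stale_bogons(addr):
    """Martians plus a bogon list that was never refreshed."""
    return "drop" if matches(addr, STALE_BOGONS) else "permit"


def traceroute_view(hops, policy):
    """What traceroute shows when `policy` is applied to the ICMP
    time-exceeded replies coming back from each hop: a dropped reply
    prints as the familiar '* * *'."""
    return [hop if policy(hop) == "permit" else "* * *" for hop in hops]


def acl_lines(prefixes):
    """Render prefixes as Cisco IOS-style extended ACL deny lines
    (wildcard-mask syntax; an assumption about the target platform)."""
    return [f"deny ip {net.network_address} {net.hostmask} any"
            for net in prefixes]


# Constructed samples.  203.0.113.0/24 is documentation space (RFC 5737)
# standing in for ordinary public addresses; it is deliberately absent from
# the martian list above.
SAMPLE_SOURCES = [
    "203.0.113.9",   # ordinary customer traffic
    "127.0.0.1",     # spoofed loopback source
    "224.0.0.9",     # multicast as a source
    "10.1.2.3",      # RFC 1918 source arriving at the border
    "1.2.3.4",       # formerly bogon, allocated since 2010
]
# A constructed path whose middle hops are numbered from RFC 1918 space,
# as the message says many ISP backbone links are.
PATH = ["203.0.113.1", "10.255.0.1", "10.255.0.2", "203.0.113.254"]


def audit(sources=SAMPLE_SOURCES):
    """Verdict of each policy (martians, +1918, stale) for each source."""
    return {src: (policy_martians(src),
                  policy_martians_1918(src),
                  policy_stale_bogons(src))
            for src in sources}


if __name__ == "__main__":
    for src, verdicts in audit().items():
        print(f"{src:15} martians={verdicts[0]:6} +1918={verdicts[1]:6} "
              f"stale={verdicts[2]}")
    print("traceroute, martians only:", traceroute_view(PATH, policy_martians))
    print("traceroute, plus RFC 1918:", traceroute_view(PATH, policy_martians_1918))
    print("\n".join(acl_lines(RFC1918)))
```

Run as-is, the audit shows that the martians-only policy drops the loopback and multicast sources while leaving both the RFC 1918 hop and the once-bogon address alone, the stricter policy turns the two backbone hops in the constructed path into `* * *`, and the stale list is the only one that rejects the now-allocated address.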

