[106889] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Laurence F. Sheldon, Jr.)
Fri Aug 15 11:32:00 2008
Date: Fri, 15 Aug 2008 10:31:44 -0500
From: "Laurence F. Sheldon, Jr." <LarrySheldon@cox.net>
To: "nan >> \"nanog@nanog.org\"" <nanog@nanog.org>
In-Reply-To: <48A59E36.6070104@psg.com>
Errors-To: nanog-bounces@nanog.org
Randy Bush wrote:
> in the field != untouched/unloved
>
> i contend that all one's routers should be rigorously configured as
> programmatically as possible.

It seems to me that those are the routers where the filtering of both
packets and routes is easiest and most effective. If every such router
(which almost by definition knows what source addresses and routes are
legitimate) filtered out all the crap, there would not be much crap
getting to the DFZ.

Too hard? I don't think so. When I administered a /16 with "only" a
hundred or so such routers, a simple skeleton config-file-base allowed
quick construction of a config file at installation--which was then
rarely touched ever again. (We did log at a central location and used
SNMP monitors for supervision.)
--
Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

Two identifying characteristics of System Administrators:
Infallibility, and the ability to learn from their mistakes.

ICBM Targeting Information: http://tinyurl.com/4sqczs