[125118] in North American Network Operators' Group
Re: BGP hijack from 23724 -> 4134 China?
daemon@ATHENA.MIT.EDU (Danny McPherson)
Fri Apr 9 00:06:06 2010
From: Danny McPherson <danny@tcb.net>
In-Reply-To: <4BBE9263.6050100@2mbit.com>
Date: Thu, 8 Apr 2010 22:05:23 -0600
To: "nanog@nanog.org list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Apr 8, 2010, at 8:35 PM, Brielle Bruns wrote:
>
> More harm than good is a matter of opinion. Denying all of mainland China reduces the amount of attacks on my network. If you consider that masking security problems rather than fixing them, then *shrugs*. It's just one of many layers. It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.
FWIW, I get it - folks are surely going to implement local security policies that are first aligned with corporate [and national] security objectives.
My concern is that if people think bogon filters break stuff, just wait until a couple thousand networks start selectively filtering countries based on some notion of geoIP mappings (e.g., CN today, KP and IR tomorrow, etc.), when in many cases prefixes span lots of national boundaries (as do many ASNs) - the Internet will continue to fragment and brokenness will result.
As an example of how such network filtering policies might well become an operational problem, consider a client using Online Certificate Status Protocol (OCSP) with X.509 digital certificates before setting up a secure connection to a web server somewhere in Asia (the server itself may well NOT be inside of China). The client, wanting to inquire as to the state (revocation status) of a particular certificate generated by that CNNIC CA embedded in their Firefox client, reaches out to an OCSP server that's authoritative for the cert - in this case CNNIC. Unfortunately, CNNIC, which primarily resides within 218.241.0.0/16, isn't reachable because of this entry in your ACL:
access-list 199 deny ip 218.240.0.0 0.7.255.255 any
Now, whether you or any of the users on your network choose to leave that CNNIC CA (or others) enabled in your client is a separate issue, but default drop policies such as you're recommending can certainly result in some collateral damage that can be very tedious to debug, and possibly even broaden attack surfaces themselves.
I'm not particularly a fan of bogon filters for reasons outlined here and elsewhere many times before - and bogon addresses theoretically don't have live clients and servers folks might legitimately be transacting with.
-danny
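The collateral-damage point above turns on one detail: the wildcard mask 0.7.255.255 matches far more than a /16. The script below (added here for illustration; it is not part of the original thread) translates Cisco-style wildcard ACL entries into CIDR and classifies which prefixes a deny entry blocks fully or partially; 218.241.0.0/16 is the CNNIC range named in the message, the other prefixes are constructed samples.

```python
import ipaddress

# The ACL line quoted in the message. In Cisco wildcard masks a 0 bit is
# compared and a 1 bit is ignored, so 0.7.255.255 leaves only 13 bits fixed.
ACL_ENTRY = "access-list 199 deny ip 218.240.0.0 0.7.255.255 any"

def parse_wildcard_entry(entry):
    """Return (action, address_int, wildcard_int) from an extended ACL line of
    the form 'access-list <n> <permit|deny> ip <addr> <wildcard> any'."""
    f = entry.split()
    return f[2], int(ipaddress.IPv4Address(f[4])), int(ipaddress.IPv4Address(f[5]))

def wildcard_to_cidr(addr, wildcard):
    """Express a wildcard match as a CIDR string when the mask is contiguous,
    otherwise None. A contiguous wildcard looks like 0...01...1, so
    wildcard + 1 is a power of two and shares no bits with wildcard."""
    if (wildcard + 1) & wildcard:
        return None
    network = addr & ~wildcard & 0xFFFFFFFF        # clear any stray host bits
    return str(ipaddress.ip_network((network, 32 - wildcard.bit_length())))

def prefix_coverage(prefix, addr, wildcard):
    """Classify how an entry affects a prefix: 'all' (every address matches),
    'none', or 'partial' (the entry fixes bits inside the prefix's host part)."""
    net = ipaddress.ip_network(prefix, strict=False)
    fixed = ~wildcard & 0xFFFFFFFF                 # bits the ACL compares
    pmask = int(net.netmask)
    pnet = int(net.network_address)
    if (pnet & fixed & pmask) != (addr & fixed & pmask):
        return "none"                              # disagreement in bits both sides fix
    if fixed & ~pmask & 0xFFFFFFFF:
        return "partial"                           # ACL fixes bits the prefix leaves open
    return "all"

def blocked_prefixes(entry, prefixes):
    """Map each prefix touched by a deny entry to its coverage ('all'/'partial')."""
    action, addr, wildcard = parse_wildcard_entry(entry)
    result = {}
    if action != "deny":
        return result
    for p in prefixes:
        cov = prefix_coverage(p, addr, wildcard)
        if cov != "none":
            result[p] = cov
    return result

if __name__ == "__main__":
    _, a, w = parse_wildcard_entry(ACL_ENTRY)
    print("ACL entry actually denies", wildcard_to_cidr(a, w))     # 218.240.0.0/13
    # 218.241.0.0/16 is from the message; 218.248.0.0/16 and 218.240.0.0/12 are constructed.
    samples = ["218.241.0.0/16", "218.248.0.0/16", "218.240.0.0/12"]
    for p, cov in blocked_prefixes(ACL_ENTRY, samples).items():
        print(p, "->", cov)
```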