[48428] in North American Network Operators' Group
RE: Bogon list
daemon@ATHENA.MIT.EDU (Barry Raveendran Greene)
Tue Jun 4 13:03:28 2002
From: "Barry Raveendran Greene" <bgreene@cisco.com>
To: "Richard A Steenbergen" <ras@e-gerbil.net>,
"Rob Thomas" <robt@cymru.com>
Cc: "NANOG" <nanog@merit.edu>
Date: Tue, 4 Jun 2002 10:00:53 -0700
In-Reply-To: <20020604161510.GY12164@overlord.e-gerbil.net>
Errors-To: owner-nanog-outgoing@merit.edu

> The problem with bogon lists is that they change on a fairly regular
> basis, for example each time a registry is given a new /8 to allocate
> from. This makes the role of maintaining an "official" list of bogons
> somewhat important, and the job of updating them somewhat annoying. :)

Ingress peering filters have to be maintained. That comes with the
territory. If you use Net Police filtering (i.e. explicit permit - only
allow the RIRs' blocks), you'll need to modify the list as the RIRs get new
blocks allocated to them. If you use Bogon filtering (i.e. explicit deny -
denying bogons and allowing everything else), you'll need to modify the list
as the RIRs get new blocks allocated to them.

Doing neither increases the risk of your network to BGP garbage attacks
(i.e. incidents like the AS7007 fun).

All Rob did is make it easier for those who do not like the Net Police
filtering techniques. Now you have some templates to help get started with a
bogon-based ingress filter.
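
The maintenance point above, as an added example that is not part of the original message or of Rob's templates: it models an explicit-deny (bogon) filter and an explicit-permit (Net Police) filter, then shows that both drop a legitimate route once a new /8 is allocated, and reports the entry each list needs changed. All prefixes, including the choice of 82.0.0.0/8 as the "newly allocated" block, are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

def nets(items):
    return [ipaddress.ip_network(i) for i in items]

def accepts(policy, filter_list, prefix):
    """Return True if the ingress filter would accept the announced prefix.

    An entry matches the announced prefix when the prefix is equal to or more
    specific than the entry (the usual "this block and anything inside it").
    """
    p = ipaddress.ip_network(prefix)
    covered = any(p.subnet_of(e) for e in nets(filter_list))
    # "permit": explicit permit list (Net Police), everything else dropped.
    # "deny":   explicit deny list (bogons), everything else allowed.
    return covered if policy == "permit" else not covered

def needed_changes(policy, filter_list, allocated_now):
    """Entries to remove (deny) or add (permit) to match current allocations."""
    flt, alloc = nets(filter_list), nets(allocated_now)
    if policy == "deny":
        # A deny entry overlapping allocated space is stale and must go.
        return [str(e) for e in flt if any(e.overlaps(a) for a in alloc)]
    # An allocated block not covered by any permit entry must be added.
    return [str(a) for a in alloc if not any(a.subnet_of(e) for e in flt)]

# Constructed sample data: not a real registry snapshot.
ALLOCATED_OLD = ["4.0.0.0/8", "12.0.0.0/8"]
NEW_BLOCK = "82.0.0.0/8"          # assumed to have just been given to an RIR
ALLOCATED_NOW = ALLOCATED_OLD + [NEW_BLOCK]

# Both filters were built before NEW_BLOCK was allocated.
BOGON_DENY = ["10.0.0.0/8", "82.0.0.0/8", "127.0.0.0/8"]
NET_POLICE_PERMIT = list(ALLOCATED_OLD)

if __name__ == "__main__":
    route = "82.10.0.0/16"        # legitimate route inside the new block
    for policy, flt in (("deny", BOGON_DENY), ("permit", NET_POLICE_PERMIT)):
        verdict = "accepted" if accepts(policy, flt, route) else "DROPPED"
        action = "remove" if policy == "deny" else "add"
        print(f"{policy:6} filter: {route} {verdict}; "
              f"{action} {needed_changes(policy, flt, ALLOCATED_NOW)}")
```
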