[56653] in North American Network Operators' Group
Re: 69/8...this sucks
daemon@ATHENA.MIT.EDU (Andy Dills)
Tue Mar 11 19:49:14 2003
Date: Tue, 11 Mar 2003 19:44:06 -0500 (EST)
From: Andy Dills <andy@xecu.net>
To: Richard A Steenbergen <ras@e-gerbil.net>
Cc: nanog@merit.edu
In-Reply-To: <20030311210731.GQ8839@overlord.e-gerbil.net>
Errors-To: owner-nanog-outgoing@merit.edu

On Tue, 11 Mar 2003, Richard A Steenbergen wrote:
>
> On Tue, Mar 11, 2003 at 11:38:23AM -0800, Owen DeLong wrote:
> >
> > As such, is a BGP feed a panacea?  No.  Is it a step in the right direction?
> > Yes.  Will it solve the problem by itself?  No.  Will it improve the
>
> So, someone feel free to smack me if I'm mentioning something which has
> been discussed already (there isn't enough masochism in the world to make
> me read this entire thread), buttttt...
>
> How exactly is a BGP feed of bogons useful in any way shape form or
> fashion? It doesn't prevent people from announcing more specifics, it
> doesn't do anything about source address bogons, it can't be used to
> packet filter... How exactly would it do anything other than simply not
> having the route at all?

I guess that emperor is a little naked after all :)

Without applying hard-coded bogon filters to your peers (to prevent
receiving longer prefixes in bogon space), it is essentially useless.
http://www.cymru.com/Documents/secure-bgp-template.html lists a nice
template. But then we're back right where we started, may as well just
have a static ACL...unless you can't afford the ACL hit, in which case
filtering announcements from your peers and routing everything bogon into
a traffic sink would be a great solution.

We're all filtering announcements from our peers anyway, right? :)

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills                              301-682-9972
Xecunet, LLC                            www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access
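
The point made in this message, as an added example that is not part of the original post: bogon aggregates routed into a sink are overridden by any longer prefix a peer announces inside bogon space, unless an inbound filter rejects everything covered by a bogon. The bogon list, peer names and announcements below are constructed samples, and the RIB is a simplified model.

```python
import ipaddress

# Constructed sample bogon list (RFC 1918 space and TEST-NET-1), not a
# current or complete list.
BOGONS = [ipaddress.ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

# Constructed peer announcements: (prefix, next hop). The first stands in
# for a legitimate route, the second is a more-specific inside bogon space.
ANNOUNCEMENTS = [("198.51.100.0/24", "peer-a"), ("10.66.0.0/16", "peer-b")]


def covering_bogon(prefix):
    """Return the bogon aggregate that equals or covers prefix, else None."""
    net = ipaddress.ip_network(prefix)
    for bogon in BOGONS:
        if net.version == bogon.version and net.subnet_of(bogon):
            return bogon
    return None


def build_rib(announcements, filter_peers):
    """Bogon aggregates point at the sink; peer routes are added on top."""
    rib = {bogon: "sink" for bogon in BOGONS}
    for prefix, next_hop in announcements:
        if filter_peers and covering_bogon(prefix) is not None:
            continue  # inbound filter: drop anything inside bogon space
        rib[ipaddress.ip_network(prefix)] = next_hop
    return rib


def lookup(rib, dst):
    """Longest-prefix match, as a router's forwarding lookup would do."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)]


if __name__ == "__main__":
    for filtered in (False, True):
        rib = build_rib(ANNOUNCEMENTS, filter_peers=filtered)
        print("peer filter:", filtered,
              "| 10.66.1.1 ->", lookup(rib, "10.66.1.1"),
              "| 10.1.1.1 ->", lookup(rib, "10.1.1.1"))
```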