[56658] in North American Network Operators' Group


Re: 69/8...this sucks -- Centralizing filtering..

daemon@ATHENA.MIT.EDU (Jack Bates)
Tue Mar 11 20:40:40 2003

From: "Jack Bates" <jbates@brightok.net>
To: "Iljitsch van Beijnum" <iljitsch@muada.com>,
	"Peter Galbavy" <peter.galbavy@knowtion.net>
Cc: <nanog@merit.edu>
Date: Tue, 11 Mar 2003 19:39:50 -0600
Errors-To: owner-nanog-outgoing@merit.edu


From: "Iljitsch van Beijnum"

>
> I don't see your point. Packets with bogon sources are just one class of
> spoofed packets. As I've explained earlier S-BGP or soBGP with uRPF will
> get rid of bogons. Neither this nor bogon filters on the host will do
> anything against non-bogon spoofed packets.

You're thinking technical. The problem isn't bogon filters per se. The
problem is that someone got it in their head that if you filter packets
using a bogon list, you'll limit the number of possible spoofed packets
allowed into your network. Given that many bots use randomizers, and bogon
networks do cover a large amount of the netspace, this may be true. Then
again, perhaps not. It doesn't matter in the end. The fact remains that
while people may protect the routes from being advertised, many large
providers do not drop packets that do not have valid routes. Because of
this, many firewalls (which don't run BGP) filter based on bogon lists.

Only 1 of the last 6 people I contacted for blocking 69/8 actually had BGP.

-Jack
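
An added example, not part of the original message: a Python audit of a static firewall bogon list against newly allocated space, the situation behind the 69/8 blocking this thread describes. The list entries, the 68.0.0.0/7 aggregate, the sample source address and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: static bogon entries as they might sit in a firewall
# that does not run BGP. Not a real or current bogon list.
STATIC_BOGONS = ["10.0.0.0/8", "192.0.2.0/24", "69.0.0.0/8", "68.0.0.0/7"]
# 68.0.0.0/7 is a constructed aggregate used only to show a partial overlap.

# Space that has since been allocated (69/8, per this thread).
ALLOCATED = ["69.0.0.0/8"]


def audit_bogons(bogons, allocated):
    """Map each stale entry to the part of it that is still unallocated."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    findings = {}
    for entry in bogons:
        remaining = [ipaddress.ip_network(entry)]
        stale = False
        for a in alloc:
            kept = []
            for r in remaining:
                if not r.overlaps(a):
                    kept.append(r)          # untouched by this allocation
                elif r.subnet_of(a):
                    stale = True            # entry lies wholly in allocated space
                else:
                    stale = True            # allocation is carved out of the entry
                    kept.extend(r.address_exclude(a))
            remaining = kept
        if stale:
            merged = ipaddress.collapse_addresses(remaining)
            findings[entry] = sorted(str(n) for n in merged)
    return findings


def dropped_by(src, bogons):
    """Return the list entries that would drop a packet with this source."""
    ip = ipaddress.ip_address(src)
    return [b for b in bogons if ip in ipaddress.ip_network(b)]


if __name__ == "__main__":
    for entry, keep in audit_bogons(STATIC_BOGONS, ALLOCATED).items():
        print(f"stale: {entry} -> replace with {keep or 'nothing'}")
    # Constructed source address inside the allocated block.
    print("69.1.2.3 dropped by:", dropped_by("69.1.2.3", STATIC_BOGONS))
```
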

