[76301] in North American Network Operators' Group


Re: Bogon filtering (don't ban me)

daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Sun Dec 5 13:52:29 2004

In-Reply-To: <41B3539A.2070109@ttec.com>
Cc: NANOG list <nanog@merit.edu>
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Sun, 5 Dec 2004 19:50:11 +0100
To: Joe Maimon <jmaimon@ttec.com>
Errors-To: owner-nanog-outgoing@merit.edu


On 5-dec-04, at 19:29, Joe Maimon wrote:

> I think that a BGP mechanism to tag routes as "ignore all more 
> specifics" would solve this problem nicely. (and perhaps a whole lot 
> others -- such as needless deaggregation)

Yeah, like people who are needlessly deaggregating are going to send 
out an aggregate with this tag on it...

What you want is a way to inject filters into a box remotely with live 
updating. So this is what the vendors should build.

> As far as router vendors such as Cisco autosecure, I do not think 
> there is any way to make default access lists lossless. They should 
> step up to the plate and offer md5 by system serial number keyed 
> multihop BGP bogons in the manner of cymru. It's their responsibility.

Why?

Why should anyone bother?

Why are we even discussing this?

The whole point that started this discussion is that bogon filtering is 
HARMFUL a good part of the time. And it doesn't really do anything 
useful to begin with! You get to reject packets from dark address 
space, but:

- That's only some 40% of all address space, so you need to be able to 
deal with the other 60% anyway. Why wouldn't whatever mechanism that 
deals with the 60% be unable to deal with the additional 40%?

- (Loose) uRPF will buy you the exact same functionality and more 
without any upkeep.
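Added illustration, not part of the thread: a small Python model of the comparison made above, a static bogon ACL versus a loose (and strict) uRPF check against the router's live forwarding table. The prefixes, interface names and FIB entries are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the thread): a bogon ACL written while
# 203.0.113.0/24 was still unallocated, and the router's current FIB, in
# which that block has since been allocated and is routed via a peer.
STALE_BOGON_ACL = [ipaddress.ip_network(p)
                   for p in ("0.0.0.0/8", "10.0.0.0/8", "203.0.113.0/24")]
FIB = {  # prefix -> outgoing interface (constructed)
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",     # customer on Gi0/1
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # peer on Gi0/2
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/2",   # allocated after the ACL was written
    ipaddress.ip_network("10.0.0.0/8"): "Null0",       # RFC 1918, null-routed
}

def fib_lookup(fib, src):
    """Longest-prefix match; returns (prefix, interface) or None. No default
    route is installed: with one, loose uRPF matches every source unless the
    default route is excluded from the check."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def bogon_acl_permits(src, acl=STALE_BOGON_ACL):
    """Static ACL: drops only the listed bogons; it needs manual upkeep."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in acl)

def loose_urpf_permits(src, fib=FIB):
    """Loose uRPF: accept if the source has any non-null route in the FIB."""
    hit = fib_lookup(fib, src)
    return hit is not None and hit[1] != "Null0"

def strict_urpf_permits(src, ingress, fib=FIB):
    """Strict uRPF: the route back to the source must point out the
    interface the packet arrived on, so spoofed customer addresses fail."""
    hit = fib_lookup(fib, src)
    return hit is not None and hit[1] == ingress

def compare(src, ingress):
    """Verdict of each filter for one packet as a dict of booleans."""
    return {"bogon_acl": bogon_acl_permits(src),
            "loose_urpf": loose_urpf_permits(src),
            "strict_urpf": strict_urpf_permits(src, ingress)}

# 203.0.113.10 via Gi0/2: the stale ACL drops a now-legitimate source, uRPF passes it.
# 100.64.0.1 (unrouted, not in the ACL): only uRPF drops it.
# 192.0.2.5 arriving on Gi0/2 (spoofed customer address): only strict uRPF drops it.
```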
