|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Date: Sun, 5 Dec 2004 22:06:08 +0100 From: Cliff Albert <cliff@oisec.net> To: Iljitsch van Beijnum <iljitsch@muada.com> Cc: NANOG <nanog@merit.edu> In-Reply-To: <83F0FB83-46FF-11D9-9B05-000A95CD987A@muada.com> Errors-To: owner-nanog-outgoing@merit.edu On Sun, Dec 05, 2004 at 09:52:02PM +0100, Iljitsch van Beijnum wrote: > > <http://www.cymru.com/Documents/secure-bgp-template.html> > > Note though that so far, nobody has tried to inject bogon routes into > the global routing table just so packets from bogon sources wouldn't be > filtered. The reason we want this is because of address space hijacking > (such as done by spammers) and configuration mistakes. So filtering at > the /8 level as in the document linked above isn't really going to buy > you much in practice. /8 le /32 still stands for /8 and more-specifics as I remember ? :) Secondly not everything is about security but also about keeping routing tables clean and useful, as more people noticed today. Filtering bogons away is just an extra step in making sure that you transport real traffic instead of bogus traffic of which you are 100% sure that it's *useless* traffic. uRPF will fix it for your own network, but filtering bogon routes away in BGP will also make your downstream a happier place. The only argument from you I have seen against bogon filtering is the fact that the lists aren't updated by certain parties. -- Cliff Albert <cliff@oisec.net>
|
|
|
|
|
|
|
|
|
|
|
|
| home | help | back | first | fref | pref | prev | next | nref | lref | last | post |