[95149] in North American Network Operators' Group


Re: Where are static bogon filters appropriate? was: 96.2.0.0/16

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Mar 1 21:09:57 2007

Date: Thu, 1 Mar 2007 21:08:59 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: Jon Lewis <jlewis@lewis.org>,
	Eric Ortega <eric.ortega@midco.net>, nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0703011420400.3626@marvin.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu


On Thu, 01 Mar 2007 14:22:37 +0000 (GMT)
"Chris L. Morrow" <christopher.morrow@verizonbusiness.com> wrote:

> 
> On Thu, 1 Mar 2007, Jon Lewis wrote:
> 
> > On Wed, 28 Feb 2007, Eric Ortega wrote:
> >
> > > I'd like to thank the group for the responses and help with this
> > > issue. I find it ironic that Randy's study actually uses 96 space.
> >
> > The amazing/sad thing is that people have been facing and fixing
> > the same problem for more than 4 years.  How many times does a
> > network have to fix their static bogon filters before coming to the
> > realization that those filters are a bad idea?
> 
> So, where are static bogon filters appropriate? (loaded question
> perhaps) I ask because just about every 'security expert' and
> 'security whitepaper' or 'security suggestions' has some portion that
> speaks to "why it's a grand idea to have acl-lines/firewall-policy to
> block 'bogon' ip space" (for some definition of 'bogon' of course).
> 
Well, not all of us advocate that; see
http://www.merit.edu/mail.archives/nanog/2006-01/msg00150.html  



		--Steve Bellovin, http://www.cs.columbia.edu/~smb
