[95158] in North American Network Operators' Group


Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons

daemon@ATHENA.MIT.EDU (Robert E. Seastrom)
Fri Mar 2 07:13:28 2007

To: Roland Dobbins <rdobbins@cisco.com>
Cc: NANOG <nanog@merit.edu>
From: "Robert E. Seastrom" <rs@seastrom.com>
Date: Fri, 02 Mar 2007 07:12:32 -0500
In-Reply-To: <3C7D9E3F-B007-43F3-B2FB-25FCEF6E6A85@cisco.com> (Roland Dobbins's message of "Thu, 1 Mar 2007 14:40:16 -0800")
Errors-To: owner-nanog@merit.edu



Roland Dobbins <rdobbins@cisco.com> writes:

> On Mar 1, 2007, at 1:10 PM, Chris L. Morrow wrote:
>
>> So... again, are bogon filters 'in the core' useful? (call 'core' some
>> network not yours)
>
> Antispoofing is 'static' and therefore brittle in nature, people
> change jobs, etc. - so, we shouldn't do antispoofing, either?

Unicast RPF is neither static nor brittle, and we should do it.

I agree with smb though in somewhat less diplomatic terms - bogon
filtering by end sites is the sort of thing that is recommended by
"experts" for whom "security" is an end in and of itself, rather than
a component of the arsenal you bring forth (backups, DR, spares,
multihoming, etc) to improve uptime and business availability and
decrease potential risk.

For people who recommend cures that are as bad as the disease, we
recommend one of these: http://despair.com/consulting.html

                                        ---Rob
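
Added example, not part of the message above or of the thread: a small Python model of the contrast drawn there between a static bogon list and strict unicast RPF, which is evaluated against the current routing table on every packet. The stale list contents, FIB entries and interface names are constructed for illustration (96.2.0.0/16 comes from the thread subject), and the uRPF check is simplified to a single best path.

```python
import ipaddress

# Constructed sample: a static bogon list that was never refreshed and still
# contains 96.0.0.0/8 (assumption, suggested by the thread subject).
STALE_BOGONS = [ipaddress.ip_network(p)
                for p in ("10.0.0.0/8", "96.0.0.0/8", "192.168.0.0/16")]

def static_bogon_permits(src, bogons=STALE_BOGONS):
    """Static filter: permit unless the source is inside a listed prefix."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in bogons)

def make_fib(routes):
    """Build a FIB {network: interface} from {prefix string: interface}."""
    return {ipaddress.ip_network(p): ifname for p, ifname in routes.items()}

def best_route(fib, src):
    """Longest-prefix match of src against the FIB; None when no route exists."""
    addr = ipaddress.ip_address(src)
    matches = [(net, ifname) for net, ifname in fib.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def strict_urpf_permits(fib, src, ingress):
    """Strict uRPF: permit only if the best route back to src uses ingress."""
    route = best_route(fib, src)
    return route is not None and route[1] == ingress

def demo():
    # Hypothetical interface names; 198.51.100.0/24 is a documentation prefix.
    fib = make_fib({"96.2.0.0/16": "cust0", "198.51.100.0/24": "cust1"})
    results = {
        # Legitimate customer source: the stale list drops it, uRPF passes it.
        "bogon_legit_96": static_bogon_permits("96.2.0.1"),
        "urpf_legit_96": strict_urpf_permits(fib, "96.2.0.1", "cust0"),
        # Spoofed sources: no route, or a route via a different interface.
        "urpf_spoof_10": strict_urpf_permits(fib, "10.1.1.1", "cust0"),
        "urpf_wrong_if": strict_urpf_permits(fib, "198.51.100.7", "cust0"),
    }
    # Routing change: the customer moves to cust2. The uRPF decision follows
    # the FIB with no filter edit; the static list is unchanged either way.
    fib = make_fib({"96.2.0.0/16": "cust2", "198.51.100.0/24": "cust1"})
    results["urpf_after_move_new_if"] = strict_urpf_permits(fib, "96.2.0.1", "cust2")
    results["urpf_after_move_old_if"] = strict_urpf_permits(fib, "96.2.0.1", "cust0")
    return results

if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'drop'}")
```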

