[95185] in North American Network Operators' Group


Re: Where are static bogon filters appropriate? was: 96.2.0.0/16 Bogons

daemon@ATHENA.MIT.EDU (Jason Frisvold)
Sun Mar 4 15:48:55 2007

Date: Sun, 4 Mar 2007 15:48:03 -0500
From: "Jason Frisvold" <xenophage0@gmail.com>
To: "Roland Dobbins" <rdobbins@cisco.com>
Cc: NANOG <nanog@merit.edu>
In-Reply-To: <560AF811-A3D9-468D-BBEC-B4FEBE04AF2A@cisco.com>
Errors-To: owner-nanog@merit.edu


On 3/2/07, Roland Dobbins <rdobbins@cisco.com> wrote:
> No one has done the digging required to answer any of these
> questions, unfortunately.

Can you get a valid answer to this based on the existence of BCP38?
What I mean is, if your upstream is filtering bogons, you can't get a
good read on the amount of "bad" traffic sourcing from "illegal"
addresses.  However, I'm sure it's there.  If we stop filtering
so-called "bad" addresses, I'm sure that the attacks from those
addresses will increase when it's realized that the filters are gone.

I agree with others in that you can't stop looking for old attacks
just because they don't happen much anymore.  But we can improve the
ways we look.  uRPF is definitely a dynamic option, but as I
understood it, there were issues with using it on multi-homed networks
with asynchronous routing.  Granted, it has been some time since I've
looked at uRPF.

I think something like the Cymru bogon route server is great, but I'm
not a very trusting person when it comes to something like that.  I
don't like giving up that level of control.  Of course, at some point,
I suppose I have to trust something...

I definitely believe in filtering both bogons and RFC 1918 space, it's
just a management issue that has to be dealt with.

> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

-- 
Jason 'XenoPhage' Frisvold
XenoPhage0@gmail.com
http://blog.godshell.com
