Re: [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Date: Wed, 25 Feb 2004 14:44:21 -0600 (CST)
Hi, Andre.
There are presently 95 bogon prefixes advertised by the bogon
route-servers. That is plenty of space from which to generate
spoofed source addresses. The reality is that the miscreants are
seeing a lower return on the investment when spoofing from bogon
prefixes. Thus they are more inclined to use routed space as the
source of spoofed addresses. You can see this in much of the
more popular spoofed packet generating malware. A lot of this
malware specifically checks to ensure that the source addresses
are not bogons, or ensures that the source addresses are in the
same /16 as where the infected host resides.
If the malware spoofs within its own /16, or has blocks to ensure
that bogon prefixes are not used in the spoofing, suddenly
"perfection" isn't so perfect. These addresses most certainly
will be in the routing tables of most routers. This is why we
never state that bogon filtering is the perfect answer to the
problem of spoofing.
] There is absolutely no service for the RIRs or IANA to provide. You
] have got all tools you need already. If the source address is not
] routed, then don't route it. Very easy, very fast, very stable, no
] maintenance overhead, nothing that can go wrong. Just perfect.
Ah, but that isn't perfect if the source address is routed when it
shouldn't be. :) What if a bogon gets into the FIB of a router?
One must filter to ensure that the routing table only includes
legitimate prefixes. This is why I mentioned uRPF with prefix
filtering in my previous note, and also why I suggested that there
is more than one way to solve the problem. :)
Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
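A worked illustration of the checks Rob contrasts above: a static bogon filter, loose and strict uRPF against a FIB, and prefix filtering of the FIB itself. This is an added example, not code from the post or from Team Cymru; the bogon list, the FIB, the interface names and the three packets are constructed stand-ins (the real bogon list the post refers to is not reproduced). It shows why a bogon source that has leaked into the FIB slips past loose uRPF, why only strict uRPF catches a source spoofed from another customer's routed prefix, and why a source spoofed from inside the infected host's own prefix (the post's same-/16 case) passes every one of these checks.

```python
"""Bogon filtering, uRPF and FIB prefix filtering on constructed data.
Added example for the thread above; nothing here is the post's own code."""
import ipaddress

# Constructed stand-in for the bogon list. The list the post mentions
# had 95 prefixes at the time; this is just enough to run the example.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed FIB: prefix -> egress interface. The 10.0.0.0/8 entry is a
# deliberately leaked bogon, the "what if a bogon gets into the FIB" case.
RAW_FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # customer A
    ipaddress.ip_network("203.0.113.0/24"): "eth2",   # customer B
    ipaddress.ip_network("192.0.2.0/24"): "eth3",     # upstream
    ipaddress.ip_network("10.0.0.0/8"): "eth2",       # should never be here
}


def is_bogon(src, bogons=BOGONS):
    """Static bogon filter: true if the source falls inside any bogon prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in bogons)


def filter_fib(fib, bogons=BOGONS):
    """Prefix filtering of the routing table: drop every route that is a
    bogon or lies inside one, so uRPF has nothing bogus to match against."""
    return {net: iface for net, iface in fib.items()
            if not any(net.subnet_of(b) for b in bogons)}


def lookup(fib, src):
    """Longest-prefix match; returns (prefix, egress interface) or None."""
    addr = ipaddress.ip_address(src)
    matches = [(net, iface) for net, iface in fib.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_loose(fib, src):
    """Loose uRPF: accept if the source is reachable via any route at all."""
    return lookup(fib, src) is not None


def urpf_strict(fib, src, ingress):
    """Strict uRPF: accept only if the best route back to the source points
    out the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def verdicts(src, ingress, fib=RAW_FIB):
    """Run every check on one packet; each value is True if that check
    would drop the packet."""
    clean = filter_fib(fib)
    return {
        "bogon_filter": is_bogon(src),
        "loose_urpf_unfiltered_fib": not urpf_loose(fib, src),
        "loose_urpf_filtered_fib": not urpf_loose(clean, src),
        "strict_urpf_filtered_fib": not urpf_strict(clean, src, ingress),
    }


if __name__ == "__main__":
    # Three constructed packets, all arriving from customer A on eth1.
    for src, note in (
        ("10.1.2.3", "bogon source"),
        ("203.0.113.7", "customer B's routed space, spoofed from A"),
        ("198.51.100.200", "spoofed within the infected host's own prefix"),
    ):
        dropped = [k for k, v in verdicts(src, "eth1").items() if v]
        print(f"{src:>15} ({note}): dropped by {dropped or 'nothing'}")
```

The third packet is the point of Rob's reply: a source spoofed from inside the infected host's own routed prefix is neither a bogon nor unreachable, so bogon filtering and uRPF both pass it, and something closer to the host (an ingress filter scoped to what that customer is actually assigned, or host-level controls) has to take over.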