RIPE Community Mail Archives

Re: [ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New Address Blocks

  • To: Andre Oppermann < >
  • From: Jørgen Hovland < >
  • Date: Wed, 25 Feb 2004 22:23:48 +0100 (CET)
  • Cc: Rob Thomas < >
    "Barry Greene (bgreene)" < >
    "'Jerome Fleury'" < >

Hi

On Wed, 25 Feb 2004, Andre Oppermann wrote:

> Rob Thomas wrote:
> >
> > Hi, team.
> >
> > ] Andre is right, the best solution is definitely not to filter bogons.
> >
> > Best solution for what problem, exactly?  :)
>
> That is the biggest question.  It seems to be a moving target.  The
> first problem mentioned was nasty spammers announcing prefixes from
> IANA reserved netblocks.  Now you open a second one with stating that
> address spoofing from bogon ranges is a problem.
>
> > Bogon filtering does help, though it can be accomplished in a variety
> > of ways (e.g. bogon route-servers, ACLs, uRPF with prefix filtering).
>
> Positive bogon filtering is exactly the wrong thing to do.  It simply
> doesn't scale.  You don't want to get packets with non-routed source
> addresses.  This again is very much different from bogons.  There are
> many prefixes out of the allocated netblocks which are not routed in
> the global routing system.  The only real fix you apply here is to
> check the source address of a packet if it is routeable.  If not, just
> drop it.  That alone is saving you any traffic from any kind of bogus
> prefix or netblock.  And the best of it is it automagically takes care
> of adjusting to new netblocks without any operator invention!
>

There are actually some people here doing exactly that: Sending packets
with an unroutable source-ip - with totally "legit" reasons.
It's bad enough that people actually use bogon-filters for
reserved blocks when it in my opinion should be limited to
unallocated blocks (for traffic blocking, not routes).
You simply don't block anyone's ip-range just because it isn't routable.
Blocking traffic is a security concern (still in my opinion).
Internet was probably designed for bi-directional communication, but it
doesn't mean you should ban one-way communication.

> Summary: Bogon filtering based on the IANA reserved listings is very
> much bogus in itself.
>

The problem with any list is that you have to maintain it. Many people
don't do that. The general solution could be to stop using bogon
filters at all?
I have seen it too, spammers advertising unallocated prefixes.
Don't have a routing-based solution to that. Spammers might as well
announce an allocated block already routed or not. That's something to
think about!

Joergen Hovland ENK
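
An added example, not part of the original thread: a small Python comparison of the two approaches argued over above, a static bogon list versus dropping any packet whose source address has no covering route. The prefixes are constructed from documentation ranges, and all function and variable names are hypothetical.

```python
import ipaddress

# Constructed sample data built from documentation prefixes; not real allocations.
# Snapshot of a bogon list taken when both blocks were still unallocated.
STALE_BOGON_LIST = ["198.51.100.0/24", "203.0.113.0/24"]
# Current routes (no default route): 198.51.100.0/24 has since been
# allocated and announced, but the list above was never updated.
ROUTING_TABLE = ["192.0.2.0/25", "198.51.100.0/24"]

SOURCES = {
    "192.0.2.10": "allocated and routed",
    "192.0.2.200": "allocated but not announced",
    "198.51.100.7": "newly allocated and routed, still on the stale list",
    "203.0.113.5": "unallocated and unrouted",
}

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def static_bogon_filter(src, bogons):
    """Accept (True) unless the source falls inside a listed bogon prefix."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in _nets(bogons))

def routable_source_check(src, routes):
    """Accept (True) only if some route covers the source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _nets(routes))

def compare(sources, bogons, routes):
    """Map each source to (static list verdict, routable-source verdict)."""
    return {s: (static_bogon_filter(s, bogons), routable_source_check(s, routes))
            for s in sources}

if __name__ == "__main__":
    for src, (by_list, by_route) in compare(SOURCES, STALE_BOGON_LIST, ROUTING_TABLE).items():
        print(f"{src:14} {SOURCES[src]:52} list={'accept' if by_list else 'drop':6} "
              f"route={'accept' if by_route else 'drop'}")
```

The second source is the case raised in the reply (a sender with an unannounced source address is dropped by the routability check), and the third is the unmaintained-list case, where a newly allocated block stays blocked.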



