[ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Previous message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Next message (by thread): [ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
Jørgen Hovland
jorgen at hovland.cx
Wed Feb 25 22:23:48 CET 2004
Hi

On Wed, 25 Feb 2004, Andre Oppermann wrote:

> Rob Thomas wrote:
> >
> > Hi, team.
> >
> > ] Andre is right, the best solution is definitely not to filter bogons.
> >
> > Best solution for what problem, exactly? :)
>
> That is the biggest question. It seems to be a moving target. The
> first problem mentioned was nasty spammers announcing prefixes from
> IANA reserved netblocks. Now you open a second one by stating that
> address spoofing from bogon ranges is a problem.
>
> > Bogon filtering does help, though it can be accomplished in a variety
> > of ways (e.g. bogon route-servers, ACLs, uRPF with prefix filtering).
>
> Positive bogon filtering is exactly the wrong thing to do. It simply
> doesn't scale. You don't want to get packets with non-routed source
> addresses. This again is very much different from bogons. There are
> many prefixes out of the allocated netblocks which are not routed in
> the global routing system. The only real fix you apply here is to
> check the source address of a packet if it is routable. If not, just
> drop it. That alone is saving you any traffic from any kind of bogus
> prefix or netblock. And the best of it is it automagically takes care
> of adjusting to new netblocks without any operator intervention!
>

There are actually some people here doing exactly that: sending packets with an unroutable source IP, with totally "legit" reasons. It's bad enough that people actually use bogon filters for reserved blocks when, in my opinion, it should be limited to unallocated blocks (for traffic blocking, not routes). You simply don't block anyone's IP range just because it isn't routable. Blocking traffic is a security concern (still, in my opinion). The Internet was probably designed for bi-directional communication, but that doesn't mean you should ban one-way communication.

> Summary: Bogon filtering based on the IANA reserved listings is very
> much bogus in itself.
>

The problem with any list is that you have to maintain it. Many people don't do that. The general solution could be to stop using bogon filters at all?

I have seen it too, spammers advertising unallocated prefixes. Don't have a routing-based solution to that. Spammers might as well announce an allocated block, already routed or not. That's something to think about!

Joergen Hovland ENK
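The two approaches argued over in this thread, a static bogon list versus a routing-table-based source check (loose-mode uRPF), can be compared side by side in a small simulation. The following Python is an added example and is not code from the thread or from any of its participants; the routing table, the stale bogon list and the sample source addresses are all constructed for illustration, and the assumption that 70.0.0.0/8 has just been allocated and routed while still appearing on an unmaintained bogon list is made up to show the failure mode the thread describes.

```python
import ipaddress

# Constructed sample data (not from the thread).  A tiny stand-in for the
# global routing table; RFC 5737 documentation prefixes play customer routes.
ROUTING_TABLE = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "70.0.0.0/8",       # assumption: newly allocated and now routed
)]

# A bogon list that nobody updated after 70.0.0.0/8 was handed out.
STALE_BOGON_LIST = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",
    "10.0.0.0/8",
    "70.0.0.0/8",       # still listed because the list was not maintained
    "127.0.0.0/8",
    "224.0.0.0/4",
)]


def bogon_filter_accepts(src, bogons=STALE_BOGON_LIST):
    """Static bogon ACL: a packet is dropped only if its source address
    falls inside one of the listed prefixes.  Anything not on the list,
    routed or not, gets through."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in bogons)


def loose_urpf_accepts(src, table=ROUTING_TABLE):
    """Loose-mode uRPF as described in the quoted mail: accept a packet
    only if some route in the table covers its source address.  No list
    to maintain; a newly routed block is accepted as soon as the route
    appears.  Note the cost the reply raises: a deliberately one-way
    sender using an unrouted source is dropped as well."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in table)


def compare(sources):
    """Return, per source address, the verdict of both mechanisms."""
    return {
        s: {"bogon_list": bogon_filter_accepts(s), "urpf": loose_urpf_accepts(s)}
        for s in sources
    }


if __name__ == "__main__":
    # Constructed packet sources covering the cases discussed in the thread.
    for src, verdict in compare([
        "192.0.2.10",    # routed, not a bogon: both accept
        "10.1.1.1",      # private space: both drop
        "70.1.2.3",      # newly allocated: stale list drops it, uRPF accepts
        "100.64.0.1",    # unrouted and absent from the list: only uRPF drops
    ]).items():
        print(f"{src:>12}  bogon_list={'accept' if verdict['bogon_list'] else 'drop':6}"
              f"  urpf={'accept' if verdict['urpf'] else 'drop'}")
```

Running it shows the two points at once: the stale list blocks the legitimately allocated 70.1.2.3 and passes the unrouted 100.64.0.1, while the routing-table check gets both right without anyone editing a list, at the price of also dropping any one-way sender that chose an unrouted source on purpose.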