North American Network Operators Group


RE: 69/8...this sucks -- Centralizing filtering..

  • From: Christopher L. Morrow
  • Date: Mon Mar 10 12:37:28 2003

On Mon, 10 Mar 2003, Mark Segal wrote:

>
> What surprises me most about this entire thread is the lack of centralized
> filtering.

Central as in 'ALL INTERNET USES MY FILTERING SERVICE' or... 'My network
uses my filter service and your network uses yours'?

>
> Since most service providers should be thinking about a sink hole network
> for security auditing (and backscatter),  why not have ONE place where you
> advertise all unreachable, or better yet -- a default (ie everything NOT
> learned through BGP peers), and just forward the packets to a bit bucket..

This can be VERY dangerous, the default part at least. At one point we, as
an experiment in stupidity (it turns out) announced 0/1 (almost default).
We quickly received well over 600kpps to that announcement. This in a very
steady stream... When one announces a very large block like this there are
always unintended consequences :( There is a lot of traffic spewed out to
non-available address space, this traffic is very large when aggregated :)

> Which is better than an access list since, now we are forwarding packets
> instead of sending them to a CPU to increase router load.

Yes, routes to null0 or to a dead interface/collection host are much nicer
than acls. So, for this perhaps instead of acls uRPF would be a solution
for the implementor?

>
> I don't think ARIN can help the situation.  ISPs just need to remove the
> access lists from each router in the network and centralize them.
>

Or, have an 'automated' manner to deploy/audit/change said acls? RAT
perhaps or some other 'automated' router config checking/deployment tool?

> Regards,
> mark
>
> --
> Mark Segal
> Director, Data Services
> Futureway Communications Inc.
> Tel: (905)326-1570
>
>
> > -----Original Message-----
> > From: E.B. Dreger [mailto:[email protected]]
> > Sent: March 10, 2003 10:17 AM
> > To: [email protected]
> > Subject: Re: 69/8...this sucks
> >
> >
> >
> > > Date: Mon, 10 Mar 2003 09:46:33 +0000
> > > From: Michael.Dillon
> >
> >
> > > I have suggested that ARIN should set up an LDAP server to
> > publish the
> > > delegation of all their IP address space updated
> >
> > Not bad, but will the lazy ISPs set up an LDAP server to
> > track changes they aren't tracking now?  Will those with
> > erroneous filters magically change simply because of LDAP?  I
> > still contend the answer is a boot to the head that
> > screams to them, "Update your freaking filters!"
> >
> >
> > Eddy
> > --
> > Brotsman & Dreger, Inc. - EverQuick Internet Division
> > Bandwidth, consulting, e-commerce, hosting, and network building
> > Phone: +1 (785) 865-5885 Lawrence and [inter]national
> > Phone: +1 (316) 794-8922 Wichita
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> > From: A Trap <[email protected]>
> > To: [email protected]
> > Subject: Please ignore this portion of my mail signature.
> >
> > These last few lines are a trap for address-harvesting
> > spambots. Do NOT send mail to <[email protected]>, or you
> > are likely to be blocked.
> >
>
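The thread's two practical points are (a) sinkhole-style null routes or prefix-list denies are cheaper than ACLs, but a near-default announcement like 0/1 is dangerous, and (b) the real problem with 69/8 is stale filters that nobody audits, so the fix is an automated audit/deployment tool. The script below is an added illustration of such an audit and is not code from the thread or from any of its authors. It assumes Cisco IOS-style `ip route ... Null0` and `ip prefix-list ... deny` syntax; the sample config and the "still unallocated" list are constructed for the example (the list is deliberately short and not authoritative, and 69.0.0.0/8 is intentionally absent from it because the thread's premise is that 69/8 is now allocated and must be removed from filters).

```python
"""Audit sinkhole/bogon filter lines in a router config.

Added example, not part of the NANOG thread. Assumes IOS-style syntax;
the sample config and UNALLOCATED list are constructed for illustration.
"""
import ipaddress
import re

# Constructed: address space this audit still treats as unallocated/bogon.
# 69.0.0.0/8 is intentionally NOT here, so any filter on it is reported stale.
UNALLOCATED = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "240.0.0.0/4",
)]

# Null routes shorter than this are "almost default" and get flagged; the
# thread reports >600 kpps arriving after announcing 0/1.
MAX_NULL_ROUTE_PREFIXLEN = 8

STATIC_RE = re.compile(r"^ip route (\S+) (\S+) Null0", re.I)
PLIST_RE = re.compile(r"^ip prefix-list (\S+) (?:seq \d+ )?deny (\S+)", re.I)


def parse_filters(config_text):
    """Return (kind, name, network) tuples for every sinkhole-style filter line."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = STATIC_RE.match(line)
        if m:
            # "ip route 69.0.0.0 255.0.0.0 Null0" -> 69.0.0.0/8
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            found.append(("null-route", "static", net))
            continue
        m = PLIST_RE.match(line)
        if m:
            net = ipaddress.ip_network(m.group(2), strict=False)
            found.append(("prefix-list-deny", m.group(1), net))
    return found


def audit(config_text, unallocated=UNALLOCATED, max_len=MAX_NULL_ROUTE_PREFIXLEN):
    """Return a list of finding strings; an empty list means nothing to fix."""
    findings = []
    for kind, name, net in parse_filters(config_text):
        # A filter is current only if it lies entirely inside unallocated space.
        if not any(net.subnet_of(u) for u in unallocated):
            findings.append(f"STALE {kind} {name}: {net} is not unallocated space")
        # Null-routing anything wider than max_len risks the 0/1 experience.
        if kind == "null-route" and net.prefixlen < max_len:
            findings.append(f"BROAD null-route {net}: wider than /{max_len}")
    return findings


# Constructed sample config, not from any real router.
SAMPLE_CONFIG = """\
! constructed sample
ip route 10.0.0.0 255.0.0.0 Null0
ip route 69.0.0.0 255.0.0.0 Null0
ip route 0.0.0.0 128.0.0.0 Null0
ip prefix-list BOGONS seq 5 deny 127.0.0.0/8
ip prefix-list BOGONS seq 10 deny 69.0.0.0/8 le 32
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a directory of pulled configs, a tool like this turns "update your freaking filters" into a nightly diff: every null route or prefix-list deny that no longer falls inside the current unallocated list is reported, and any null route broad enough to act as a near-default gets its own warning.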