North American Network Operators Group

RE: 69/8...this sucks -- Centralizing filtering..
On Mon, 10 Mar 2003, Mark Segal wrote:

> What surprises me most about this entire thread is the lack of centralized
> filtering.

Central as in 'ALL INTERNET USES MY FILTERING SERVICE' or... 'My network uses my filter service and your network uses yours'?

> Since most service providers should be thinking about a sink hole network
> for security auditing (and backscatter), why not have ONE place where you
> advertise all unreachable, or better yet -- a default (ie everything NOT
> learned through BGP peers), and just forward the packets to a bit bucket..

This can be VERY dangerous, the default part at least. At one point we, as an experiment in stupidity (it turns out), announced 0/1 (almost default). We quickly received well over 600kpps to that announcement. This in a very steady stream... When one announces a very large block like this there are always unintended consequences :( There is a lot of traffic spewed out to non-available address space, this traffic is very large when aggregated :)

> Which is better than an access list since, now we are forwarding packets
> instead of sending them to a CPU to increase router load.

Yes, routes to null0 or to a dead interface/collection host are much nicer than acls. So, for this perhaps instead of acls uRPF would be a solution for the implementor?

> I don't think ARIN can help the situation. ISPs just need to remove the
> access lists from each router in the network and centralize them.

Or, have an 'automated' manner to deploy/audit/change said acls? RAT perhaps or some other 'automated' router config checking/deployment tool?

> Regards,
> mark
>
> --
> Mark Segal
> Director, Data Services
> Futureway Communications Inc.
> Tel: (905)326-1570
>
> > -----Original Message-----
> > From: E.B. Dreger [mailto:[email protected]]
> > Sent: March 10, 2003 10:17 AM
> > To: [email protected]
> > Subject: Re: 69/8...this sucks
> >
> > > Date: Mon, 10 Mar 2003 09:46:33 +0000
> > > From: Michael.Dillon
> > >
> > > I have suggested that ARIN should set up an LDAP server to
> > > publish the delegation of all their IP address space updated
> >
> > Not bad, but will the lazy ISPs set up an LDAP server to
> > track changes they aren't tracking now? Will those with
> > erroneous filters magically change simply because of LDAP? I
> > still contend the answer is a boot to the head that
> > screams to them, "Update your freaking filters!"
> >
> > Eddy
> > --
> > Brotsman & Dreger, Inc. - EverQuick Internet Division
> > Bandwidth, consulting, e-commerce, hosting, and network building
> > Phone: +1 (785) 865-5885 Lawrence and [inter]national
> > Phone: +1 (316) 794-8922 Wichita
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
> > From: A Trap <[email protected]>
> > To: [email protected]
> > Subject: Please ignore this portion of my mail signature.
> >
> > These last few lines are a trap for address-harvesting
> > spambots. Do NOT send mail to <[email protected]>, or you
> > are likely to be blocked.
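An added example, not code from any participant in the thread, of the kind of automated filter audit the reply asks about: it parses Cisco-style bogon deny entries from a constructed ACL and flags any that now overlap a constructed list of allocated prefixes (a registry feed would be the real input), so a stale entry still blocking 69/8 gets reported instead of silently dropping legitimate traffic.

```python
import ipaddress
import re

# Constructed sample ACL in Cisco syntax; not taken from any router in the thread.
SAMPLE_ACL = """\
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 69.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
"""

# Constructed stand-in for an authoritative allocation list (in practice a registry
# feed); it lists 69.0.0.0/8 as allocated because that is the thread's subject.
ALLOCATED = [ipaddress.ip_network(p) for p in ("64.0.0.0/8", "69.0.0.0/8")]

DENY_RE = re.compile(r"^access-list\s+\d+\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")

def wildcard_to_network(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into an ip_network.

    The wildcard is a hostmask (one bits = don't care). Only contiguous masks
    are accepted, which is all a prefix-style bogon entry should ever use."""
    host_bits = int(ipaddress.ip_address(wildcard))
    if host_bits != (1 << host_bits.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)

def deny_networks(acl_text):
    """Yield (line_number, network) for every prefix-style deny entry."""
    for lineno, line in enumerate(acl_text.splitlines(), 1):
        m = DENY_RE.match(line.strip())
        if m:
            yield lineno, wildcard_to_network(*m.groups())

def stale_entries(acl_text, allocated):
    """Return deny entries that overlap allocated space: these are the filters
    that need updating, since they now drop traffic from legitimate prefixes."""
    return [(lineno, net) for lineno, net in deny_networks(acl_text)
            if any(net.overlaps(a) for a in allocated)]

if __name__ == "__main__":
    for lineno, net in stale_entries(SAMPLE_ACL, ALLOCATED):
        print(f"line {lineno}: deny of {net} blocks allocated space")
```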