North American Network Operators Group
Re: 69/8...this sucks
Apologies for the poor attempt at humor... However, there is some useful content at the end of the message. Essentially, I think this is one of those problems that can never fully be solved. Just as we will never get every last worm-infected host off the network. The best that we can do is provide procedures for those who filter on unallocated space so they can keep their filters updated on a timely and accurate basis. For those who do not wish to use such procedures, we should stridently urge them to filter only on martians, not unallocated space.

-Larry Blunk
 Merit

> I agree.
>
> -----Original Message-----
> From: Rick Duff [mailto:[email protected]]
> Sent: Tuesday, March 11, 2003 2:09 PM
> To: 'Larry J. Blunk'; 'Andy Dills'
> Cc: 'Ejay Hire'; [email protected]
> Subject: RE: 69/8...this sucks
>
> I've never posted to the list, just lurk, for over a year now, but this has to be said. Can we please take this discussion off-list to private conversation. It's gotten worse than spam. I see a nanog message and just start deleting them now.
>
> -rd
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Larry J. Blunk
> Sent: Tuesday, March 11, 2003 1:01 PM
> To: Andy Dills
> Cc: Ejay Hire; [email protected]
> Subject: Re: 69/8...this sucks
>
> > On Tue, 11 Mar 2003, Ejay Hire wrote:
> >
> > > Er, guys... How does this fix the problem of a Malicious user advertising a more specific bogon route?
> >
> > Come on...clearly you haven't been paying attention.
> >
> > You need LDAP filters. LDAP filters and a South Vietnamese revolution against the IRRs for being fragmented and greedy.
>
> Careful. We are watching and are prepared to ruthlessly squash any attempted rebellion.
>
> > And if that doesn't poison your inverse arp, then multiplex a private bogon server with a centralized host scanner-based DNSBL. Don't forget the trailing dot! And don't forget to invert the subnet mask!
>
> Hey, I've already thought of all that and captured it in an XML schema (with ASN.1 encoding)! I will be presenting an Internet Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings.
>
> Seriously... As has been suggested, I think we need to do a better job of identifying the population and type of devices that are filtering these prefixes. Are they really predominately BGP speaking routers, or largely some mishmash of non-BGP speaking firewalls/proxies/NAT's?
>
> If it's the former, then a BGP based solution has some merit. If the latter, I think it unreasonable to expect these firewalls to speak BGP. What's needed is a canonical representation of the bogon list and some tools to generate the filter list in the appropriate config format for a number of target devices.
>
> There's already a canonical list maintained by Rob Thomas in the RADB (see fltr-martian, fltr-unallocated, and fltr-bogons). I've suggested to Rob that he may want to include a PGP signature in a remarks section of the object to provide a greater level of confidence (hopefully with a key that's escrowed somehow -- god forbid anything should happen to Rob). I should also note that some of the RIR's have indicated they will be providing more precise information on their unallocated space.
>
> As far as tools go, while IRRToolSet has extensive support for RPSL, it may be too complex for a novice Net admin. Perhaps some simple Perl scripts to generate filter configs from RPSL filter objects would be useful?
>
> Larry Blunk
> Merit
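Added example (not code from the thread, Merit, Rob Thomas or the RADB) of the small filter-generating tool Larry describes: it reads an RPSL filter-set object in the shape of the RADB objects he names and emits a Cisco prefix-list, in Python rather than the Perl he suggests. The object below is constructed with sample prefixes and a sample changed: date, and the generator copies that date into the prefix-list description so an operator auditing a router can see how old the deployed list is, which is exactly the staleness that kept 69/8 blocked.

```python
import re
from ipaddress import ip_network

# Constructed RPSL filter-set object in the shape of the RADB objects named in
# the thread; the prefixes and changed: date are sample values, not the real
# fltr-martian object.
FLTR_MARTIAN = """\
filter-set:  fltr-martian
filter:      { 0.0.0.0/8^+, 10.0.0.0/8^+, 127.0.0.0/8^+,
               192.168.0.0/16^+, 240.0.0.0/4^+ }
changed:     hostmaster@example.net 20030311
"""
# IPv4 prefix followed by an optional RPSL range operator: ^+, ^-, ^n or ^n-m
PREFIX_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)(\^[-+]|\^\d+(?:-\d+)?)?")

def parse_filter_set(text):
    """Return (object name, changed: value, [(prefix, range operator), ...])."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:          # RPSL continuation line
            attrs[key] += " " + line.strip()
        elif ":" in line:
            key, _, value = (s.strip() for s in line.partition(":"))
            attrs[key] = value
    return attrs["filter-set"], attrs.get("changed", "unknown"), PREFIX_RE.findall(attrs["filter"])

def rpsl_op_to_cisco(prefix, op):
    """Translate an RPSL range operator into Cisco prefix-list ge/le qualifiers."""
    net = ip_network(prefix)                    # rejects malformed prefixes
    if op == "":                                # exact-length match only
        return ""
    if op == "^+":                              # the prefix plus all more-specifics
        return f" le {net.max_prefixlen}"
    if op == "^-":                              # more-specifics only
        return f" ge {net.prefixlen + 1} le {net.max_prefixlen}"
    low, _, high = op[1:].partition("-")        # ^n or ^n-m
    return f" ge {low} le {high or low}"

def to_cisco_prefix_list(text, list_name="bogons", step=5):
    """Emit deny entries for every term, ending in permit-any; the description
    carries the source object's changed: date so a stale filter can be spotted."""
    name, changed, terms = parse_filter_set(text)
    lines = [f"ip prefix-list {list_name} description from {name}, changed {changed}"]
    for seq, (prefix, op) in enumerate(terms, start=1):
        lines.append(f"ip prefix-list {list_name} seq {seq * step} deny "
                     f"{prefix}{rpsl_op_to_cisco(prefix, op)}")
    lines.append(f"ip prefix-list {list_name} seq {(len(terms) + 1) * step} "
                 "permit 0.0.0.0/0 le 32")
    return lines
```

Calling `to_cisco_prefix_list(FLTR_MARTIAN)` returns the config lines; a martian-only list like this one changes rarely, whereas a generated fltr-unallocated list needs regenerating whenever the RIRs hand out new space.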