North American Network Operators Group


Re: Best way to get of Bogon list?

  • From: Christopher L. Morrow
  • Date: Sat Nov 27 03:06:06 2004

On Fri, 26 Nov 2004, Iljitsch van Beijnum wrote:

>
> On 26-nov-04, at 8:29, Christopher L. Morrow wrote:
>
> >> Can someone identify the *benefits* of using bogon lists for
> >> unallocated space? It appears that it only hurts connectivity, but
> >> does not help in any significant way to enhance security.
>
> > It might be a way to proactively keep your part of the network
> > 'cleaner' than the other parts... 'managed' properly and 'updated'
> > regularly (when changes dictate an update is required) it might even
> > be seamless to your userbase.
>
> > The devil here is, as always, in the details. Once you move beyond
> > some number of devices or acls or 'parts', making changes on a wide
> > scale and keeping things up to date becomes more difficult.
>
> I've never been a fan of bogon packet filtering (bogon route filtering
> is more useful), but it occurs to me that it's probably better for us
> network operators to do this rather than have each and every firewall
> admin do it for themselves.

be it 'route' filtering or 'packet' filtering, the end result is the same in
this case, eh? (no route back means packet drop). Being the internet's
firewall is a dangerous proposition, ask those that dropped ICMP on large
backbones during Welchia... :(

Anyway, the problem from the requestor is only going to be remedied by him
contacting all the 'bad' people, or their users contacting their providers
to get to his interesting content :( Another poster pointed out that
static filters are just a bad plan, that reminds me I need to automate
updates to the filters on some other things :( I'll bet I'm blocking the
original poster's access to some places too :(

>
> I.e., in networks that do proper BCP38 filtering towards their
> customers and bogon filtering on the edges to other networks, customers
> will never see packets from bogon sources, making it unnecessary for
> them to filter those themselves and thereby improving the plight of
> those who get address space that was recently allocated to a RIR by the
> IANA.

To some extent this is correct, but these users really need to learn to
effectively protect themselves. In the long term at least.
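The failure mode the thread is about, a static bogon ACL that is never refreshed after IANA hands a block to an RIR, as an added example that is not part of the original post or of any list publisher's tooling. The prefix lists, the one-prefix-per-line format with '#' comments, and the flow records below are all constructed for illustration; the block 203.0.113.0/24 plays the role of the original poster's freshly allocated space.

```python
"""Bogon-filter maintenance helper (added example, not from the NANOG thread).

Models the situation under discussion: a site keeps a static bogon ACL,
IANA later hands a previously unallocated block to an RIR, and anyone whose
copy of the list is not refreshed keeps dropping traffic from the new holder.
All prefixes and flow records are constructed; the plain-text list format is
an assumption chosen to resemble the lists operators commonly fetch.
"""
import ipaddress
from typing import Iterable

# Constructed "stale" snapshot: still lists 203.0.113.0/24 as unallocated.
STALE_LIST = """\
# bogon list, snapshot from some months ago (constructed)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
203.0.113.0/24
224.0.0.0/3
"""

# Constructed "current" snapshot: 203.0.113.0/24 has since been allocated.
CURRENT_LIST = STALE_LIST.replace("203.0.113.0/24\n", "")

# Constructed (src, dst) flows arriving at the site's ingress.
FLOWS = [
    ("203.0.113.5", "192.0.2.10"),   # the new holder of the released block
    ("10.4.4.4", "192.0.2.10"),      # genuinely bogus source (RFC 1918)
    ("198.51.100.7", "192.0.2.10"),  # ordinary, allocated source
]


def parse_bogon_list(text: str) -> list[ipaddress.IPv4Network]:
    """Parse one-prefix-per-line text, skipping blank lines and '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def is_bogon(addr: str, bogons: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any listed prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in bogons)


def apply_filter(flows, bogons):
    """Split flows into those an ingress bogon ACL passes and those it drops."""
    passed, dropped = [], []
    for src, dst in flows:
        (dropped if is_bogon(src, bogons) else passed).append((src, dst))
    return passed, dropped


def released_prefixes(stale, current) -> set:
    """Prefixes in the stale copy but gone from the current one: exactly the
    space whose new holders a never-updated ACL keeps blocking."""
    return set(stale) - set(current)


def cisco_acl(name: str, bogons) -> list[str]:
    """Render an IOS-style extended ACL denying bogon sources (wildcard masks),
    the artifact an automated refresh would regenerate and push."""
    lines = [f"ip access-list extended {name}"]
    for net in bogons:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    stale, current = parse_bogon_list(STALE_LIST), parse_bogon_list(CURRENT_LIST)
    for label, lst in (("stale", stale), ("current", current)):
        passed, dropped = apply_filter(FLOWS, lst)
        print(f"{label}: dropped {[s for s, _ in dropped]}")
    print("released since snapshot:", released_prefixes(stale, current))
    print("\n".join(cisco_acl("BOGONS-IN", current)))
```

Running the stale copy drops the 203.0.113.5 flow alongside the RFC 1918 one; the refreshed copy drops only the RFC 1918 source. `released_prefixes` is the check worth scheduling: any prefix it returns is space you are blocking that someone now legitimately holds.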