North American Network Operators Group


Re: Best way to get of Bogon list?

  • From: Iljitsch van Beijnum
  • Date: Sat Nov 27 12:05:17 2004

On 27-nov-04, at 9:02, Christopher L. Morrow wrote:

>> I've never been a fan of bogon packet filtering (bogon route filtering
>> is more useful), but it occurs to me that it's probably better for us
>> network operators to do this rather than have each and every firewall
>> admin do it for themselves.
>
> be it 'route' filtering or 'packet' filtering the end result is the same in
> this case, eh?
Well, with uRPF you can turn route filtering into packet filtering, but otherwise they're different. There is nothing bad that a packet with a bogon source can do that a packet with a non-bogon source can't do too. But spammers and the like can hijack unused address space to do untraceable nastiness if these routes aren't filtered.

> Being the internet's firewall is a dangerous proposition, ask those that dropped ICMP on large backbones during Welchia... :(

There are two big differences between filtering packets with bogon sources and firewalling in general: the bogon stuff can be done just by looking at the source address, and these packets never serve any useful purpose, so they can be filtered anywhere, anytime without problems. (While with ICMP some crazy people actually like to get the port unreachables rather than having to wait for a timeout, or for PMTUD to work.)

> To some extent this is correct, but these users really need to learn to
> effectively protect themselves. In the long term at least.
Never teach a pig to sing: it wastes your time and annoys the pig.
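The two mechanisms the message contrasts, a bogon source filter (decided from the source address alone) and strict uRPF (decided by a route lookup on the source address against the ingress interface), as a toy packet filter. This is an added illustration, not code from the thread or from any vendor; the bogon prefixes, the routing table, the interface names and the sample packets are all constructed for the example and are not the Team Cymru list or a real router's FIB. The `null0` entry for 10.0.0.0/8 shows the point about uRPF: once a bogon prefix is routed to a discard interface, uRPF drops packets with that source on every interface without a separate ACL.

```python
"""Bogon source filtering versus strict uRPF, as a toy packet filter.

Added example for illustration; not code from the NANOG thread.  The
bogon list, routing table and interface names below are constructed for
this example and are not a real bogon feed or router configuration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed subset of address space that should never appear as a
# packet source on the public Internet (RFC 1918, loopback, link-local,
# "this" network, TEST-NET-1, multicast, reserved).  A real deployment
# pulls the current list from a maintained feed, since allocations change.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon_source(src: str) -> bool:
    """Bogon packet filtering: decided purely from the source address,
    with no dependency on routing state, so it can sit on any interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


# Constructed routing table: prefix -> next-hop interface.  "null0" is a
# discard interface; routing a bogon prefix there is the "route filtering"
# half of the discussion.
RIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream",
    ipaddress.ip_network("203.0.113.0/24"): "customer0",
    ipaddress.ip_network("198.51.100.0/24"): "customer1",
    ipaddress.ip_network("10.0.0.0/8"): "null0",
}


def lookup(dst: str) -> Optional[str]:
    """Longest-prefix match, the way a forwarding table resolves an address."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in RIB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_passes(src: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the route back to the source address
    points out the interface the packet arrived on.  This is how the
    contents of the routing table become a packet filter: a source whose
    best route is null0 (or missing) never matches any ingress interface."""
    return lookup(src) == ingress


def filter_packet(src: str, ingress: str) -> Tuple[bool, str]:
    """Combined decision: bogon ACL first, then strict uRPF."""
    if is_bogon_source(src):
        return False, "bogon source"
    if not urpf_strict_passes(src, ingress):
        return False, "uRPF fail"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    samples = [
        ("10.1.2.3", "upstream"),       # private source from the Internet
        ("203.0.113.5", "customer0"),   # customer's own prefix, right port
        ("203.0.113.5", "upstream"),    # customer prefix spoofed from upstream
        ("172.32.1.1", "upstream"),     # ordinary source via default route
    ]
    for src, iface in samples:
        ok, why = filter_packet(src, iface)
        print(f"{src:>14} on {iface:<9} -> {'accept' if ok else 'drop':6} ({why})")
```

Note the caveat strict uRPF carries on an interface with a default route: `lookup` resolves every otherwise-unrouted source to `upstream`, so on that interface uRPF only catches sources the table explicitly sends elsewhere (customer prefixes, null-routed bogons). That is why the null route, or the standalone bogon ACL, is still needed at the edge facing the Internet.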