North American Network Operators Group


Re: How many backbones here are filtering the makelovenotspam screensaver site?

  • From: Andre Oppermann
  • Date: Fri Dec 03 04:58:28 2004

Hank Nussbacher wrote:
> On Fri, 3 Dec 2004, Elmar K. Bins wrote:
>
>> And while Cisco's autosecure feature looks fine in most parts (saves
>> a lazy overworked bum like me a lot of typing), it does not do much
>> good - in my opinion - when it comes to bogon filtering. I prefer
>> knowing what the filter looks like, and it does not seem to give me
>> that, nor any way of modifying the list (correct me if I'm wrong).
>
> See pages 9, 10 and 12 of the PDF I posted. Specifically, it
> sets up: "ip access-list extended autosec_iana_reserved_block", and "ip
> access-list extended autosec_complete_bogon" which you of course can
> change like any other ACL.
This is broken by design.

Routers would ship with the iana_reserved_block list of when they were
manufactured.  If the user is stoopid enough not to be able to get his
filters from Cymru directly then he should not have any filtering at all
because he is never going to update it anyway in the future.  Ergo lots
of black holes for newly allocated address spaces to the RIRs.

The cure will be far worse than the disease if routers would come with
pre-configured bogon lists.

And you are missing a big point: what bogons are bogons?  In an enterprise
setup the RFC1918 space (10/8, 172.16/12, 192.168/16) is most likely not
a bogon while it most likely is for an ISP.  Breaks right here.

On top of that it is solving a non-problem.  There is only little junk
coming from the non-iana allocated ranges.  And that is easily taken
care of by filtering inbound traffic at the customer edges (i.e. allow
customers to send only traffic with source IPs out of the assigned
IP range).

If you do any bogon filtering at all then do it with some automatically
updating system like a BGP bogon feed from Cymru.
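The three points above (a bogon ACL frozen at manufacture time blackholing later RIR allocations, RFC1918 being a bogon for an ISP but not for an enterprise, and source filtering at the customer edge needing no bogon list at all) worked through as an added example; this is not code from the thread, and the prefixes used for the frozen ACL and the later allocations are constructed stand-ins (TEST-NET ranges), not real allocation data.

```python
from ipaddress import ip_address, ip_network

# Constructed data (not from the thread): a bogon ACL frozen when the
# router was built, and prefixes the RIRs handed out afterwards.  The
# documentation TEST-NET ranges stand in for real allocations.
FROZEN_BOGON_ACL = [ip_network(p) for p in
                    ("0.0.0.0/8", "127.0.0.0/8",
                     "198.51.100.0/24", "203.0.113.0/24")]
ALLOCATED_SINCE_BUILD = [ip_network("198.51.100.0/24"),
                         ip_network("203.0.113.128/25")]

RFC1918 = [ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def blackholed_by_stale_acl(frozen_acl, allocated_since):
    """Return the later-allocated prefixes that a never-updated bogon ACL
    would still drop, i.e. the black holes the post warns about."""
    return [p for p in allocated_since
            if any(p.subnet_of(b) or b.subnet_of(p) for b in frozen_acl)]


def is_bogon(src, role, unallocated):
    """Decide whether a source address is a bogon *for this network*.

    RFC1918 space is legitimate inside an enterprise but a bogon at an
    ISP edge; unallocated space is a bogon everywhere.  role is "isp"
    or "enterprise" (a name chosen for this example).
    """
    addr = ip_address(src)
    if role == "isp" and any(addr in n for n in RFC1918):
        return True
    return any(addr in n for n in unallocated)


def customer_edge_permits(src, assigned):
    """Customer-edge ingress check: a customer may only source traffic
    from the prefixes assigned to it.  No bogon list is needed, and the
    rule never goes stale because it tracks the customer's assignment."""
    addr = ip_address(src)
    return any(addr in ip_network(n) for n in assigned)


if __name__ == "__main__":
    for p in blackholed_by_stale_acl(FROZEN_BOGON_ACL, ALLOCATED_SINCE_BUILD):
        print(f"stale ACL would black-hole newly allocated {p}")
    print("10.1.2.3 at ISP edge bogon:", is_bogon("10.1.2.3", "isp", FROZEN_BOGON_ACL))
    print("10.1.2.3 in enterprise bogon:", is_bogon("10.1.2.3", "enterprise", FROZEN_BOGON_ACL))
    print("customer edge permits 192.0.2.17:", customer_edge_permits("192.0.2.17", ["192.0.2.0/24"]))
```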