North American Network Operators Group


Re: Bogon filtering (don't ban me)

  • From: william(at)elan.net
  • Date: Sun Dec 05 13:04:37 2004

On Sun, 5 Dec 2004, Joe Abley wrote:

> On 5 Dec 2004, at 06:50, Cliff Albert wrote:
> 
> > I have one question regarding the CYMRU bogon route-server. What good is
> > it if more-specific bogons are going around in the BGP table?
> 
> With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to 
> BGP updates received from individual peers which updates a pf radix 
> table with the network received:

PF and bgpd with a local filter table is good when you're expecting those
filtered IP routes to change often. But this is not true about bogons,
which for cymru IANA-only data changes a couple of times a year and for
completewhois full RIR bogon changes once/day. Both of those are not
often enough that updating firewall filters from an active BGP session is
worth it; it's easier to just download a list of bogons once/day or once/week
from web or ftp and update local rules.

The Completewhois webpage on how to use our bogon data has all the scripts for
doing bogon firewall filtering on Linux, FreeBSD and OpenBSD machines, 
see http://www.completewhois.com/bogons/using_bogon_lists.htm

---
William Leibzon, Elan Networks:
 mailto: [email protected]
Anti-Spam and Email Security Research Worksite:
 http://www.elan.net/~william/emailsecurity/
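
The periodic download-and-update approach described in this message, sketched as an added example that is not part of the original post and is not one of the completewhois scripts. It assumes the downloaded list is one IPv4 CIDR per line with `#` comments; the sample data, the `MIN_PREFIXLEN` floor and all function names are constructed for illustration. It validates the list before it reaches the firewall, and it also shows the more-specific check raised in the quoted question.

```python
import ipaddress

# Constructed sample of a downloaded list. The layout is an assumption:
# one IPv4 CIDR per line, '#' starts a comment.
SAMPLE_LIST = """\
# constructed sample, not real bogon data
10.0.0.0/8
192.168.0.0/17
192.168.128.0/17
172.16.0.0/12   # trailing comment
0.0.0.0/0
not-a-prefix
198.51.100.7/24
"""

MIN_PREFIXLEN = 3  # hypothetical sanity floor: refuse anything broader than a /3

def parse_bogons(text, min_prefixlen=MIN_PREFIXLEN):
    """Return (collapsed networks, rejected lines) from a downloaded list."""
    nets, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError:
            rejected.append((lineno, entry, "malformed or host bits set"))
            continue
        if net.prefixlen < min_prefixlen:
            # A corrupted list containing e.g. 0.0.0.0/0 would block everything.
            rejected.append((lineno, entry, "too broad"))
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected

def covering_bogon(prefix, bogons):
    """Return the bogon containing prefix (equal or more-specific), or None."""
    net = ipaddress.IPv4Network(prefix)
    return next((b for b in bogons if net.subnet_of(b)), None)

def render_pf_table(bogons):
    """One network per line, the layout pf reads for a file-backed table."""
    return "".join(f"{b}\n" for b in bogons)

if __name__ == "__main__":
    bogons, rejected = parse_bogons(SAMPLE_LIST)
    print(render_pf_table(bogons), end="")
    for lineno, entry, why in rejected:
        print(f"rejected line {lineno}: {entry!r} ({why})")
```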