North American Network Operators Group


Re: Bogon filtering (don't ban me)

  • From: Iljitsch van Beijnum
  • Date: Sun Dec 05 13:53:38 2004

On 5-dec-04, at 19:29, Joe Maimon wrote:

> I think that a BGP mechanism to tag routes as "ignore all more specifics" would solve this problem nicely. (and perhaps a whole lot others -- such as needless deaggregation)
Yeah, like people who are needlessly deaggregating are going to send out an aggregate with this tag on it...

What you want is a way to inject filters into a box remotely with live updating. So this is what the vendors should build.

> As far as router vendors such as Cisco autosecure, I do not think there is any way to make default access lists lossless. They should step up to the plate and offer md5 by system serial number keyed multihop BGP bogons in the manner of cymru. It's their responsibility.
Why?

Why should anyone bother?

Why are we even discussing this?

The whole point that started this discussion is that bogon filtering is HARMFUL a good part of the time. And it doesn't really do anything useful to begin with! You get to reject packets from dark address space, but:

- That's only some 40% of all address space, so you need to be able to deal with the other 60% anyway. Why would whatever mechanism deals with the 60% be unable to deal with the additional 40%?

- (Loose) uRPF will buy you the exact same functionality and more without any upkeep.
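As an added illustration of the argument in this message (not part of the original post), here is a small Python model of the two filters on constructed sample prefixes: a hand-maintained bogon ACL that has gone stale next to a loose uRPF lookup against the current routing table. The route entries, the "stale" bogon list and the test addresses are all assumed sample data (RFC 5737 and RFC 1918 ranges), not real allocations.

```python
"""
Stale bogon ACL vs loose uRPF on constructed sample data.

Loose uRPF (Unicast Reverse Path Forwarding) permits a source address if
*any* route to it exists in the routing table; a bogon ACL permits it only
if it is absent from a hand-maintained list of unallocated prefixes.
All prefixes below are constructed sample data (RFC 5737 / RFC 1918 ranges).
"""
from ipaddress import ip_address, ip_network

# Constructed routing table (what the router currently knows how to reach).
# No default route: loose uRPF with a default route would permit everything.
ROUTES = [ip_network(p) for p in (
    "192.0.2.0/24",       # customer A
    "198.51.100.0/24",    # prefix announced after the ACL below was written
    "203.0.113.0/25",     # customer B (only the lower half is routed)
)]

# Constructed bogon ACL, written before 198.51.100.0/24 was allocated and
# never updated: that is the "upkeep" problem the thread is talking about.
STALE_BOGONS = [ip_network(p) for p in (
    "10.0.0.0/8",
    "198.51.100.0/24",
)]

def loose_urpf_permits(src, routes=ROUTES):
    """Loose-mode check: permit if some (non-default) route covers the source."""
    addr = ip_address(src)
    return any(addr in r for r in routes)

def bogon_acl_permits(src, bogons=STALE_BOGONS):
    """Static filter: permit unless the source falls inside a listed bogon."""
    addr = ip_address(src)
    return not any(addr in b for b in bogons)

def compare(src):
    """Return (bogon_acl_permits, loose_urpf_permits) for one source address."""
    return bogon_acl_permits(src), loose_urpf_permits(src)

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", "10.1.2.3", "203.0.113.200"):
        acl, urpf = compare(src)
        print(src, "bogon ACL:", "permit" if acl else "drop",
              "| loose uRPF:", "permit" if urpf else "drop")
```

The second address shows the harm the message describes (legitimate, routed traffic dropped by a list nobody updated), while the last shows loose uRPF also dropping unrouted space the list never enumerated.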