North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-pointethernet link]

  • From: Robert E. Seastrom
  • Date: Thu Nov 09 18:55:55 2006

Niels Bakker <[email protected]> writes:

> * [email protected] (Robert E. Seastrom) [Thu 09 Nov 2006, 16:02 CET]:
> [..]
>> Steve's 100% spot-on here.  I don't have bogon filters at all and it
>> hasn't hurt me in the least.  I think the notion that this is
>> somehow a good practice needs to be quashed.
> Yeah!  This "Principle of minimal privilege" is totally not applicable
> to real, live networks...

I'm not sure what principle of minimal privilege has to do with
filtering addresses that are known unissued.  Seems to me that the
principle of minimal privilege would allow connections only from
addresses from which you are specifically expecting them, not from
"the internet at large minus a few blocks that aren't issued".
Particularly in the case of spam abatement, where the vast majority of
spam comes from compromised Windows hosts (which are probably *not*
residing on unissued space), I can't see the point.  We could get into
some kind of meta-discussion about DoS attacks and the like, but at
that point you probably want your upstream doing the filtering for you
before it clogs your links.  Bottom line: my gut feeling is that the
threat that unissued "bogon" space poses pales in comparison to the
Bad Neighborhood that is the Internet.  I would welcome a pointer to
some kind of actual research that shows this to be incorrect.

Of course, bogon filtering is a fine security blanket for those whose
scope of knowledge is not sufficient to perform a meaningful
threat/risk assessment.  As for me, I prefer to rivet horseshoes (open
end up, to catch the good luck falling from above) to the cable tray
above my racks.  Oh yeah, religiously adhering to BCP-38 as well, that
brings luck too.