North American Network Operators Group


Re: [c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]

  • From: Stephen Wilcox
  • Date: Fri Nov 10 08:53:56 2006

On Fri, Nov 10, 2006 at 12:54:28PM +0000, [email protected] wrote:
> > > The craziest stuff that gets announced isn't in the
> > > reserved/unallocated realm anyway so the effort seems to be
> > > disproportional to the benefits... and most issues I read about with
> > > reserved space is packets coming FROM them not TO them....
> > 
> > Steve's 100% spot-on here.  I don't have bogon filters at all and it
> > hasn't hurt me in the least.  I think the notion that this is somehow
> > a good practice needs to be quashed.
> I think there is a terminology problem here. People think
> that "bogons" means "bogus routes". From that they infer
> that bogus routes should be filtered and use the Cymru feed
> because it seems to be a no-brainer.
> The problem arises because the Cymru feed only contains 
> the low-hanging fruit. It only refers to address ranges
> that *might* be bogus and which are easy to identify. 
> The problem is that if you pick this fruit, it soon goes
> rotten and you end up filtering address ranges which are
> in use and almost certainly not bogus.
> If there were some way to have a feed of real bogons,
> i.e. address prefixes that are *KNOWN* to be bogus at
> the point in time they are in the feed, that would be
> useful for filtering. And it would likely be a best practice
> to use such a feed.
> But at the present time, such a feed does not exist.
> Also, I think that anyone contemplating creating a new
> feed should give some thought to what they are doing.
> It would be very useful to have a feed or database which
> can assign various attributes to address ranges. When there
> is only one possible attribute, bogon, then the meaning 
> of the attribute gets stretched and the feed becomes useless.
> But if there are many attributes such as
> RIR-REGISTERED then it starts to look interesting.
> Some networks might like to filter based on several
> attributes, others will just filter those with the 
> DOS-SOURCE attribute.

be careful before you open such a Pandora's box...

will this scale?

who will want to use it?

can it be exploited?

what sort of liability do you take on by becoming responsible for policing the Internet?