North American Network Operators Group


Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]

  • From: Stephen Wilcox
  • Date: Fri Nov 10 08:53:56 2006

On Fri, Nov 10, 2006 at 12:54:28PM +0000, [email protected] wrote:
> 
> > > The craziest stuff that gets announced isn't in the
> > > reserved/unallocated realm anyway so the effort seems to be
> > > disproportional to the benefits... and most issues I read about with
> > > reserved space is packets coming FROM them not TO them....
> > 
> > Steve's 100% spot-on here.  I don't have bogon filters at all and it
> > hasn't hurt me in the least.  I think the notion that this is somehow
> > a good practice needs to be quashed.
> 
> I think there is a terminology problem here. People think
> that "bogons" means "bogus routes". From that they infer
> that bogus routes should be filtered and use the Cymru feed
> because it seems to be a no-brainer.
> 
> The problem arises because the Cymru feed only contains 
> the low-hanging fruit. It only refers to address ranges
> that *might* be bogus and which are easy to identify. 
> The problem is that if you pick this fruit, it soon goes
> rotten and you end up filtering address ranges which are
> in use and almost certainly not bogus.
> 
> If there were some way to have a feed of real bogons,
> i.e. address prefixes that are *KNOWN* to be bogus at
> the point in time they are in the feed, that would be
> useful for filtering. And it would likely be a best practice
> to use such a feed.
> 
> But at the present time, such a feed does not exist.
> 
> Also, I think that anyone contemplating creating a new
> feed should give some thought to what they are doing.
> It would be very useful to have a feed or database which
> can assign various attributes to address ranges. When there
> is only one possible attribute, bogon, then the meaning 
> of the attribute gets stretched and the feed becomes useless.
> But if there are many attributes such as
> UNALLOCATED, UNASSIGNED, DOS-SOURCE, SPAM-SOURCE,
> RIR-REGISTERED then it starts to look interesting.
> Some networks might like to filter based on several
> attributes, others will just filter those with the 
> DOS-SOURCE attribute.

how about PORN-SOURCE, COMMUNIST-SOURCE, DEMOCRACY-SOURCE, TERRORIST-SOURCE, RIGHT-WING-CHRISTIAN-SOURCE, COURT-ISSUED-LIBEL-CASE-SOURCE

be careful before you open such a Pandora's box...

will this scale?

who will want to use it?

can it be exploited?

what sort of liability do you take on by becoming responsible for policing the Internet?

Steve
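The attribute-tagged feed the quoted message proposes, as an added example that is not code from the thread, from Team Cymru or from any real feed: each prefix carries a set of attributes and an expiry, so entries age out instead of filtering space that has since been allocated, and a policy selects prefixes by attribute (any-of or all-of). The prefixes, attributes and dates are constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed feed: (prefix, attributes, valid_until as ISO-8601 with offset).
# Hypothetical data in documentation/private ranges; not a real feed.
FEED = [
    ("198.51.100.0/24", {"DOS-SOURCE"}, "2006-11-17T00:00:00+00:00"),
    ("203.0.113.0/24", {"SPAM-SOURCE", "RIR-REGISTERED"}, "2006-11-17T00:00:00+00:00"),
    ("192.0.2.0/24", {"UNALLOCATED"}, "2006-11-01T00:00:00+00:00"),  # already expired
    ("10.0.0.0/8", {"UNALLOCATED"}, "2007-01-01T00:00:00+00:00"),
]

def parse_feed(entries, now_iso):
    """Return (network, attrs) pairs still valid at now_iso. Expired entries are
    dropped, which is how the feed avoids 'going rotten': an UNALLOCATED entry
    that the publisher has not renewed stops being filtered."""
    now = datetime.fromisoformat(now_iso)
    live = []
    for prefix, attrs, until in entries:
        if datetime.fromisoformat(until) > now:
            live.append((ipaddress.ip_network(prefix, strict=True), frozenset(attrs)))
    return live

def select_prefixes(live, wanted, require_all=False):
    """Choose prefixes to filter. With require_all=False any one attribute in
    `wanted` selects the prefix; with require_all=True every attribute must be present."""
    chosen = []
    for net, attrs in live:
        hit = attrs >= wanted if require_all else bool(attrs & wanted)
        if hit:
            chosen.append(net)
    return sorted(chosen, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def is_filtered(addr, selected):
    """The check a route or packet filter makes: does addr fall in a selected prefix?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in selected)

def to_prefix_list(selected, name):
    """Render the selection as IOS-style prefix-list lines (illustrative output)."""
    lines = [f"ip prefix-list {name} seq {10 * (i + 1)} deny {net}"
             for i, net in enumerate(selected)]
    lines.append(f"ip prefix-list {name} seq {10 * (len(selected) + 1)} permit 0.0.0.0/0 le 32")
    return lines

if __name__ == "__main__":
    live = parse_feed(FEED, "2006-11-10T00:00:00+00:00")
    print("\n".join(to_prefix_list(select_prefixes(live, {"DOS-SOURCE"}), "BLOCK-DOS")))
```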