North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Where are static bogon filters appropriate? was: Bogons

  • From: Roland Dobbins
  • Date: Fri Mar 02 09:08:03 2007
  • Authentication-results: ind-dkim-2; [email protected]; dkim=pass ( sig from verified; );
  • Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2619; t=1172844280; x=1173708280; c=relaxed/simple; s=inddkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version;; [email protected]; z=From:=20Roland=20Dobbins=20<[email protected]> |Subject:=20Re=3A=20Where=20are=20static=20bogon=20filters=20appropriate? =20was=3A=2096.2.0.0/16=20Bogons |Sender:=20; bh=jvDlEwdbedpL0EmUhayZlKGLKuUuVqPX/jVw97pRWh8=; b=fq/N2daEME2h5qOh3us9SaUFPxz6p9M69n+Z69QItLl1Plji6rFjVk6UDYGOfR6KwvXd6RXv J16k6sEux0VhT9M3YfzE5qweqrylqrJdzK366RbTbkxyY5N5pf7EaicU;

On Mar 2, 2007, at 4:12 AM, Robert E. Seastrom wrote:

uRPF isn't always adequate for all antispoofing cases, as you know. What about iACLs?

filtering by end sites is the sort of thing that is recommended by
"experts" for whom "security" is an end in and of itself, rather than
a component of the arsenal you bring forth (backups, DR, spares,
multihoming, etc) to improve uptime and business availability and
decrease potential risk.

I don't claim to be an 'expert' at anything, but I most certainly - do- recommend bogon filtering, along with multihoming, infrastructure self-protection measures (iACLs, rACLs, CoPP, core-hiding, et. al.), various antispoofing techniques (all the way down to layer-2 where possible), instrumentation and telemetry, anomaly-detection, reaction tools, layer-7 things like backup and DR, layer-8 things like sparing, and so forth. And my goal isn't 'security', it's a resilient Internet infrastructure which keeps the packets flowing so that the users can access the applications which are the point of the whole exercise.

I'm not the only one who thinks like that, either. So, painting us all with the same broad brush hardly seems fair, does it?

Rejecting bogon filtering out of hand because it isn't effortless to maintain doesn't make much sense to me. After all, if one's being a good Internet neighbor, one's doing ingress filtering (routes and packets) from one's customers and egress filtering (routes and packets) to one's peers/transits/customers, anyways; one will see more churn there than in the bogon lists.

It's also part of the very basic protections which ought to be provided to one's customers. No, the SP can't be the 'Internet firewall' for customers, and, no, the SP can't be expected to keep the customer magically protected from all the Bad Things which can happen to him (and for free, naturally), but protecting one's customers from being spammed/packeted from purported source addresses which are by definition nonsensical (as well as protecting everyone else's customers from same) doesn't seem much to ask.

What's needed here are better/easier/less brittle mechanisms for same. Until such time as they're invented and deployed, let's not make the perfect the enemy of the merely good, yes?

Roland Dobbins <[email protected]> // 408.527.6376 voice

The telephone demands complete participation.

-- Marshall McLuhan