North American Network Operators Group


Re: Where are static bogon filters appropriate? was: Bogons

  • From: Daniel Senie
  • Date: Fri Mar 02 17:37:07 2007

At 04:18 PM 3/2/2007, Sean Donelan wrote:

On Fri, 2 Mar 2007, Roland Dobbins wrote:
Sometimes, network operators have to take the bull by the horns and develop their own systems to do a job that vendors simply don't understand.

Concur - but it seems that many seem to be looking for someone else to do this for them (or, perhaps, the lack of someone to do it for them as an excuse to do nothing at all).

How much of a problem is traffic from unallocated addresses? Backbone operators probably have NetFlow data which they could mine to find out.
On the other hand, how much of a problem is obsolete bogon filters causing every time IANA delegates another block to an RIR?

Or by the way, how much spoofed traffic uses allocated addresses?

How do you know, if you're the one being attacked and you have no idea if the originating network or their immediate upstream implemented BCP38? Shall we just discard ingress filtering? If few attacks are using it today, should we declare it no longer relevant? At the same time we should ask if we should be x-raying shoes at the airport, since there's only been one guy who tried to blow up his shoes. The larger security question is, "do you stop looking for old threats simply because they're not the most common threats?" How many CodeRed packets flow over the Internet on a typical day? I assure you it's not zero.

The initial drafts of the document that became BCP38 were written 10 1/2 years ago, triggered by a serious problem of spoof-based attacks that were causing serious problems including serious interruption of services. The problem had a solution, but one that required cooperation among networks. The operation of the entire Internet required cooperation among networks. I don't know to what degree any sense of cooperation is left these days. Probably won't matter when Google or ATT take over the whole thing. In the meantime, the presence of an ACL line or two at the border of each edge network is NOT a significant burden. Yes, Cisco and others have implemented uRPF that can do the same thing with a bit less typing in some cases. I really don't care which mechanism is used. I do care when my network is hammered with packets. When I send reports to other networks and they can't be sure the packets came from their networks, that's not helpful.

So there, that's my rant about why we might all want to try and keep the 'net a cooperative place, and a bit about how ingress filtering continues to play a part in that cooperation.

This is pretty far from the topic of the bogon list issue with 96/8 though.
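The two filters argued about in this thread, as an added example that is not part of the original post or of any vendor's implementation: a small Python simulation of BCP38 ingress filtering at a customer edge and of a static bogon filter at a peering border, run over constructed flow records. The prefixes, customer assignment and flow records are invented for illustration; the only fact taken from outside the thread is that IANA delegated 96.0.0.0/8 to ARIN in 2006, which is what makes a bogon list that still carries 96/8 "obsolete" in the sense the thread describes.

```python
"""
Added example (not from the NANOG thread): simulate the two filters the
post discusses over constructed flow records.

  * BCP38 ingress filtering at a customer-facing edge: accept a packet only
    if its source lies inside the prefixes assigned to that customer.
  * A static bogon filter at a peering border: drop sources inside
    unallocated space, and measure how much legitimate traffic a list that
    was not updated after IANA delegated 96/8 (to ARIN, 2006) throws away.

Only the standard library is used.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the prefixes assigned to the customer behind this edge port.
# RFC 5737 documentation ranges stand in for real allocations here, so they
# are deliberately left off the constructed bogon lists below.
CUSTOMER_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed bogon lists. The stale one still carries 96.0.0.0/8.
STALE_BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "96.0.0.0/8", "127.0.0.0/8",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4")]
CURRENT_BOGONS = [net for net in STALE_BOGONS if net != ip_network("96.0.0.0/8")]

# Constructed flow records: (source, destination, packet count).
CUSTOMER_EDGE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 120),   # genuine customer source
    ("203.0.113.9",  "192.0.2.10", 30),    # second assigned prefix
    ("192.0.2.200",  "192.0.2.10", 5000),  # spoofed: not a customer prefix
    ("10.1.1.1",     "192.0.2.10", 40),    # spoofed RFC 1918 source
]
PEERING_FLOWS = [
    ("96.1.2.3",      "192.0.2.10", 700),  # legitimate, inside delegated 96/8
    ("203.0.113.77",  "192.0.2.10", 250),  # legitimate
    ("172.16.5.5",    "192.0.2.10", 900),  # spoofed private source
    ("240.0.0.1",     "192.0.2.10", 60),   # reserved space
]


def in_any(addr, prefixes):
    """True if addr falls inside any network in prefixes."""
    return any(addr in net for net in prefixes)


def bcp38_accept(src, customer_prefixes):
    """BCP38 rule on a customer-facing interface: the source must be one the
    customer was assigned; anything else is treated as spoofed."""
    return in_any(ip_address(src), customer_prefixes)


def bogon_accept(src, bogons):
    """Static bogon rule: the source must not be in unallocated/reserved space."""
    return not in_any(ip_address(src), bogons)


def customer_edge_verdicts(flows, customer_prefixes):
    """Tally packets accepted or dropped by BCP38 at the customer edge."""
    tally = Counter()
    for src, _dst, packets in flows:
        key = "accept" if bcp38_accept(src, customer_prefixes) else "drop:spoofed"
        tally[key] += packets
    return tally


def peering_border_verdicts(flows, bogons):
    """Tally packets accepted or dropped by a static bogon filter at a border."""
    tally = Counter()
    for src, _dst, packets in flows:
        key = "accept" if bogon_accept(src, bogons) else "drop:bogon"
        tally[key] += packets
    return tally


def stale_filter_collateral(flows, stale, current):
    """Packets a stale bogon list drops that an up-to-date list would accept:
    the cost of not refreshing the filter after an IANA delegation."""
    return sum(packets for src, _dst, packets in flows
               if not bogon_accept(src, stale) and bogon_accept(src, current))


if __name__ == "__main__":
    print("customer edge (BCP38):", dict(customer_edge_verdicts(CUSTOMER_EDGE_FLOWS, CUSTOMER_PREFIXES)))
    print("border, stale bogons:  ", dict(peering_border_verdicts(PEERING_FLOWS, STALE_BOGONS)))
    print("border, current bogons:", dict(peering_border_verdicts(PEERING_FLOWS, CURRENT_BOGONS)))
    print("legitimate packets lost to stale list:",
          stale_filter_collateral(PEERING_FLOWS, STALE_BOGONS, CURRENT_BOGONS))
```

The two vantage points are kept separate on purpose: at the customer edge the operator knows exactly which prefixes were assigned, so BCP38 needs no bogon list at all, while at a peering border that knowledge is absent and a static bogon list is the only cheap check available, which is precisely why it must be refreshed whenever IANA delegates a block.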