North American Network Operators Group
Re: Where are static bogon filters appropriate? was: 126.96.36.199/16 Bogons
At 04:18 PM 3/2/2007, Sean Donelan wrote:
> On Fri, 2 Mar 2007, Roland Dobbins wrote:
> > Sometimes, network operators have to take the bull by the horns and develop their own systems to do a job that vendors simply don't understand.
How do you know, if you're the one being attacked and you have no idea if the originating network or their immediate upstream implemented BCP38? Shall we just discard ingress filtering? If few attacks are using it today, should we declare it no longer relevant? At the same time we should ask if we should be x-raying shoes at the airport, since there's only been one guy who tried to blow up his shoes. The larger security question is, "do you stop looking for old threats simply because they're not the most common threats?" How many CodeRed packets flow over the Internet on a typical day? I assure you it's not zero.
The initial drafts of the document that became BCP38 were written 10 1/2 years ago, triggered by a serious problem of spoof-based attacks that were causing serious problems including serious interruption of services. The problem had a solution, but one that required cooperation among networks. The operation of the entire Internet required cooperation among networks. I don't know to what degree any sense of cooperation is left these days. Probably won't matter when Google or ATT take over the whole thing. In the meantime, the presence of an ACL line or two at the border of each edge network is NOT a significant burden. Yes, Cisco and others have implemented uRPF that can do the same thing with a bit less typing in some cases. I really don't care which mechanism is used. I do care when my network is hammered with packets. When I send reports to other networks and they can't be sure the packets came from their networks, that's not helpful.
So there, that's my rant about why we might all want to try and keep the 'net a cooperative place, and a bit about how ingress filtering continues to play a part in that cooperation.
This is pretty far from the topic of the bogon list issue with 96/8 though.
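The post's point that an ingress ACL and strict-mode uRPF are two ways of doing the same BCP38 job, as an added example that is not part of the original message or any vendor's code. The routing table (FIB), the interface names `cust0`/`cust1`/`upstream`, the ACL and the packets are all constructed here, using RFC 5737 documentation prefixes; the behaviour of ignoring the default route in the strict uRPF check mirrors Cisco IOS unless `allow-default` is configured.

```python
"""Ingress filtering (BCP38) modelled two ways: a static ingress ACL and strict uRPF.

Added illustration; the FIB, interfaces and packets below are constructed,
not taken from any real network or from the NANOG post.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed FIB of a hypothetical edge router: prefix -> egress interface.
FIB: Dict[str, str] = {
    "192.0.2.0/24": "cust0",       # customer A's assignment
    "198.51.100.0/24": "cust1",    # customer B's assignment
    "0.0.0.0/0": "upstream",       # default route toward transit
}

# The static ACL alternative: per customer-facing interface, the prefixes a
# packet arriving there may legitimately carry as its source address.
INGRESS_ACL: Dict[str, List[str]] = {
    "cust0": ["192.0.2.0/24"],
    "cust1": ["198.51.100.0/24"],
}


def lookup(fib: Dict[str, str], addr: str, allow_default: bool = True) -> Optional[str]:
    """Longest-prefix match of addr against fib; returns the egress interface.

    With allow_default=False the 0.0.0.0/0 route is not consulted, which is
    how strict uRPF behaves on Cisco IOS unless 'allow-default' is set.
    """
    ip = ipaddress.ip_address(addr)
    best_iface, best_len = None, -1
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def acl_permits(ingress_iface: str, src: str) -> bool:
    """Static ingress ACL: permit only sources inside the prefixes assigned
    to the interface the packet arrived on; anything else is dropped."""
    ip = ipaddress.ip_address(src)
    allowed = INGRESS_ACL.get(ingress_iface, [])
    return any(ip in ipaddress.ip_network(p) for p in allowed)


def urpf_strict_permits(fib: Dict[str, str], ingress_iface: str, src: str) -> bool:
    """Strict-mode uRPF: permit only if the best route back to src leaves via
    the interface the packet came in on. No per-customer ACL to maintain;
    the routing table itself is the filter."""
    return lookup(fib, src, allow_default=False) == ingress_iface


Packet = Tuple[str, str, str]  # (ingress interface, source, destination)


def filter_packets(packets: List[Packet], mode: str) -> List[Tuple[Packet, str]]:
    """Apply one BCP38 mechanism ('acl' or 'urpf') to each packet and return
    (packet, 'permit' | 'drop') pairs."""
    out = []
    for pkt in packets:
        iface, src, _dst = pkt
        ok = acl_permits(iface, src) if mode == "acl" else urpf_strict_permits(FIB, iface, src)
        out.append((pkt, "permit" if ok else "drop"))
    return out


# Constructed traffic arriving on the customer-facing interfaces.
SAMPLE_PACKETS: List[Packet] = [
    ("cust0", "192.0.2.10", "203.0.113.1"),      # legitimate source
    ("cust0", "198.51.100.7", "203.0.113.1"),    # source belongs to customer B
    ("cust0", "203.0.113.9", "192.0.2.1"),       # source outside this AS entirely
    ("cust1", "198.51.100.200", "192.0.2.5"),    # legitimate source
]

if __name__ == "__main__":
    for mode in ("acl", "urpf"):
        print(f"--- {mode} ---")
        for pkt, verdict in filter_packets(SAMPLE_PACKETS, mode):
            print(f"{pkt[0]:6} src={pkt[1]:16} {verdict}")
```

Both mechanisms reach the same verdicts on this traffic: packets whose source belongs to the interface they arrived on pass, and the two spoofed ones are dropped at the edge, which is the whole of what BCP38 asks of an edge network. The ACL needs editing whenever a customer's assignment changes; strict uRPF follows the FIB automatically but misbehaves on asymmetric routing, which is why it is usually confined to single-homed customer interfaces.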