North American Network Operators Group


Re: Is it time to abandon bogon prefix filters?

  • From: Robert E. Seastrom
  • Date: Fri Aug 15 11:12:15 2008

Sean Donelan <[email protected]> writes:

> On Fri, 15 Aug 2008, Robert E. Seastrom wrote:
>> so is there any case to be made for filtering bogons on
>> upstream/peering ingress at all anymore?
>
> Depends on where and how.
>
> On highly managed routers at highly managed interconnection points around
> the Internet, having some basic packet hygiene checks can serve as a
> "fire break" to keep the effectiveness of large scale attacks with
> reserved/unallocated address low.
> ...
> Again, I think bogon filters are a bad idea for unmanaged or
> semi-managed routers (or inclusion as a "default" in anything,
> i.e. Cisco's auto-secure).

You make a very good point about the difference between routers that
are being routinely maintained by highly clueful people and routers
that are in the field and untouched/unloved for months to years at a
time.  The latter is the situation that I was thinking of when I was
talking about the operational hit from the overzealous bogon filters.
Problem is, when we post BCPs they tend to assume a flat application
space (which is a bad plan) or people tend to assume that they are
more clueful or the routers will be better maintained than they
actually will be (the "airport diamond security lane for expert
travelers" problem).

                                        ---Rob
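The operational hit Rob describes comes from bogon filters written once and never revisited: space that was unallocated when the ACL was built gets allocated later, and the stale entry silently drops legitimate traffic. The script below is an added example, not code from this thread or from NANOG; it audits a static bogon list against a list of prefixes allocated since the filter was written and reports the entries that would now cause collateral damage. Both prefix lists are constructed for illustration (a real audit would take the allocation data from the IANA registry or a maintained bogon feed), and the function names are the example's own.

```python
"""Audit a static bogon ingress filter against a current allocation list.

Added example, not from the NANOG thread. The prefix lists are
constructed stand-ins: a real audit would feed in the IANA IPv4
registry or a maintained bogon feed instead.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-in for a bogon ACL written years ago and left alone.
STALE_FILTER = [
    "0.0.0.0/8",       # "this" network, permanently reserved
    "10.0.0.0/8",      # RFC 1918 private space
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "192.168.0.0/16",  # RFC 1918 private space
    "224.0.0.0/3",     # multicast and class E
    "1.0.0.0/8",       # unallocated when the filter was written (2008)
    "14.0.0.0/8",      # likewise
]

# Constructed stand-in for "what the registry has allocated since".
ALLOCATED_SINCE = ["1.0.0.0/8", "14.0.0.0/8"]


def stale_entries(bogon_filter, allocated):
    """Return (entry, [allocated prefixes it overlaps]) for every filter
    entry that now blocks allocated space.

    Overlap rather than equality is tested so that a coarse supernet
    entry which swallows a newly allocated block is reported as well.
    """
    allocated_nets = [ip_network(p) for p in allocated]
    stale = []
    for entry in bogon_filter:
        net = ip_network(entry)
        hits = [str(a) for a in allocated_nets if net.overlaps(a)]
        if hits:
            stale.append((entry, hits))
    return stale


def prune(bogon_filter, allocated):
    """Return the filter with every stale entry removed, leaving only the
    permanently reserved space that is safe to keep on an unattended box."""
    stale = {entry for entry, _ in stale_entries(bogon_filter, allocated)}
    return [entry for entry in bogon_filter if entry not in stale]


def would_drop(bogon_filter, address):
    """True if an ingress ACL built from bogon_filter would drop packets
    sourced from `address`; useful for checking a known-good peer's
    address before the filter is pushed to a router nobody will revisit."""
    addr = ip_address(address)
    return any(addr in ip_network(entry) for entry in bogon_filter)


if __name__ == "__main__":
    for entry, hits in stale_entries(STALE_FILTER, ALLOCATED_SINCE):
        print(f"stale: {entry} now overlaps allocated {', '.join(hits)}")
    print("pruned filter:", prune(STALE_FILTER, ALLOCATED_SINCE))
    print("1.2.3.4 dropped by old filter:", would_drop(STALE_FILTER, "1.2.3.4"))
```

The audit is deliberately overlap-based: an entry such as 0.0.0.0/1 would be flagged if any allocated block falls inside it, which catches the coarse "everything not yet allocated" entries that age worst. For the unmanaged-router case in the thread, the pruned list (permanently reserved space only) is the part of the filter that does not need a maintenance schedule.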