North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Is it time to abandon bogon prefix filters?
Sean Donelan <[email protected]> writes: > On Fri, 15 Aug 2008, Robert E. Seastrom wrote: >> so is there any case to be made for filtering bogons on >> upstream/peering ingress at all anymore? > > Depends on where and how. > > On highly managed routers at highly managed interconnection points around > the Internet, having some basic packet hygiene checks can serve as a > "fire breaks" to keep the effectiveness of large scale attacks with > reserved/unallocated address low. > ...> > Again, I think bogon filters are a bad idea for unmanaged or > semi-managed routers (or inclusion as a "default" in anything, > i.e. Cisco's auto-secure). You make a very good point about the difference between routers that are being routinely maintained by highly clueful people and routers that are in the field and untouched/unloved for months to years at a time. The latter is the situation that I was thinking of when I was talking about the operational hit from the overzealous bogon filters. Problem is, when we post BCPs they tend to assume a flat application space (which is a bad plan) or people tend to assume that they are more clueful or the routers will be better maintained than they actually will be (the "airport diamond security lane for expert travelers" problem). ---Rob
|