Is it time to abandon bogon prefix filters?

Skywing Skywing at valhallalegends.com
Wed Aug 6 17:25:08 UTC 2008


Then again, it does make Team Cymru an attractive target for DoS or even compromise if they can control routing policy to a degree for a large number of disparate networks.  Especially if it gets in the way of for-profit spammers.

(Not trying to knock them, just providing a for consideration.  I would certainly hope and expect that Team Cymru would do their due diligence in that respect, but it seems like an attractive central point of failure to attack to me.)

- S

(Sent via dumb phone mail client, apologies for any formatting badness).

-----Original Message-----
From: Patrick W. Gilmore <patrick at ianai.net>
Sent: Wednesday, August 06, 2008 11:59
To: NANOG list <nanog at nanog.org>
Subject: Re: Is it time to abandon bogon prefix filters?

On Aug 6, 2008, at 11:46 AM, Laurence F. Sheldon, Jr. wrote:
> Leo Bicknell wrote:
>
>> Have bogon filters outlived their use?  Is it time to recommend people
>> go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that
>> doesn't need to be updated as frequently?
>
> Seems like filtering against those could be done on the backplane,
> so to speak.
>
> One of the things that has always puzzled me is this:
>
> In the default-free zone, why is it necessary to filter _against_
> anybody?  Seems like traffic for which there is no route would at
> most be dumped to an error-log someplace.
>
> For folks with a default route, I have long advocated (with no
> success whatever) filtering against stuff like the above, your own
> networks as sourced somewhere else, such.

I'm confused.  Why does it matter if you are DF or not?

If the packets are just coming in, there does not need to be a prefix
in the table.

If duplex communication is required (e.g. spam runs), a prefix needs to
be in the table whether you have a 0/0 or not.

We know spammers have done runs by announcing a block (which gets it
into the DFZ if it is not filtered properly), send spam, pull prefix.
So again, why does it matter if you have a default route or not?


> I also think a central blacklist a la spamhaus for networks makes
> sense.

See Team Cymru.

--
TTFN,
patrick
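
The "simpler bogon filter" raised in the quoted question (no 1918, Class D, Class E), sketched as an added example that is not part of the original thread. The function name, verdict labels and sample announcements are assumptions made for illustration; the sample prefixes are constructed.

```python
import ipaddress

# Static list from the thread: RFC 1918 space, Class D, Class E.
# These ranges do not change as new address space is allocated,
# so the list does not go stale the way an unallocated-space list does.
STATIC_BOGONS = [ipaddress.IPv4Network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/4",                                     # Class D
    "240.0.0.0/4",                                     # Class E
)]

def classify(prefix):
    """Return (verdict, matched_bogon) for an announced IPv4 prefix.

    "inside": the prefix lies within (or equals) a static bogon block
    "covers": the prefix is a less-specific that contains a bogon block;
              a check that only looks for more-specifics misses this case
    "accept": no overlap with the static list
    """
    net = ipaddress.IPv4Network(prefix)  # raises ValueError on bad input
    for bogon in STATIC_BOGONS:
        # Two CIDR blocks either nest or are disjoint, so these two
        # tests together cover every possible overlap.
        if net.subnet_of(bogon):
            return "inside", str(bogon)
        if bogon.subnet_of(net):
            return "covers", str(bogon)
    return "accept", None

def screen(announcements):
    """Split announced prefixes into accepted and flagged lists."""
    accepted, flagged = [], []
    for prefix in announcements:
        verdict, bogon = classify(prefix)
        if verdict == "accept":
            accepted.append(prefix)
        else:
            flagged.append((prefix, verdict, bogon))
    return accepted, flagged

# Constructed sample announcements (198.51.100.0/24 is a documentation
# prefix standing in for an ordinary routable one).
SAMPLE = ["198.51.100.0/24", "10.1.0.0/16", "172.0.0.0/8", "239.1.1.0/24"]

if __name__ == "__main__":
    ok, bad = screen(SAMPLE)
    print("accepted:", ok)
    for entry in bad:
        print("flagged:", entry)
```

This list says nothing about unallocated space, which is the part of a full bogon filter that needs the frequent updates discussed in the thread.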






