BGP conf

Jeff Wheeler jsw at inconcepts.biz
Wed Nov 2 21:19:11 CDT 2011


On Wed, Nov 2, 2011 at 10:04 PM, Jack Bates <jbates at brightok.net> wrote:
> Have to read the current cymru bgp templates?
>
> ! manner. Why not consider peering with our globally distributed bogon
> ! route-server project? Alternately you can obtain a current and well

I'm not telling you something you don't already know, but for the
novices who regard this list as a source of expertise, I will explain
in greater detail why this is a really dumb idea.

If you took a list of bogons over eBGP from Cymru, you would get
unused /8s and similar.  What you don't get is a route that matches
whatever silly thing someone on the DFZ accidentally leaked: a
more-specific that will still cause you to route traffic to their
leaked prefix out to the Internet (and presumably, to their network.)

There is nothing good about this.  It's just adding unnecessary
complexity for no operational benefit.  There is bad about it.  It
adds complexity and risk.  What is that risk?  If you decide that the
Cymru "distributed bogon route-server" is for you, and simply rewrite
next-hops received on that session to Null0, it is possible that Cymru
could make an error, or otherwise introduce non-bogon routes into your
network as if they were bogons, causing black-holes.  This is
obviously too much to risk for something that has no operational
benefit.

The Cymru guys do many positive things.  One of the more questionable
things they do, though, is operate a route-server with the intention
of black-holing botnet C&C IPs on a very wide scale.  This is
certainly a positive thing to do, but it was not done in a transparent
manner; and in fact didn't even have management approval at Cogent
when they configured it on their network.  There was no established
channel to find out why your IP address appeared on this list or to
get it removed.  All it took for me to get the whole idea canned at
Cogent was one inquiry to management, asking why engineers had quietly
started using a clandestine blackhole list operated by a third-party
and would not give any answers to a customer if one of their IPs
appeared on that list.  The IP address I inquired about was certainly
not a botnet C&C node, and how it ended up on that list is a mystery.
I'm not saying there was any malicious intent, but it was a mistake at
least.

Trusting that "bogon" black-hole list to do something you don't even
need to do anyway is not smart.  It's *especially* not smart for some
novice who doesn't understand the implications of his decision.  This
is the danger of "cut & paste engineering."

-- 
Jeff S Wheeler <jsw at inconcepts.biz>
Sr Network Operator  /  Innovative Network Concepts



More information about the NANOG mailing list