69/8...this sucks

Larry J. Blunk ljb at merit.edu
Tue Mar 11 20:01:01 UTC 2003



> 
> On Tue, 11 Mar 2003, Ejay Hire wrote:
> 
> > Er, guys...  How does this fix the problem of a Malicious user
> > advertising a more specific bogon route?
> 
> Come on...clearly you haven't been paying attention.
> 
> You need LDAP filters. LDAP filters and a South Vietnamese revolution
> against the IRRs for being fragmented and greedy.

  Careful.  We are watching and are prepared to ruthlessly squash
any attempted rebellion.

> 
> And if that doesn't poison your inverse arp, then multiplex a private
> bogon server with a centralized host scanner-based DNSBL. Don't forget the
> trailing dot! And don't forget to invert the subnet mask!
> 

   Hey, I've already thought of all that and captured it in an
XML schema (with ASN.1 encoding)!  I will be presenting an Internet
Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings. 


   Seriously...  As has been suggested, I think we need to do
a better job of identifying the population and type of devices
that are filtering these prefixes.  Are they really predominately
BGP speaking routers, or largely some mishmash of non-BGP speaking
firewalls/proxies/NATs?

   If it's the former, then a BGP based solution has some merit.
If the latter, I think it unreasonable to expect these
firewalls to speak BGP.  What's needed is a canonical
representation of the bogon list and some tools to generate
the filter list in the appropriate config format for a number
of target devices.

   There's already a canonical list maintained by Rob Thomas
in the RADB (see fltr-martian, fltr-unallocated, and
fltr-bogons).   I've suggested to Rob that he may want
to include a PGP signature in a remarks section of the object
to provide a greater level of confidence (hopefully with
a key that's escrowed somehow -- god forbid anything should
happen to Rob).  I should also note that some of the
RIRs have indicated they will be providing more
precise information on their unallocated space.

   As far as tools go, while IRRToolSet has extensive
support for RPSL, it may be too complex for a novice
Net admin.  Perhaps some simple Perl scripts to generate
filter configs from RPSL filter objects would be useful?


 Larry Blunk
 Merit
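The kind of tool Larry asks for above, as an added example that is not part of the original thread (written in Python rather than the Perl he suggests): a small parser for an RPSL filter-set object that turns each prefix term into a Cisco IOS prefix-list entry for BGP speakers and into iptables rules for the non-BGP firewalls. The filter-set below is a constructed sample with an invented name, not the actual RADB fltr-bogons object.

```python
import re
from ipaddress import ip_network

# Constructed sample RPSL filter-set; not the real RADB fltr-bogons object.
RPSL_SAMPLE = """\
filter-set:  fltr-bogons-example
filter:      { 0.0.0.0/8^+, 10.0.0.0/8^+, 127.0.0.0/8^+,
               192.0.2.0/24, 198.18.0.0/15^- }
source:      RADB
"""

# IPv4 prefix plus an optional RPSL range operator: ^+, ^-, ^n or ^n-m.
PREFIX_RE = re.compile(r"(\d+(?:\.\d+){3}/\d+)(\^[+-]|\^\d+(?:-\d+)?)?")

def parse_filter_set(text):
    """Return (name, [(network, ge, le), ...]) for one RPSL filter-set."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and key:      # RPSL continuation line
            attrs[key] += " " + line.strip()
        elif line.strip():
            key, _, val = line.partition(":")
            key = key.strip()
            attrs[key] = val.strip()
    entries = []
    for pfx, op in PREFIX_RE.findall(attrs["filter"]):
        net = ip_network(pfx)               # strict: rejects host bits set
        if op == "^+":                      # the prefix and all more specifics
            ge, le = net.prefixlen, 32
        elif op == "^-":                    # more specifics only, not the prefix
            ge, le = net.prefixlen + 1, 32
        elif op:                            # ^n or ^n-m: explicit length range
            lo, _, hi = op[1:].partition("-")
            ge, le = int(lo), int(hi or lo)
        else:                               # bare prefix: exact match only
            ge, le = net.prefixlen, net.prefixlen
        entries.append((net, ge, le))
    return attrs["filter-set"], entries

def to_ios_prefix_list(name, entries):
    """Cisco IOS prefix-list: one deny per RPSL term, then permit the rest."""
    rules = [f"ip prefix-list {name} deny {net}"
             + (f" ge {ge}" if ge > net.prefixlen else "")
             + (f" le {le}" if le > net.prefixlen else "")
             for net, ge, le in entries]
    return rules + [f"ip prefix-list {name} permit 0.0.0.0/0 le 32"]

def to_iptables(entries):
    """Packet filter: range operators are moot, drop anything inside each net."""
    return [f"iptables -A INPUT -s {net} -j DROP" for net, _, _ in entries]
```

For the BGP target the RPSL range operator matters (a bare prefix denies only that exact route, `^-` only its more specifics), whereas a packet filter drops any source address inside the network regardless, which is why the two generators differ.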



