69/8...this sucks

Larry J. Blunk ljb at merit.edu
Tue Mar 11 21:00:33 UTC 2003



  Apologies for the poor attempt at humor...  However, there
is some useful content at the end of the message.

  Essentially, I think this is one of those problems that can
never fully be solved.  Just as we will never get every last
worm-infected host off the network.

  The best that we can do is provide procedures for those who
filter on unallocated space so that they can keep their
filters updated on a timely and accurate basis.

  For those who do not wish to use such procedures, we
should stridently urge them to filter only on martians,
not unallocated space.

 -Larry Blunk
  Merit


> I agree.
> 
> -----Original Message-----
> From: Rick Duff [mailto:rduff at qwest.net]
> Sent: Tuesday, March 11, 2003 2:09 PM
> To: 'Larry J. Blunk'; 'Andy Dills'
> Cc: 'Ejay Hire'; nanog at merit.edu
> Subject: RE: 69/8...this sucks 
> 
> 
> 
> I've never posted to the list, just lurk, for over a year now, but this
> has to be said. Can we please take this discussion off-list to private
> conversation. It's gotten worse than spam. I see a nanog message and
> just start deleting them now.
> 
> -rd
> 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Larry J. Blunk
> Sent: Tuesday, March 11, 2003 1:01 PM
> To: Andy Dills
> Cc: Ejay Hire; nanog at merit.edu
> Subject: Re: 69/8...this sucks 
> 
> 
> 
> > 
> > On Tue, 11 Mar 2003, Ejay Hire wrote:
> > 
> > > Er, guys...  How does this fix the problem of a Malicious user
> > > advertising a more specific bogon route?
> > 
> > Come on...clearly you haven't been paying attention.
> > 
> > You need LDAP filters. LDAP filters and a South Vietnamese revolution
> > against the IRRs for being fragmented and greedy.
> 
>   Careful.  We are watching and are prepared to ruthlessly squash
> any attempted rebellion.
> 
> > 
> > And if that doesn't poison your inverse arp, then multiplex a private
> > bogon server with a centralized host scanner-based DNSBL. Don't forget the
> > trailing dot! And don't forget to invert the subnet mask!
> > 
> 
>    Hey, I've already thought of all that and captured it in an
> XML schema (with ASN.1 encoding)!  I will be presenting an Internet
> Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings. 
> 
> 
>    Seriously...  As has been suggested, I think we need to do
> a better job of identifying the population and type of devices
> that are filtering these prefixes.  Are they really predominately
> BGP speaking routers, or largely some mishmash of non-BGP speaking
> firewalls/proxies/NAT's?
> 
>    If it's the former, then a BGP based solution has some merit.
> If the latter, I think it unreasonable to expect these
> firewalls to speak BGP.  What's needed is a canonical
> representation of the bogon list and some tools to generate
> the filter list in the appropriate config format for a number
> of target devices.
> 
>    There's already a canonical list maintained by Rob Thomas
> in the RADB (see fltr-martian, fltr-unallocated, and
> fltr-bogons).   I've suggested to Rob that he may want
> to include a PGP signature in a remarks section of the object
> to provide a greater level of confidence (hopefully with
> a key that's escrowed somehow -- god forbid anything should
> happen to Rob).  I should also note that some of the
> RIR's have indicated they will be providing more
> precise information on their unallocated space.
> 
>    As far as tools go, while IRRToolSet has extensive
> support for RPSL, it may be too complex for a novice
> Net admin.  Perhaps some simple Perl scripts to generate
> filter configs from RPSL filter objects would be useful?
> 
> 
>  Larry Blunk
>  Merit
> 
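The two practical points in the thread above are (a) that filters on unallocated space go stale unless they are regenerated from a canonical source on a schedule, and (b) that a simple script to turn an RPSL filter object into device config would help the non-BGP firewall/NAT population. The following is an added example written for this archive page, not code from Larry Blunk, Merit or the RADB, and it is in Python rather than the Perl the message suggests. The RPSL object text, the filter-set names, the prefix list and the "deployed" stale filter are all constructed samples for illustration; the real fltr-martian / fltr-unallocated objects are longer and change over time, and the Cisco IOS and iptables syntax emitted should be checked against the target platform before use.

```python
"""Generate device filters from an RPSL filter-set and flag stale entries.

Added example for the NANOG archive page; not part of the original thread.
All RPSL text below is a constructed sample, not the real RADB objects.
"""
import ipaddress
import re

# Constructed sample in the style of a RADB filter-set object. The '^-'
# operator in RPSL means "this prefix and all of its more-specifics".
SAMPLE_RPSL = """\
filter-set:  fltr-martian
descr:       Constructed sample for illustration
filter:      { 0.0.0.0/8^-, 10.0.0.0/8^-, 127.0.0.0/8^-,
               169.254.0.0/16^-, 172.16.0.0/12^-, 192.0.2.0/24^-,
               192.168.0.0/16^-, 224.0.0.0/4^-, 240.0.0.0/4^- }
remarks:     ^- means "this prefix and all more-specifics"
mnt-by:      MAINT-EXAMPLE
source:      RADB
"""

# Constructed sample of an unallocated-space filter nobody refreshed: it still
# lists 69.0.0.0/8, the block the thread is about, which the canonical object
# above no longer carries.
STALE_DEPLOYED = """\
filter-set:  fltr-unallocated-stale
descr:       Constructed sample of a filter that was never updated
filter:      { 10.0.0.0/8^-, 69.0.0.0/8^- }
source:      RADB
"""

_TERM = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(\^-)?")


def parse_filter_set(text):
    """Return [(IPv4Network, more_specifics: bool), ...] from the filter: attribute.

    RPSL continuation lines begin with whitespace. Only plain prefixes, with or
    without the '^-' range operator, are accepted; anything else is rejected
    rather than silently turned into a filter that matches the wrong thing.
    """
    body, in_filter = [], False
    for line in text.splitlines():
        if line.startswith("filter:"):
            in_filter = True
            body.append(line.split(":", 1)[1])
        elif in_filter and line[:1].isspace():
            body.append(line)
        else:
            in_filter = False
    joined = " ".join(body).strip().strip("{} ")
    prefixes = []
    for tok in (t.strip() for t in joined.split(",")):
        if not tok:
            continue
        m = _TERM.fullmatch(tok)
        if not m:
            raise ValueError(f"unsupported filter term: {tok!r}")
        # strict=True rejects host bits set in the prefix (a typo in the object)
        prefixes.append((ipaddress.ip_network(m.group(1), strict=True), m.group(2) == "^-"))
    return prefixes


def ios_prefix_list(name, prefixes):
    """Cisco IOS prefix-list: deny each entry ('le 32' covers more-specifics),
    then permit everything else so the list can be applied as a route filter."""
    out, seq = [], 5
    for net, more_specific in prefixes:
        out.append(f"ip prefix-list {name} seq {seq} deny {net}" + (" le 32" if more_specific else ""))
        seq += 5
    out.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return out


def iptables_rules(chain, prefixes):
    """netfilter rules for a non-BGP host or firewall. A '-s prefix' match already
    covers every more-specific, so the '^-' operator needs no translation."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net, _ in prefixes]


def stale_entries(deployed, current):
    """Prefixes in a deployed filter that the current canonical object no longer
    lists: candidates for space that has since been allocated and must be removed."""
    current_set = {net for net, _ in current}
    return [net for net, _ in deployed if net not in current_set]


if __name__ == "__main__":
    martians = parse_filter_set(SAMPLE_RPSL)
    print("\n".join(ios_prefix_list("MARTIANS", martians)))
    print()
    print("\n".join(iptables_rules("BOGONS", martians)))
    for net in stale_entries(parse_filter_set(STALE_DEPLOYED), martians):
        print(f"stale: {net} is no longer in the canonical object; remove it from the deployed filter")
```

Run on a schedule against a freshly fetched object (e.g. a `whois -h whois.radb.net fltr-martian` dump), the stale check is the part that addresses the 69/8 complaint: it reports any prefix still being dropped that the canonical list has since retired, instead of leaving the operator to notice from customer reachability reports.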


