69/8...this sucks
Larry J. Blunk
ljb at merit.edu
Tue Mar 11 21:00:33 UTC 2003
Apologies for the poor attempt at humor... However, there
is some useful content at the end of the message.
Essentially, I think this is one of those problems that can
never fully be solved. Just as we will never get every last
worm-infected host off the network.
The best that we can do is provide procedures for those who
filter on unallocated space so that they can keep their
filters updated on a timely and accurate basis.
For those who do not wish to use such procedures, we
should stridently urge them to filter only on martians,
not unallocated space.
-Larry Blunk
Merit
> I agree.
>
> -----Original Message-----
> From: Rick Duff [mailto:rduff at qwest.net]
> Sent: Tuesday, March 11, 2003 2:09 PM
> To: 'Larry J. Blunk'; 'Andy Dills'
> Cc: 'Ejay Hire'; nanog at merit.edu
> Subject: RE: 69/8...this sucks
>
>
>
> I've never posted to the list, just lurk, for over a year now, but this
> has to be said. Can we please take this discussion off-list to private
> conversation. It's gotten worse than spam. I see a nanog message and
> just start deleting them now.
>
> -rd
>
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Larry J. Blunk
> Sent: Tuesday, March 11, 2003 1:01 PM
> To: Andy Dills
> Cc: Ejay Hire; nanog at merit.edu
> Subject: Re: 69/8...this sucks
>
>
>
> >
> > On Tue, 11 Mar 2003, Ejay Hire wrote:
> >
> > > Er, guys... How does this fix the problem of a Malicious user
> > > advertising a more specific bogon route?
> >
> > Come on...clearly you haven't been paying attention.
> >
> > You need LDAP filters. LDAP filters and a South Vietnamese revolution
> > against the IRRs for being fragmented and greedy.
>
> Careful. We are watching and are prepared to ruthlessly squash
> any attempted rebellion.
>
> >
> > And if that doesn't poison your inverse arp, then multiplex a private
> > bogon server with a centralized host scanner-based DNSBL. Don't forget
> the
> > trailing dot! And don't forget to invert the subnet mask!
> >
>
> Hey, I've already thought of all that and captured it in an
> XML schema (with ASN.1 encoding)! I will be presenting an Internet
> Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings.
>
>
> Seriously... As has been suggested, I think we need to do
> a better job of identifying the population and type of devices
> that are filtering these prefixes. Are they really predominately
> BGP speaking routers, or largely some mishmash of non-BGP speaking
> firewalls/proxies/NAT's?
>
> If it's the former, then a BGP based solution has some merit.
> If the latter, I think it unreasonable to expect these
> firewalls to speak BGP. What's needed is a canonical
> representation of the bogon list and some tools to generate
> the filter list in the appropriate config format for a number
> of target devices.
>
> There's already a canonical list maintained by Rob Thomas
> in the RADB (see fltr-martian, fltr-unallocated, and
> fltr-bogons). I've suggested to Rob that he may want
> to include a PGP signature in a remarks section of the object
> to provide a greater level of confidence (hopefully with
> a key that's escrowed somehow -- god forbid anything should
> happen to Rob). I should also note that some of the
> RIRs have indicated they will be providing more
> precise information on their unallocated space.
>
> As far as tools go, while IRRToolSet has extensive
> support for RPSL, it may be too complex for a novice
> Net admin. Perhaps some simple Perl scripts to generate
> filter configs from RPSL filter objects would be useful?
>
>
> Larry Blunk
> Merit
>
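The quoted message asks for a canonical bogon list plus tools that turn an RPSL filter object into config for whatever is actually doing the filtering, and the reply above asks for a procedure that lets people who filter on unallocated space keep their filters current. The script below is an added example that does both; it is not code from the RADB, IRRToolSet, or either poster, and it is written in Python rather than the Perl the message suggests. The filter-set object text, the "fltr-example-bogons" name, and the ALLOCATED_SINCE list are constructed sample data, not the contents of the real fltr-martian / fltr-unallocated / fltr-bogons objects.

```python
# Added example: RPSL filter-set -> device filter configs, plus a staleness check.
# Not code from the RADB, IRRToolSet or the posters; all sample data is constructed.
import ipaddress
import re
from collections import namedtuple

# Constructed filter-set object in RPSL syntax (RFC 2622); the filter: value
# spans continuation lines, as real IRR objects often do.
SAMPLE_FILTER_SET = """\
filter-set:   fltr-example-bogons
descr:        constructed example, not the real fltr-bogons object
filter:       { 0.0.0.0/8^+, 10.0.0.0/8^+, 127.0.0.0/8^+,
              169.254.0.0/16^+, 172.16.0.0/12^+, 192.168.0.0/16^+,
              69.0.0.0/8^+, 198.18.0.0/15^16-32, 192.0.2.0/24 }
mnt-by:       MAINT-EXAMPLE
source:       RADB
"""

# A prefix plus the range of prefix lengths it covers (ge..le).
FilterEntry = namedtuple("FilterEntry", "network ge le")
_TERM_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)(?:\^(\+|-|\d+(?:-\d+)?))?$")

def parse_rpsl_attributes(text):
    """{attribute: value}; continuation lines (leading space or '+') are joined."""
    attrs, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t+":
            if current is None:
                raise ValueError("continuation line before any attribute")
            attrs[current] += " " + raw.lstrip(" \t+").strip()
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            attrs[current] = value.strip()
    return attrs

def parse_filter_entries(filter_value):
    """Parse '{ 10.0.0.0/8^+, 192.0.2.0/24 }' into entries with explicit ge/le."""
    body = filter_value.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only simple prefix-set filters are supported")
    entries = []
    for item in body[1:-1].split(","):
        m = _TERM_RE.match(item.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {item.strip()}")
        net = ipaddress.ip_network(m.group(1), strict=True)
        plen, op = net.prefixlen, m.group(2)
        if op is None:            # exact prefix only
            ge = le = plen
        elif op == "+":           # prefix and all more-specifics
            ge, le = plen, 32
        elif op == "-":           # more-specifics only
            ge, le = plen + 1, 32
        elif "-" in op:           # ^n-m: lengths n through m
            ge, le = map(int, op.split("-"))
        else:                     # ^n: length n only
            ge = le = int(op)
        if not plen <= ge <= le <= 32:
            raise ValueError(f"bad range operator in {item.strip()}")
        entries.append(FilterEntry(net, ge, le))
    return entries

def load_filter_set(text):
    attrs = parse_rpsl_attributes(text)
    return attrs["filter-set"], parse_filter_entries(attrs["filter"])

def to_ios_prefix_list(name, entries):
    """Cisco IOS route filter: deny each entry, then permit-any for inbound BGP use."""
    lines = []
    for i, e in enumerate(entries):
        line = f"ip prefix-list {name} seq {5 * (i + 1)} deny {e.network}"
        if e.ge > e.network.prefixlen:
            line += f" ge {e.ge}"
        if e.le > e.network.prefixlen:
            line += f" le {e.le}"
        lines.append(line)
    lines.append(f"ip prefix-list {name} seq {5 * (len(entries) + 1)} permit 0.0.0.0/0 le 32")
    return lines

def to_iptables(chain, entries):
    """Packet-filter form: a source match covers the whole prefix, so ge/le is moot."""
    return [f"iptables -A {chain} -s {e.network} -j DROP" for e in entries]

def stale_entries(entries, allocated):
    """Entries overlapping space allocated since the list was fetched (the 69/8 case)."""
    return [(e, a) for e in entries for a in allocated if e.network.overlaps(a)]

# Constructed sample input for the check: pretend this block is now allocated.
ALLOCATED_SINCE = [ipaddress.ip_network("69.0.0.0/8")]

if __name__ == "__main__":
    name, entries = load_filter_set(SAMPLE_FILTER_SET)
    print("\n".join(to_ios_prefix_list(name, entries) + to_iptables("BOGONS", entries)))
    for e, a in stale_entries(entries, ALLOCATED_SINCE):
        print(f"STALE: {e.network} overlaps allocated {a}; remove it or refresh the list")
```

The two emitters differ on purpose: the RPSL range operators (^+, ^-, ^n-m) only mean something for route filtering, so they become ge/le on the prefix-list, while a packet filter simply drops every source inside the block. The staleness check is the procedural piece: run it against the RIRs' current allocation data before each push, and any entry it reports is either a martian that should stay or unallocated space that has since been handed out and must come out of the filter.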