Bogon filtering (don't ban me)

Christopher L. Morrow christopher.morrow at mci.com
Fri Dec 3 06:11:50 UTC 2004



On Fri, 3 Dec 2004, J. Oquendo wrote:

>
>
> Considering the talk of banning going on, I was reluctant to post this,
> anyhow, I wondered how many (if any) have ever thought about the aspect of
> vendors deciding to implement some form of default bogon filtering on their
> products. With all of the talk about DoS botnets, and issues surrounding
> allocated address ranges (for whatever the purpose), I'm curious to know
> why a vendor like Juniper, or Cisco, or whomever doesn't implement a
> mechanism to automatically do the filtering. Wouldn't this minimize a vast
> amount of issues surrounding DoS attacks?
>
> From an admin/user perspective, I would not mind having my equipment
> implement this as long as it was manageable to add/remove addresses on the
> fly. Perhaps a command line syntax:
>
> ip bogon add add.res.s/8
>
> or
>
> ip bogon remove add.res.s/8
>

Do you mean like using uRPF and null routes of the bogon/unallocated
networks to drop traffic on input? 'Cause that's already there...

> I thought about it over and over, and wonder why this hasn't been done.
> Any care to beat me with a clue stick or two. I can understand the

it has been done... see any of the several past nanog presentations on
security that Barry Greene, Tim Battles, Wayne Gustavus have given (and
Joe S from Juniper... I'd butcher his spelling, sorry joe!)

I think the arguments have gone against 'default blocking' because
'default for the internet' is not 'default for enterprise Z'.

-Chris
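The mechanism Chris points at (null routes for bogon prefixes plus loose-mode uRPF on ingress) can be modelled in a few lines to see why it needs no separate "ip bogon" feature. The following is an added example, not code from the thread or from any vendor: a toy FIB with longest-prefix match, where a bogon is simply a prefix whose next hop is the discard interface, and a loose uRPF check that drops a packet when its source has no route, matches only the default route without the equivalent of IOS's `allow-default`, or resolves to `Null0`. Prefixes, interface names and the sample packets are constructed for illustration; the bogon list is a handful of well-known unroutable ranges, not a complete one.

```python
import ipaddress
from dataclasses import dataclass, field

NULL0 = "Null0"  # discard interface; a route here is a black hole


@dataclass
class Fib:
    """Minimal forwarding table: prefix -> egress interface, longest match wins."""
    routes: dict = field(default_factory=dict)

    def add(self, prefix: str, iface: str) -> None:
        self.routes[ipaddress.ip_network(prefix, strict=False)] = iface

    def remove(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix, strict=False), None)

    def lookup(self, addr: str):
        """Return (network, iface) of the most specific route covering addr, or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net, iface) for net, iface in self.routes.items() if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def bogon_add(fib: Fib, prefix: str) -> None:
    """The poster's 'ip bogon add X' is just a static route for X to Null0."""
    fib.add(prefix, NULL0)


def bogon_remove(fib: Fib, prefix: str) -> None:
    """'ip bogon remove X' is withdrawing that null route."""
    fib.remove(prefix)


def urpf_loose(fib: Fib, src: str, allow_default: bool = False):
    """Loose-mode uRPF on an ingress interface.

    Pass if the source address is reachable via any interface; drop if there is
    no route, if only the default route covers it (unless allow_default), or if
    the best route points to Null0. The null-routed bogon is always more
    specific than the default, so it is dropped even with allow_default.
    """
    hit = fib.lookup(src)
    if hit is None:
        return "drop", "no route to source"
    net, iface = hit
    if iface == NULL0:
        return "drop", f"{net} is null-routed"
    if net.prefixlen == 0 and not allow_default:
        return "drop", "only the default route covers the source"
    return "pass", f"{net} via {iface}"


def filter_packets(fib: Fib, packets, allow_default: bool = False):
    """Apply the ingress check to (src, dst) pairs; returns (src, dst, verdict)."""
    return [(src, dst, urpf_loose(fib, src, allow_default)[0]) for src, dst in packets]


# Constructed sample of unroutable space; a real deployment would track a
# maintained bogon list and keep it current as allocations change.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16"]

# Constructed traffic: one RFC 1918 source, one legitimate customer source,
# one loopback source, one source with no specific route.
SAMPLE_PACKETS = [("10.1.2.3", "203.0.113.5"), ("198.51.100.7", "203.0.113.5"),
                  ("127.0.0.1", "203.0.113.5"), ("8.8.8.8", "203.0.113.5")]


def build_example_fib() -> Fib:
    """Hypothetical edge router: a default, two customer prefixes, and the bogon null routes."""
    fib = Fib()
    fib.add("0.0.0.0/0", "Gi0/0")          # upstream default
    fib.add("198.51.100.0/24", "Gi0/1")    # customer A
    fib.add("203.0.113.0/24", "Gi0/2")     # customer B
    for prefix in BOGONS:
        bogon_add(fib, prefix)
    return fib


if __name__ == "__main__":
    fib = build_example_fib()
    for src, dst, verdict in filter_packets(fib, SAMPLE_PACKETS):
        print(f"{src:>15} -> {dst:<15} {verdict:<5} ({urpf_loose(fib, src)[1]})")
```

Run it and the RFC 1918 and loopback sources drop because their best match is a Null0 route, the customer source passes, and 8.8.8.8 drops only because the model has `allow_default` off; flipping it on lets the default-covered source through while the bogons still drop, which is the behaviour an operator relies on when combining a default route with bogon null routes.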
