Bogon filtering (don't ban me)

Joe Maimon jmaimon at ttec.com
Sun Dec 5 18:29:46 UTC 2004

william(at)elan.net wrote:

>On Sun, 5 Dec 2004, Joe Abley wrote:
>
>>On 5 Dec 2004, at 06:50, Cliff Albert wrote:
>>
>>>I have one question regarding the CYMRU bogon route-server. What good
>>>is it if more-specific bogons are going around in the BGP table?
>>
>>With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
>>BGP updates received from individual peers which updates a pf radix
>>table with the network received:
>
>PF and bgpd with local filter table is good when you're expecting those
>filtered ip routes to change often.
I don't understand this attitude. Automating everything that is safely 
automatable is the only right way to do things. It's always worth it and 
it is always good. Everyone has always professed to believe in this.

In this case this is the exact cause of the problem the thread started 
addressing: manual updates that don't keep up.

Once upon a time this was the argument of sendmail access database v. 
dnsbls. Once upon a time you were expected to manually update virus 
definitions. Once upon a time you were expected to etc. The list goes on.

Every "weekly" task an admin takes on manually adds up. It may be great 
job insurance but it starts to suck quick for anyone with half a brain.

Now to throw some whacky ideas out instead of opinions.

I think that a BGP mechanism to tag routes as "ignore all more 
specifics" would solve this problem nicely. (and perhaps a whole lot of 
others -- such as needless deaggregation)

As far as router vendors such as Cisco autosecure, I do not think there 
is any way to make default access lists lossless. They should step up to 
the plate and offer md5 by system serial number keyed multihop BGP 
bogons in the manner of cymru. It's their responsibility. Also good that 
it makes them eat even more of their own dogfood which is probably ill 
suited to this kind of thing.

They should ask team cymru to help them do it and give them a nice fat 
check while they are at it.

Failing that they could offer radius/tacacs loading of that access 
list. Anything else is negligence.

And using BGP for /32 blacklist routes probably has very limited 
scalability. Anyone have any relevant numbers?

Everybody who posts lists of static access lists should seriously 
consider stopping. If not that, offer an email subscription to announce 
updates.

(think I beat the S:N? --even if my S is nonsense?)

Joe
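As an added illustration of the pf + bgpd arrangement Joe Abley describes in the quoted text (this is not his configuration, nor Team Cymru's, and is written in current bgpd.conf syntax, which differs in details from the 3.6-era syntax): bgpd accepts prefixes only from a dedicated bogon-feed peer, copies each accepted prefix into a pf table and blackholes it rather than installing it as a usable route, and pf drops traffic to or from anything in that table. The peer address 192.0.2.2, the AS numbers, the interface name and the session secret are placeholders.

```conf
# /etc/pf.conf (fragment)
# The table is created empty and kept alive by "persist"; bgpd adds and
# removes entries as the bogon feed changes, so no manual list upkeep.
ext_if = "em0"
table <bogons> persist
block in  quick on $ext_if from <bogons> to any
block out quick on $ext_if from any to <bogons>

# /etc/bgpd.conf (fragment)
# AS 64512 / 192.0.2.1 is our side; 192.0.2.2 / AS 64513 stands in for
# the bogon route-server (placeholder values).
AS 64512
router-id 192.0.2.1

neighbor 192.0.2.2 {
    remote-as 64513
    descr "bogon-feed"
    # TCP MD5 signature on the session; replace the placeholder secret.
    tcp md5sig password "PLACEHOLDER-SECRET"
}

# bgpd filter rules are last-match: reject everything in both directions,
# then accept only the bogon feed. Each accepted prefix is written into
# the pf table and its nexthop set to blackhole so the kernel never gets
# a real forwarding entry for a bogon prefix.
deny from any
deny to any
allow from 192.0.2.2 set { pftable "bogons" nexthop blackhole }

# Checks once both daemons are running:
#   bgpctl show rib neighbor 192.0.2.2   # prefixes accepted from the feed
#   pfctl -t bogons -T show              # the same prefixes in the pf table
```

If the feed peer withdraws a prefix, bgpd removes it from the pf table as well, which is the property the manual access-list approach in this thread lacks.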
