Bogon filtering (don't ban me)

Iljitsch van Beijnum iljitsch at muada.com
Sun Dec 5 18:50:11 UTC 2004


On 5-dec-04, at 19:29, Joe Maimon wrote:

> I think that a BGP mechanism to tag routes as "ignore all more 
> specifics" would solve this problem nicely. (and perhaps a whole lot 
> others -- such as needless deaggregation)

Yeah, like people who are needlessly deaggregating are going to send 
out an aggregate with this tag on it...

What you want is a way to inject filters into a box remotely with live 
updating. So this is what the vendors should build.

> As far as router vendors such as Cisco autosecure, I do not think 
> there is any way to make default access lists lossless. They should 
> step up to the plate and offer md5 by system serial number keyed 
> multihop BGP bogons in the manner of cymru. It's their responsibility.

Why?

Why should anyone bother?

Why are we even discussing this?

The whole point that started this discussion is that bogon filtering is 
HARMFUL a good part of the time. And it doesn't really do anything 
useful to begin with! You get to reject packets from dark address 
space, but:

- That's only some 40% of all address space, so you need to be able to 
deal with the other 60% anyway. Why wouldn't whatever mechanism that 
deals with the 60% be unable to deal with the additional 40%?

- (Loose) uRPF will buy you the exact same functionality and more 
without any upkeep.
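To make the two points above concrete (a static bogon list goes stale and starts dropping legitimate traffic, while loose uRPF only needs the router's own FIB), here is a small added model of both checks. It is example code written for this page, not anything from the post or from a router vendor; the bogon list, the FIB entries and the sample source addresses are all constructed for illustration, and 1.0.0.0/8 is used only as a stand-in for "a block that was dark when the list was written and has since been allocated".

```python
"""Static bogon ACL vs. loose uRPF, modelled in plain Python.

Added example, not from the original post. All prefixes, routes and
packets below are constructed for illustration.
"""
import ipaddress

# Constructed stale bogon list. 10.0.0.0/8 is RFC 1918 and stays dark;
# 1.0.0.0/8 stands in for a block that was later allocated and is now
# legitimately routed, but nobody updated the ACL.
STALE_BOGONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("1.0.0.0/8"),
]

# Constructed FIB: prefix -> next hop. None models a route to Null0
# (a blackhole), which loose uRPF also treats as "no usable route".
FIB = {
    ipaddress.ip_network("1.2.3.0/24"): "192.0.2.1",      # formerly bogon, now allocated
    ipaddress.ip_network("203.0.113.0/24"): "192.0.2.2",
    ipaddress.ip_network("198.51.100.0/24"): "192.0.2.3",
    ipaddress.ip_network("203.0.113.99/32"): None,        # blackholed host inside a routed /24
}


def bogon_filter_accepts(src):
    """Static bogon ACL: drop if the source falls inside any listed prefix.

    This is the check whose list must be maintained by hand (or pulled from
    a feed); it knows nothing about what is actually routed today.
    """
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in STALE_BOGONS)


def longest_match(addr, fib):
    """Return the most specific FIB prefix covering addr, or None."""
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda net: net.prefixlen)


def loose_urpf_accepts(src, fib=FIB):
    """Loose uRPF: accept only if the FIB holds a usable route to the source.

    'Loose' means any interface is fine; the packet only has to come from an
    address the router could route back to. A missing route or a Null0
    route fails the check, so blackholing a prefix also drops packets
    claiming to come from it, with no separate ACL to edit.
    """
    addr = ipaddress.ip_address(src)
    best = longest_match(addr, fib)
    if best is None:
        return False            # no route at all: dark space, drop
    return fib[best] is not None  # route exists but points to Null0: drop


def compare(sources):
    """Run both checks over a list of source addresses."""
    return [(src, bogon_filter_accepts(src), loose_urpf_accepts(src)) for src in sources]


if __name__ == "__main__":
    # Constructed sample sources covering the interesting cases.
    samples = [
        "10.1.1.1",       # real bogon: both drop
        "1.2.3.4",        # stale list drops legitimate, now-allocated space
        "192.0.2.5",      # unrouted but not on the list: only uRPF drops it
        "203.0.113.99",   # blackholed host: only uRPF drops it
        "198.51.100.7",   # ordinary routed source: both accept
    ]
    print("source           bogon_acl  loose_urpf")
    for src, acl, urpf in compare(samples):
        print(f"{src:16} {str(acl):9}  {urpf}")
```

The second and third sample sources are the post's two arguments in miniature: 1.2.3.4 is collateral damage from a list nobody updated, and 192.0.2.5 is unrouted space the list never covered but the FIB-based check rejects anyway. On Cisco IOS the loose check corresponds to `ip verify unicast source reachable-via any` on the interface; the exact behaviour for default routes and Null0 entries varies by platform and knob, so treat the Null0 handling above as the common case rather than a universal rule.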
