Best way to get of Bogon list?

Iljitsch van Beijnum iljitsch at muada.com
Sat Nov 27 17:03:28 UTC 2004


On 27-nov-04, at 9:02, Christopher L. Morrow wrote:

>> I've never been a fan of bogon packet filtering (bogon route filtering
>> is more useful), but it occurs to me that it's probably better for us
>> network operators to do this rather than have each and every firewall
>> admin do it for themselves.

> be it 'route' filtering or 'packet filtering' the end result is the same in
> this case, eh?

Well, with uRPF you can turn route filtering into packet filtering, but 
otherwise they're different. There is nothing bad that a packet with a 
bogon source can do that a packet with a non-bogon source can't do too. 
But spammers and the like can hijack unused address space to do 
untraceable nastiness if these routes aren't filtered.

> Being the internet's firewall is a dangerous proposition, ask those 
> that dropped ICMP on large backbones during welchia... :(

There are two big differences between filtering packets with bogon 
sources and firewalling in general: the bogon stuff can be done just by 
looking at the source address, and these packets never serve any useful 
purpose, so they can be filtered anywhere, anytime without problems. 
(While with ICMP some crazy people actually like to get the port 
unreachables rather than having to wait for a timeout, or for PMTUD to 
work.)

> To some extent this is correct, but these users really need to learn to
> effectively protect themselves. In the long term at least.

Never teach a pig to sing: it wastes your time and annoys the pig.
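The point about uRPF turning route filtering into packet filtering, worked through as an added Python example (not code from this thread); the bogon prefixes, announced routes, interface names and packets are all constructed for illustration.

```python
"""Bogon route filtering plus uRPF behaving like a bogon source-address filter.

Constructed example: the bogon list is a small illustrative set, not a current
one, and the routing table and packets are made up.
"""
import ipaddress

# Constructed bogon prefixes (illustrative only; real lists change over time).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "240.0.0.0/4",
)]

def is_bogon(addr):
    """Packet-level check: is this source address inside a bogon prefix?"""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in BOGONS)

def filter_routes(announcements):
    """Bogon route filtering: reject announcements overlapping a bogon prefix.
    Returns the accepted RIB as {network: interface}."""
    rib = {}
    for prefix, ifname in announcements:
        net = ipaddress.ip_network(prefix)
        if not any(net.overlaps(b) for b in BOGONS):
            rib[net] = ifname
    return rib

def lookup(rib, addr):
    """Longest-prefix match; returns the next-hop interface or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, ifname in rib.items():
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def urpf_allows(rib, src, in_if, strict=False):
    """uRPF: loose mode needs any route back to src; strict mode needs that
    route to point at the interface the packet arrived on. A default route in
    the RIB would make loose mode accept everything, so keep it out."""
    via = lookup(rib, src)
    if via is None:
        return False  # no route to the source: dropped, as a bogon filter would
    return via == in_if if strict else True

def demo():
    # The 10.1.0.0/16 announcement is a hijacked bogon; route filtering drops it,
    # so loose uRPF then drops packets sourced from it with no per-packet list.
    announced = [("203.0.113.0/24", "ge-0/0/1"), ("198.51.100.0/24", "ge-0/0/2"),
                 ("10.1.0.0/16", "ge-0/0/2")]
    rib = filter_routes(announced)
    packets = [("203.0.113.7", "ge-0/0/1"), ("10.1.2.3", "ge-0/0/2"),
               ("198.51.100.9", "ge-0/0/1")]  # last one arrives on the wrong side
    return [(src, urpf_allows(rib, src, i), urpf_allows(rib, src, i, strict=True))
            for src, i in packets]
```

Loose mode reproduces the bogon packet filter once bogon routes are kept out of the RIB; strict mode additionally drops the spoofed-looking 198.51.100.9 that arrives on an interface the route does not point at.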