Please Check Filters - BOGON Filtering IP Space

Michael.Dillon at Michael.Dillon at
Fri Jan 21 14:38:05 UTC 2005

> > Well, if the router CAN run BGP, the feed from Cymru is only about 84
> > prefixes - not a lot of memory tied up there, is there?

Not a very wise solution. If hundreds of thousands of routers
take this feed from Cymru, then it won't be long
before someone attacks Cymru in order to control
the feed. And given the upsurge in criminal activity
related to network abuse, the danger to Cymru is not
just from network exploits. The principals could
find themselves looking at a gun barrel in their
face with their families held hostage. It is very
unwise to push people towards creating a new single
point of failure (or single attack point) in the

> my point was that not all managed routers, the majority actually, can't
> and don't run BGP. their code doesn't even support bgp...

Thankfully this is true. However, the majority
of managed routers are managed by servers/workstations
which *ARE* capable of running BGP as well as
scripts to compare ACLs and alert staff when
inconsistencies are discovered.

The prudent course of action is to encourage 
people to take the Cymru feed into their
*management systems* and use that feed to vet
their current ACLs or BGP filters. This extra 
layer of indirection actually strengthens the
system and protects Cymru from becoming too

--Michael Dillon
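
The kind of management-host check the message above describes, as an added example that is not part of the original post: it compares a router ACL's deny entries against a reference bogon list and reports entries that are missing, stale, or unparseable. The prefixes, the ACL text and its Cisco-style wildcard syntax are constructed assumptions, and the reference list is assumed to be already on the management host.

```python
import ipaddress

# Constructed sample: bogon prefixes as held on the management host after
# taking the feed (illustrative values, not real feed contents).
FEED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"]

# Constructed sample: a router ingress ACL. Cisco-style wildcard-mask
# syntax is an assumption about the ACL format.
ACL = """\
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 198.51.100.0 0.0.0.255 any
access-list 110 deny ip 203.0.113.0 0.0.255.0 any
access-list 110 permit ip any any
"""

def parse_denies(text):
    """Return (networks, unparsed_lines) for 'deny ip <addr> <wildcard>' lines."""
    nets, unparsed = [], []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[2:4] != ["deny", "ip"]:
            continue
        try:
            wild = int(ipaddress.IPv4Address(tok[5]))
            if wild & (wild + 1):  # wildcard bits not contiguous: no CIDR form
                raise ValueError("non-contiguous wildcard")
            nets.append(ipaddress.ip_network(f"{tok[4]}/{32 - wild.bit_length()}"))
        except ValueError:
            unparsed.append(line)  # flag for a human, never skip silently
    return nets, unparsed

def audit(feed, acl_text):
    """Compare the ACL's deny entries against the reference prefixes."""
    feed_nets = list(ipaddress.collapse_addresses(map(ipaddress.ip_network, feed)))
    acl_nets, unparsed = parse_denies(acl_text)
    acl_nets = list(ipaddress.collapse_addresses(acl_nets))
    # In the feed but not denied on the router: filter is incomplete.
    missing = [f for f in feed_nets if not any(f.subnet_of(a) for a in acl_nets)]
    # Denied on the router but no longer in the feed: stale entry blocking
    # space that may since have been allocated.
    stale = [a for a in acl_nets if not any(a.subnet_of(f) for f in feed_nets)]
    return missing, stale, unparsed

if __name__ == "__main__":
    for label, items in zip(("MISSING", "STALE", "UNPARSED"), audit(FEED, ACL)):
        for item in items:
            print(f"{label}: {item}")
```

The script only reports differences for staff to act on; it never pushes changes to the router.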
