[c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]

Michael.Dillon at btradianz.com Michael.Dillon at btradianz.com
Fri Nov 10 12:54:28 UTC 2006


> > The craziest stuff that gets announced isn't in the
> > reserved/unallocated realm anyway so the effort seems to be
> > disproportional to the benefits... and most issues I read about with
> > reserved space is packets coming FROM them not TO them....
> 
> Steve's 100% spot-on here.  I don't have bogon filters at all and it
> hasn't hurt me in the least.  I think the notion that this is somehow
> a good practice needs to be quashed.

I think there is a terminology problem here. People think
that "bogons" means "bogus routes". From that they infer
that bogus routes should be filtered and use the Cymru feed
because it seems to be a no-brainer.

The problem arises because the Cymru feed only contains 
the low-hanging fruit. It only refers to address ranges
that *might* be bogus and which are easy to identify. 
The problem is that if you pick this fruit, it soon goes
rotten and you end up filtering address ranges which are
in use and almost certainly not bogus.

If there were some way to have a feed of real bogons,
i.e. address prefixes that are *KNOWN* to be bogus at
the point in time they are in the feed, that would be
useful for filtering. And it would likely be a best practice
to use such a feed.

But at the present time, such a feed does not exist.

Also, I think that anyone contemplating creating a new
feed should give some thought to what they are doing.
It would be very useful to have a feed or database which
can assign various attributes to address ranges. When there
is only one possible attribute, bogon, then the meaning 
of the attribute gets stretched and the feed becomes useless.
But if there are many attributes such as
UNALLOCATED, UNASSIGNED, DOS-SOURCE, SPAM-SOURCE,
RIR-REGISTERED then it starts to look interesting.
Some networks might like to filter based on several
attributes, others will just filter those with the 
DOS-SOURCE attribute.

Obviously, it would require lots of cooperation for
some of these such as UNASSIGNED, but perhaps the Internet
needs to move towards more cooperation between network
operators.

--Michael Dillon
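
Added example, not part of the original message: a Python model of the multi-attribute feed proposed above, in which each operator filters on the attributes it chooses and entries that have not been re-verified recently are ignored rather than left to go stale. The feed contents (documentation prefixes), the 30-day freshness window and the function names are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data: (prefix, attributes, time the entry was last verified).
# Prefixes are documentation ranges, not real feed contents.
NOW = datetime(2006, 11, 10, tzinfo=timezone.utc)
FEED = [
    ("192.0.2.0/24",      {"UNALLOCATED"},                  NOW - timedelta(days=2)),
    ("198.51.100.0/24",   {"RIR-REGISTERED", "UNASSIGNED"}, NOW - timedelta(days=1)),
    ("198.51.100.128/25", {"RIR-REGISTERED", "DOS-SOURCE"}, NOW - timedelta(hours=3)),
    ("203.0.113.0/24",    {"UNALLOCATED"},                  NOW - timedelta(days=400)),
]
MAX_AGE = timedelta(days=30)  # assumed freshness window; older entries are not trusted


def attributes_for(prefix, now=NOW):
    """Return the attributes of the most specific *fresh* entry covering prefix."""
    net = ipaddress.ip_network(prefix)
    best = None
    for entry_prefix, attrs, verified in FEED:
        if now - verified > MAX_AGE:
            continue  # entry is no longer known to be accurate, so ignore it
        entry = ipaddress.ip_network(entry_prefix)
        if net.version != entry.version or not net.subnet_of(entry):
            continue
        if best is None or entry.prefixlen > best[0].prefixlen:
            best = (entry, attrs)
    return set(best[1]) if best else set()


def should_filter(prefix, policy, now=NOW):
    """True if the prefix carries any attribute this operator chose to filter on."""
    return bool(attributes_for(prefix, now) & set(policy))


if __name__ == "__main__":
    strict = {"UNALLOCATED", "UNASSIGNED", "DOS-SOURCE"}
    dos_only = {"DOS-SOURCE"}
    for p in ("192.0.2.0/25", "198.51.100.10/32",
              "198.51.100.200/32", "203.0.113.5/32"):
        print(p, sorted(attributes_for(p)),
              "strict:", should_filter(p, strict),
              "dos_only:", should_filter(p, dos_only))
```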





More information about the NANOG mailing list