Where are static bogon filters appropriate? was: 126.96.36.199/16 Bogons
dts at senie.com
Fri Mar 2 22:34:24 UTC 2007
At 04:18 PM 3/2/2007, Sean Donelan wrote:
>On Fri, 2 Mar 2007, Roland Dobbins wrote:
>>>Sometimes, network operators have to take the bull
>>>by the horns and develop their own systems to do a job that vendors
>>>simply don't understand.
>>Concur - but it seems that many seem to be looking for someone else
>>to do this for them (or, perhaps, the lack of someone to do it for
>>them as an excuse to do nothing at all).
>How much of a problem is traffic from unallocated
>addresses? Backbone operators probably have NetFlow data which they
>could mine to find out.
>On the other hand, how much of a problem is obsolete bogon filters causing
>everytime IANA delegates another block to an RIR?
>Or by the way, how much spoofed traffic uses allocated addresses?
How do you know, if you're the one being attacked and you have no
idea if the originating network or their immediate upstream
implemented BCP38? Shall we just discard ingress filtering? If few
attacks are using it today, should we declare it no longer relevant?
At the same time we should ask if we should be x-raying shoes at the
airport, since there's only been one guy who tried to blow up his
shoes. The larger security question is, "do you stop looking for old
threats simply because they're not the most common threats?" How many
CodeRed packets flow over the Internet on a typical day? I assure you
it's not zero.
The initial drafts of the document that became BCP38 were written 10
1/2 years ago, triggered by a serious problem of spoof-based attacks
that were causing serious problems including serious interruption of
services. The problem had a solution, but one that required
cooperation among networks. The operation of the entire Internet
required cooperation among networks. I don't know to what degree any
sense of cooperation is left these days. Probably won't matter when
Google or ATT take over the whole thing. In the mean time, the
presence of an ACL line or two at the border of each edge network is
NOT a significant burden. Yes, Cisco and others have implemented uRPF
that can do the same thing with a bit less typing in some cases. I
really don't care which mechanism is used. I do care when my network
is hammered with packets. When I send reports to other networks and
they can't be sure the packets came from their networks, that's not helpful.
So there, that's my rant about why we might all want to try and keep
the 'net a cooperative place, and a bit about how ingress filtering
continues to play a part in that cooperation.
This is pretty far from the topic of the bogon list issue with 96/8 though.
More information about the NANOG