Where are static bogon filters appropriate? was: Bogons

Daniel Senie dts at senie.com
Fri Mar 2 22:34:24 UTC 2007

At 04:18 PM 3/2/2007, Sean Donelan wrote:

>On Fri, 2 Mar 2007, Roland Dobbins wrote:
>>>Sometimes, network operators have to take the bull
>>>by the horns and develop their own systems to do a job that vendors
>>>simply don't understand.
>>Concur - but it seems that many seem to be looking for someone else 
>>to do this for them (or, perhaps, the lack of someone to do it for 
>>them as an excuse to do nothing at all).
>How much of a problem is traffic from unallocated 
>addresses?  Backbone operators probably have NetFlow data which they 
>could mine to find out.
>On the other hand, how much of a problem is obsolete bogon filters causing
>every time IANA delegates another block to an RIR?
>Or by the way, how much spoofed traffic uses allocated addresses?

How do you know, if you're the one being attacked and you have no 
idea if the originating network or their immediate upstream 
implemented BCP38? Shall we just discard ingress filtering? If few 
attacks are using it today, should we declare it no longer relevant? 
At the same time we should ask if we should be x-raying shoes at the 
airport, since there's only been one guy who tried to blow up his 
shoes. The larger security question is, "do you stop looking for old 
threats simply because they're not the most common threats?" How many 
CodeRed packets flow over the Internet on a typical day? I assure you 
it's not zero.

The initial drafts of the document that became BCP38 were written 10 
1/2 years ago, triggered by a serious problem of spoof-based attacks 
that were causing serious problems including serious interruption of 
services. The problem had a solution, but one that required 
cooperation among networks. The operation of the entire Internet 
required cooperation among networks. I don't know to what degree any 
sense of cooperation is left these days. Probably won't matter when 
Google or ATT take over the whole thing. In the meantime, the 
presence of an ACL line or two at the border of each edge network is 
NOT a significant burden. Yes, Cisco and others have implemented uRPF 
that can do the same thing with a bit less typing in some cases. I 
really don't care which mechanism is used. I do care when my network 
is hammered with packets. When I send reports to other networks and 
they can't be sure the packets came from their networks, that's not helpful.

So there, that's my rant about why we might all want to try and keep 
the 'net a cooperative place, and a bit about how ingress filtering 
continues to play a part in that cooperation.

This is pretty far from the topic of the bogon list issue with 96/8 though.
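The three filtering mechanisms touched on in the message above (a BCP38 ingress ACL on a customer-facing interface, uRPF strict mode as the "less typing" alternative, and a static bogon list of the kind the thread's 96/8 problem is about) can be modelled side by side. The following is an added example written for this page, not code from the poster or from any vendor; the interface names, the customer prefixes (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), the FIB and the contents of the bogon list are all constructed for illustration, and the bogon list is deliberately stale in that it still contains 96.0.0.0/8.

```python
"""
Simulated edge-router ingress filtering (constructed data, illustration only).

  * bcp38_permit        - BCP38-style ingress ACL: permit only sources the
                          customer attached to that interface was assigned.
  * urpf_strict_permit  - uRPF strict mode: the best route back to the source
                          must point out the interface the packet arrived on.
  * urpf_loose_permit   - uRPF loose mode: a route to the source merely has to
                          exist somewhere in the FIB.
  * bogon_permit        - static bogon ACL, shown going stale.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: two customer ports and one upstream port.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/24")],
}

# Constructed FIB: destination prefix -> egress interface.
FIB = {
    ip_network("192.0.2.0/24"): "ge-0/0/1",
    ip_network("198.51.100.0/24"): "ge-0/0/2",
    ip_network("0.0.0.0/0"): "ge-0/0/0",   # default route toward the upstream
}

# Constructed *stale* static bogon list (hypothetical contents): it still
# lists 96.0.0.0/8, the block the thread is about.
STALE_BOGONS = [ip_network(p) for p in
                ("0.0.0.0/8", "10.0.0.0/8", "96.0.0.0/8", "127.0.0.0/8")]


def bcp38_permit(src, ingress_iface, prefixes=CUSTOMER_PREFIXES):
    """Ingress ACL on a customer port: permit only the customer's own sources.

    Returns False on an interface with no assigned prefixes (e.g. the upstream
    port), because a BCP38 ACL belongs on the customer-facing edge, not there.
    """
    src = ip_address(src)
    return any(src in p for p in prefixes.get(ingress_iface, []))


def lookup(fib, addr):
    """Longest-prefix match against the FIB; returns the egress interface or None."""
    addr = ip_address(addr)
    matches = [p for p in fib if addr in p]
    if not matches:
        return None
    return fib[max(matches, key=lambda p: p.prefixlen)]


def urpf_strict_permit(src, ingress_iface, fib=FIB):
    """uRPF strict: the route to the source must point back out the arriving port."""
    return lookup(fib, src) == ingress_iface


def urpf_loose_permit(src, fib=FIB):
    """uRPF loose: any route to the source is enough (a default route makes this
    nearly useless, which is why the check ignores 0.0.0.0/0 here)."""
    egress = lookup({p: i for p, i in fib.items() if p.prefixlen > 0}, src)
    return egress is not None


def bogon_permit(src, bogons=STALE_BOGONS):
    """Static bogon ACL: drop if the source falls inside a listed block."""
    src = ip_address(src)
    return not any(src in b for b in bogons)


def refreshed_bogons(bogons, newly_allocated):
    """Return the bogon list with a newly allocated block removed."""
    allocated = ip_network(newly_allocated)
    return [b for b in bogons if b != allocated]


def ingress_decision(src, ingress_iface):
    """All checks for one packet with source `src` arriving on `ingress_iface`."""
    return {
        "bcp38": bcp38_permit(src, ingress_iface),
        "urpf_strict": urpf_strict_permit(src, ingress_iface),
        "urpf_loose": urpf_loose_permit(src),
        "stale_bogon": bogon_permit(src),
    }


if __name__ == "__main__":
    # Legitimate customer packet, spoofed customer packet, and a packet from
    # the (constructed) newly allocated 96/8 arriving from the upstream.
    for src, iface in (("192.0.2.10", "ge-0/0/1"),
                       ("203.0.113.5", "ge-0/0/1"),
                       ("96.1.2.3", "ge-0/0/0")):
        print(src, iface, ingress_decision(src, iface))
```

Two things worth noticing when running it: the spoofed packet from 203.0.113.5 is dropped by both the ACL and uRPF strict, so either mechanism delivers the ingress filtering the message argues for; and the packet from 96.1.2.3 passes uRPF but is still dropped by the stale bogon list until `refreshed_bogons` removes 96.0.0.0/8, which is the operational cost of static bogon filters that the thread is about. uRPF strict assumes symmetric routing; on a multihomed customer port whose return path may lie elsewhere, strict mode drops legitimate traffic, and an explicit ACL or loose mode is the safer choice.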
