Where are static bogon filters appropriate? was: Bogons

Joseph S D Yao jsdy at center.osis.gov
Sun Mar 4 02:27:14 UTC 2007

On Thu, Mar 01, 2007 at 07:16:37AM -0800, Peter Thoenen wrote:
[Thoenen seems to have clipped the attribution]
> > Perhaps, bogon acls are helpful when they are configured on backbone, but not
> > everywhere.
> And if ever major backbones (read tier 2/3) would do so all us little
> guys wouldn't have to (yet for some reason I keep getting the odd hit
> in my acl logs from bogon space daily).
> Yes I know they will defend this with "we sell unfiltered service"
> (which of course isn't true); I am just not convinced filtering bogons
> would invalidate this any more than their MPLS QoS clouds do.

There are smaller internets that are large enough that one person is not
managing all of the routers, but small enough that policy can be
"MANAGED" across all of them.  Some of these required implementation of
the bogon lists.  As they are small, this rarely changes - so when a
change to the bogon list comes, some resist this as if an article of
their faith were being challenged.  Even within the group managing the

As I'm STILL fighting skirmishes on this front, I'm less happy about
bogon lists than I once was.

"Leaf" networks should perform egress filtering, everyone knows that now
[;-} we wish].  Service provider networks should probably filter on
connections to the "customer" networks to allow only that customer's
IPs, but on connections to "transit" networks to only eliminate the
truly "unroutable" IP addresses such as RFC 1918.

However, since it is not possible to require this or anything else on
the public Internet, except by making sure that all routers are run by
clueful people who have entered into mutual agreement to do this [sorry,
dreaming again], this is not likely to happen.

Joe Yao
   This message is not an official statement of OSIS Center policies.
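
The per-connection filtering policy described in the message above, sketched as an added example (not part of the original post). The role labels, the function names and the sample prefixes are assumptions made for illustration; the documentation prefixes stand in for real allocations.

```python
import ipaddress

# RFC 1918 private space: the message's example of "truly unroutable" sources.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def _covered(addr, prefixes):
    """True if addr falls inside any prefix (mixed v4/v6 never matches)."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def permit_source(role, src, own_prefixes=()):
    """Decide whether a packet's source address passes the filter.

    role (hypothetical labels, not from the message):
      "leaf-egress" - leaf network sending out; only its own prefixes may leave
      "customer"    - provider port facing a customer; only that customer's
                      prefixes may enter
      "transit"     - provider port facing transit; drop only RFC 1918
    An unparseable address or an unknown role is denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if role in ("leaf-egress", "customer"):
        return _covered(addr, own_prefixes)
    if role == "transit":
        return not _covered(addr, RFC1918)
    return False


# Constructed sample traffic; 192.0.2.0/24 plays the customer's allocation.
CUSTOMER = ["192.0.2.0/24"]
SAMPLES = [
    ("customer", "192.0.2.10"),     # customer's own address
    ("customer", "198.51.100.7"),   # not the customer's: spoofed or leaked
    ("leaf-egress", "10.1.2.3"),    # private address escaping a leaf
    ("transit", "10.1.2.3"),        # RFC 1918 arriving from transit
    ("transit", "198.51.100.7"),    # anything else from transit passes
]

if __name__ == "__main__":
    for role, src in SAMPLES:
        verdict = "permit" if permit_source(role, src, CUSTOMER) else "deny"
        print(f"{role:12} {src:15} {verdict}")
```

The customer and leaf rules are allow-lists tied to prefixes the operator already knows, while the transit rule is a short deny-list that does not change as address space is allocated.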
