Is it time to abandon bogon prefix filters?

Sean Donelan sean at donelan.com
Fri Aug 15 09:52:15 CDT 2008


On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
> Martians plus 1918 space, I'd say, though that requires knowing which
> are border interfaces.

Whether you include or exclude rfc1918 addresses is another issue. Whack 
the martians first :-)

Unfortunately, enough ISPs use rfc1918 addresses on their backbone links
that filtering rfc1918 also breaks traceroute (* * *), and people use rfc1918
internally enough that rfc1918 requires more professional thought about 
configuring those filters.

From an operational perspective, whacking martians has fewer caveats for
amateur network operators or default equipment configuration settings.

> Other than that, I agree 100% -- bogon filters have little security
> relevance for most sites.  Furthermore, as the allocated address space
> increases, the percentage of actual bogon space decreases and the rate
> of false positives -- packets that are rejected that shouldn't be --
> will increase.  Security?  Remember that availability is a security
> issue, too.

Violent agreement.
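As an added illustration that is not part of the original thread, here is a small Python policy check separating the two decisions the exchange distinguishes: martians are dropped on every interface, while RFC 1918 sources are dropped only under a stricter policy and only on interfaces the operator has identified as border links, which also shows why that stricter policy turns a peer's rfc1918 backbone hop into `* * *` in traceroute. The interface names, the sample addresses and the assumption that `eth0` is the border interface are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Martians: special-use IPv4 ranges that are never a legitimate packet source
# on any interface. RFC 1918 space is kept separate, as the thread suggests.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "192.0.2.0/24",    # TEST-NET
    "224.0.0.0/4",     # multicast, never valid as a source
    "240.0.0.0/4",     # reserved, includes 255.255.255.255
)]
RFC1918 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str    # source address
    iface: str  # interface the packet arrived on

def classify(src: str) -> str:
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in MARTIANS):
        return "martian"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public"

def decide(pkt: Packet, border_ifaces, drop_1918_at_border: bool) -> str:
    """Martians are dropped on every interface; RFC 1918 sources are dropped
    only if the policy asks for it AND the interface is a known border."""
    kind = classify(pkt.src)
    if kind == "martian":
        return "drop"
    if kind == "rfc1918" and drop_1918_at_border and pkt.iface in border_ifaces:
        return "drop"
    return "permit"

# Constructed sample traffic; eth0 is the assumed border, eth1 an inside port.
SAMPLE = [
    Packet("127.0.0.1", "eth0"),     # loopback source arriving from outside
    Packet("240.1.2.3", "eth0"),     # reserved space arriving from outside
    Packet("10.254.0.1", "eth0"),    # ICMP time-exceeded from a peer's 1918 hop
    Packet("192.168.1.10", "eth1"),  # internal host on the inside interface
    Packet("203.0.113.5", "eth0"),   # ordinary public source
]

def evaluate(drop_1918_at_border: bool, border_ifaces=frozenset({"eth0"})) -> dict:
    return {p.src: decide(p, border_ifaces, drop_1918_at_border) for p in SAMPLE}
```

Under the martians-only policy the 10.254.0.1 hop reply is permitted and traceroute shows the hop; under martians+1918 it is dropped at the border and that hop becomes `* * *`.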