Is it time to abandon bogon prefix filters?
sean at donelan.com
Fri Aug 15 09:52:15 CDT 2008
On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
> Martians plus 1918 space, I'd say, though that requires knowing which
> are border interfaces.
Whether you include or exclude rfc1918 addresses is another issue. Whack
the martians first :-)
Unfortunately, enough ISPs use rfc1918 addresses on their backbone links
that filtering rfc1918 also breaks traceroute (* * *), and people use rfc1918
internally enough that rfc1918 requires more professional thought about
configuring those filters.
From an operational perspective, whacking martians has fewer caveats for
amateur network operators or default equipment configuration settings.
> Other than that, I agree 100% -- bogon filters have little security
> relevance for most sites. Furthermore, as the allocated address space
> increases, the percentage of actual bogon space decreases and the rate
> of false positives -- packets that are rejected that shouldn't be --
> will increase. Security? Remember that availability is a security
> issue, too.
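An added example, not code from the thread or its authors, that models the distinction drawn above: martians are filtered unconditionally, while RFC 1918 sources are a separate policy decision whose cost shows up as dropped ICMP time-exceeded replies from backbone hops. The prefix lists and the sample packets are this example's own assumptions.

```python
# Added example (not from the original thread): classify source addresses the way a
# border ingress filter would, keeping "martians" separate from RFC 1918 space so the
# two policies can be decided independently. Prefix lists are this example's own
# assumption, drawn from commonly used special-use space (RFC 3330) and RFC 1918.
import ipaddress

# Special-use space that should never appear as a source on a border interface.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast as a *source*
    "240.0.0.0/4",      # reserved, includes 255.255.255.255
)]

RFC1918 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

def classify(src):
    """Return 'martian', 'rfc1918' or 'routable' for a source address string."""
    addr = ipaddress.ip_address(src)
    if any(addr in n for n in MARTIANS):
        return "martian"
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    return "routable"

def ingress_filter(packets, drop_rfc1918):
    """Apply the filter to (src, proto) tuples; return (kept, dropped) lists.
    drop_rfc1918=False is the "whack the martians first" policy from the thread;
    True also drops RFC 1918 sources, which is where the traceroute caveat bites."""
    kept, dropped = [], []
    for src, proto in packets:
        kind = classify(src)
        if kind == "martian" or (kind == "rfc1918" and drop_rfc1918):
            dropped.append((src, proto, kind))
        else:
            kept.append((src, proto, kind))
    return kept, dropped

# Constructed sample: a normal packet, a spoofed loopback source, and an ICMP
# time-exceeded from an ISP backbone hop numbered out of RFC 1918 space
# (the hop a traceroute shows as "* * *" once RFC 1918 sources are filtered).
SAMPLE = [
    ("198.51.100.7", "tcp"),
    ("127.0.0.1", "udp"),
    ("10.255.0.1", "icmp-time-exceeded"),
]

if __name__ == "__main__":
    for policy in (False, True):
        kept, dropped = ingress_filter(SAMPLE, drop_rfc1918=policy)
        print(f"drop_rfc1918={policy}: kept={kept} dropped={dropped}")
```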