Is it time to abandon bogon prefix filters?

Tomas L. Byrnes tomb at byrneit.net
Sat Aug 16 12:58:02 CDT 2008


In the case of routers and firewalls, managing your block lists
dynamically is akin to checking the oil. Which is something too few car
owners do as well.

It's also relatively easy to do:

<shameless plug>
For firewalls, I came up with ThreatSTOP to make this simple for
everyone.
</shameless plug>

Team Cymru has been doing this for routers forever.


> -----Original Message-----
> From: Sean Donelan [mailto:sean at donelan.com] 
> Sent: Friday, August 15, 2008 10:07 AM
> To: Steven M. Bellovin
> Cc: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
> 
> On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
> >> and i am saying that you should use a router configuration *system*
> >> that avoids ticking time bombs.  no router should be neglected and
> >> unloved.
> >>
> > That, I think, is why he distinguished between routers run by "highly
> > clueful people" and routers run by others.  I think we all agree on
> > your basic point; it's just that too many people aren't clueful enough
> > to realize that they even have a problem, let alone know how to solve
> > it.  (Of course, you and I both have a background in programming
> > languages and compilers, which is why we naturally think of router
> > configurations as a form of assembler language that only a compiler
> > should ever emit.)
> 
> 
> To avoid people feeling individually insulted, I sometimes 
> try to distinguish between the purposes of equipment rather 
> than the capabilities of the person maintaining it.
> 
> A NASCAR racing team may perform extensive monitoring and 
> maintenance on their racing cars; but that doesn't mean I 
> should need a team of 5 mechanics to keep my regular street 
> car operating safely with a few idiot lights on the dashboard.
> 
> 
> 



