Checking bogon status of new address space

Leo Bicknell bicknell at ufp.org
Fri May 8 17:39:55 UTC 2009


In a message written on Fri, May 08, 2009 at 12:27:29PM -0500, Rob Thomas wrote:
> This is the primary reason we removed the static bogon lists from our
> Secure [BIND|IOS|BGP] Templates.  My thanks to Randy Bush (and a few
> other folks) for the suggestion.

I want to thank Team Cymru for their effort in maintaining this
list over time, it's done a lot of people a lot of good.

I would also like to recommend that it's time to completely update
the text on http://www.cymru.com/Documents/bogon-list.html to reflect
the new reality.  Looking at
http://www.cymru.com/Documents/bogon-bn-nonagg.txt (bogns, bit
notation, not aggregated) I see there are only 39 entries in the
list.  Ten of these entries are martians, and should remain:

0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
223.0.0.0/8
224.0.0.0/3

The other 29 are the unallocated /8's:

1.0.0.0/8
2.0.0.0/8
5.0.0.0/8
14.0.0.0/8
23.0.0.0/8
27.0.0.0/8
31.0.0.0/8
36.0.0.0/8
37.0.0.0/8
39.0.0.0/8
42.0.0.0/8
46.0.0.0/8
49.0.0.0/8
50.0.0.0/8
100.0.0.0/8
101.0.0.0/8
102.0.0.0/8
103.0.0.0/8
104.0.0.0/8
105.0.0.0/8
106.0.0.0/8
107.0.0.0/8
175.0.0.0/8
176.0.0.0/8
177.0.0.0/8
179.0.0.0/8
181.0.0.0/8
182.0.0.0/8
185.0.0.0/8

29/256 = 11% of the available address space.  My argument is, if
someone is scanning you from random source addresses blocking 10%
of the scan traffic is reaching a point of very little return for
the effort of updating the address lists, and as we all know it is
getting smaller and smaller.

To that end, I believe the recommendation should be to move to a
martian-only filter over the next 12-24 months.  This lines up with
the time frame at which all /8's are likely to be allocated.  Of
course the full list of unallocated /8's should still be produced
for those who want it, I'm not advocating that anything go away,
just that I feel like we are at the point where the value of the
list is lower than the effort to maintain it for the /average/ user
of the list.

I think this is in-line with the removal of the static bogon filters
from the secure templates and would provide better advice to people
reading the document for the first time.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 825 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090508/00bd2901/attachment.sig>


More information about the NANOG mailing list