BGP hijack from 23724 -> 4134 China?
Danny McPherson
danny at tcb.net
Fri Apr 9 04:05:23 UTC 2010
On Apr 8, 2010, at 8:35 PM, Brielle Bruns wrote:
>
> More harm than good is a matter of opinion. Denying all of mainland China reduces the amount of attacks on my network. If you consider that masking security problems rather than fixing them, then *shrugs*. It's just one of many layers. It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.
FWIW, I get it - folks are surely going to implement local security
policies that are first aligned with corporate [and national] security
objectives.
My concern is that if people think bogon filters break stuff, just wait
until a couple thousand networks start selectively filtering countries
based on some notion of geoIP mappings (e.g., CN today, KP and IR
tomorrow, etc.), when in many cases prefixes span lots of national
boundaries (as do many ASNs) - the Internet will continue to fragment
and brokenness will result.
As an example of how such network filtering policies might well become
an operational problem consider a client using Online Certificate Status
Protocol (OCSP) with X.509 digital certificates before setting up a secure
connection to a web server somewhere in Asia (the server itself may well
NOT be inside of China). The client, wanting to inquire as to the state
(revocation status) of a particular certificate generated by that CNNIC
CA embedded in their Firefox client, reaches out to an OCSP server that's
authoritative for the cert - in this case CNNIC. Unfortunately, CNNIC,
which primarily resides within 218.241.0.0/16, isn't reachable because
of this entry in your ACL:
access-list 199 deny ip 218.240.0.0 0.7.255.255 any
Now, whether you or any of the users on your network choose to leave that
CNNIC CA (or others) enabled in your client is a separate issue, but
default drop policies such as you're recommending can certainly result
in some collateral damage that can be very tedious to debug, and possibly
even broaden attack surfaces themselves.
I'm not particularly a fan of bogon filters for reasons outlined here
and elsewhere many times before - and bogon addresses theoretically
don't have live clients and servers folks might legitimately be
transacting with.
-danny
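An added example, not code from Danny's post or from anyone else in the thread: a small Python script that parses IOS-style numbered extended ACL lines like the one quoted above, converts the address/wildcard-mask pair into a CIDR prefix, and walks the ACL top-down (first match wins, implicit deny at the end) to see which responder addresses an inbound deny entry would drop. The deny line is the one from the post; the `permit ip any any` line, the responder addresses and the client address are constructed for the illustration (documentation ranges and a made-up address inside the blocked /13) and are not real CNNIC or OCSP hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True if the IOS wildcard is the inverse of a netmask, i.e. has a CIDR form."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    # A contiguous mask looks like 1...10...0; OR-ing it with mask-1 fills every bit.
    return mask == 0 or (mask | (mask - 1)) == ALL_ONES


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard pair -> network. Wildcard 1-bits mean 'don't care', so
    0.7.255.255 ignores the low 19 bits and is a /13. Non-contiguous wildcards are
    legal in IOS but have no single CIDR equivalent; reject rather than widen."""
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR form")
    mask = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, bin(mask).count("1")))


@dataclass
class AclEntry:
    number: str
    action: str  # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_endpoint(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one SRC/DST spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip SRC DST' lines; other forms raise."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # '!' starts an IOS comment
        if not line:
            continue
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line}")
        src, rest = _parse_endpoint(t[4:])
        dst, _ = _parse_endpoint(rest)
        entries.append(AclEntry(t[1], t[2], src, dst))
    return entries


def lookup(acl: List[AclEntry], src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """Top-down, first match wins. None means the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry
    return None


def blocked_responders(acl: List[AclEntry], responders: List[str], client_ip: str) -> List[str]:
    """Responders whose reply packets (responder -> client) an inbound ACL would drop."""
    dropped = []
    for r in responders:
        hit = lookup(acl, r, client_ip)
        if hit is None or hit.action == "deny":
            dropped.append(r)
    return dropped


def entry_swallowing(acl: List[AclEntry], prefix: str) -> Optional[AclEntry]:
    """First entry whose source network contains all of `prefix` (any destination)."""
    p = ipaddress.IPv4Network(prefix)
    for entry in acl:
        if p.subnet_of(entry.src):
            return entry
    return None


# The deny line quoted in the post, plus a constructed permit-all so the
# implicit deny does not hide what the single geo entry alone does.
GEO_ACL = """
access-list 199 deny ip 218.240.0.0 0.7.255.255 any
access-list 199 permit ip any any
"""

# Constructed sample addresses, not real OCSP responders: one inside
# 218.241.0.0/16, one elsewhere in the same /13, one in TEST-NET-3.
SAMPLE_RESPONDERS = ["218.241.0.10", "218.246.9.9", "203.0.113.80"]
CLIENT_IP = "192.0.2.25"  # constructed, TEST-NET-1

if __name__ == "__main__":
    acl = parse_acl(GEO_ACL)
    net = acl[0].src
    print(f"wildcard entry covers {net} ({net.num_addresses} addresses)")
    print("218.241.0.0/16 swallowed by:", entry_swallowing(acl, "218.241.0.0/16"))
    for r in blocked_responders(acl, SAMPLE_RESPONDERS, CLIENT_IP):
        print(f"OCSP reply from {r} to {CLIENT_IP} would be dropped")
```

Two things the output makes concrete: the wildcard 0.7.255.255 is a /13 (524288 addresses), so the entry drops far more than the 218.241.0.0/16 the post mentions; and because the ACL matches on source address, it is the responder's reply that dies, which a client sees only as an OCSP timeout or soft-fail, not as a clear "blocked by policy" error.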