RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)

• Previous message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Next message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear team,

I’ve already reached out to Lukas directly, but I’ll kibitz a bit:

> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls,
> 
> Which are perfectly valid use cases for some networks / situations.

Indeed!  There was a time early in the life of the bogon lists where folks requested host-based and firewall-based filter examples.  This was because these were their AS-border devices, e.g. host-based routers and firewalls, and hardware firewalls.  I don’t remember writing a Cisco ASA example, but that was a long time ago.  :)

Be well,
Rabbi Rob.


> 
> 
> On Tue, Mar 7, 2023 at 6:35 PM Lukas Tribus <lukas at ltri.eu> wrote:
> On Wed, 8 Mar 2023 at 00:05, William Herrin <bill at herrin.us> wrote:
> > Hi Lukas,
> >
> > If you're using the team cymru bogon list at your customer border,
> > you're doing it wrong.
> 
> I'm not.
> 
> I'm trying to educate people that bogon lists do not belong on hosts,
> firewalls or intermediate routers, despite Team-cymru's aggressive
> marketing of the opposite, quote:
> 
> > THE BOGON REFERENCE
> >
> > *A bogon prefix should never appear in the Internet routing table*.
> > Team Cymru’s Bogon Reference provides several resources for
> > the filtering of bogon prefixes from your routers *and hosts*.
> 
> 
> > A bogon prefix is a route that should never appear in the Internet
> > routing table. A packet routed over the public Internet (not including
> > over VPNs or other tunnels) *should never have an address in a
> > bogon range.* These are commonly found as the source addresses
> > of DDoS attacks.
> 
> They either have to make it clear what their bogon list can actually
> be used for or they need to drop RFC6598 from the list.
> 
> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls, at the same time they include
> RFC6598 in the list and it's marketing material suggests it can be
> used for everything.
> 
> 
> You can't have it both ways. Either you provide a list of prefixes to
> be dropped on autonomous system borders *and make that clear* or you
> provide a list of prefixes that can be dropped in all systems.
> 
> 
> 
> Lukas

—
Rabbi Rob Thomas                                                  Team Cymru
 "It is easy to believe in freedom of speech for those with whom we
  agree.”  - Leo McKern

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20230307/a6ba7acc/attachment.sig>

• Previous message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Next message (by thread): RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]