This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Previous message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Next message (by thread): [ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Rob Thomas
robt at cymru.com
Wed Feb 25 21:44:21 CET 2004
Hi, Andre. There are presently 95 bogon prefixes advertised by the bogon route-servers. That is plenty of space from which to generate spoofed source addresses. The reality is that the miscreants are seeing a lower return on the investment when spoofing from bogon prefixes. Thus they are more inclined to use routed space as the source of spoofed addresses. You can see this in much of the more popular spoofed packet generating malware. A lot of this malware specifically checks to ensure that the source addresses are not bogons, or ensures that the source addresses are in the same /16 as where the infected host resides. If the malware spoofs within its own /16, or has blocks to ensure that bogon prefixes are not used in the spoofing, suddenly "perfection" isn't so perfect. These addresses most certainly will be in the routing tables of most routers. This is why we never state that bogon filtering is the perfect answer to the problem of spoofing. ] There is absolutely no service for the RIRs or IANA to provide. You ] have got all tools you need already. If the source address is not ] routed, then don't route it. Very easy, very fast, very stable, no ] maintainance overhead, nothing that can go wrong. Just perfect. Ah, but that isn't perfect if the source address is routed when it shouldn't be. :) What if a bogon gets into the FIB of a router? One must filter to ensure that the routing table only includes legitimate prefixes. This is why I mentioned uRPF with prefix filtering in my previous note, and also why I suggested that there is more than one way to solve the problem. :) Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
- Previous message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Next message (by thread): [ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]