This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Previous message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Next message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Rob Thomas
robt at cymru.com
Wed Feb 25 21:00:18 CET 2004
Hi, team. ] Andre is right, the best solution is definitely not to filter bogons. Best solution for what problem, exactly? :) Bogon filtering does help, though it can be accomplished in a variety of ways (e.g. bogon route-servers, ACLs, uRPF with prefix filtering). Take a peek at my study entitled "60 Days of Basic Naughtiness" for some data points on bogon address usage. <http://www.cymru.com/Presentations/60Days.zip> <http://www.cymru.com/Presentations/60Days.ppt> Others see more or less of this depending on what they host or transit. One thing we have seen in our darknet monitoring is a decrease in the use of bogon source addresses. Why? Because they are less effective (thankfully). Ah, but read on! Does this *solve* the problems of DDoS, hacking, scanning? No, of course not. The miscreants have multiple methods in their toolkits, with spoofing being only one. In fact spoofing applies to allocated and routed space as much as it applies to unallocated (aka bogon) space. What we are attempting to do is to reduce the effectiveness of one particular set of badness. Defense in depth works, and every little bit helps. Just as many folks do not rely on a single provider for Internet access, we shouldn't rely on a single method to mitigate or block malevolent flows. I love the idea of the RIRs and IANA providing the service! We at Team Cymru are happy to help them in any way towards that goal. Once those mechanisms are in place and tested, we're happy to turn down our service in deference to their authoritative service. That is a ways off, I suspect, so don't take that as a formal statement or plan. :) Thanks, Rob. -- Rob Thomas http://www.cymru.com ASSERT(coffee != empty);
- Previous message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
- Next message (by thread): [address-policy-wg] New Draft Document: De-boganising New AddressBlocks
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]