This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ncc-services-wg] Re: [address-policy-wg] New Draft Document: De-boganising New Address Blocks
Jørgen Hovland
jorgen at hovland.cx
Wed Feb 25 22:23:48 CET 2004
Hi

On Wed, 25 Feb 2004, Andre Oppermann wrote:
> Rob Thomas wrote:
> >
> > Hi, team.
> >
> > ] Andre is right, the best solution is definitely not to filter bogons.
> >
> > Best solution for what problem, exactly? :)
>
> That is the biggest question. It seems to be a moving target. The
> first problem mentioned was nasty spammers announcing prefixes from
> IANA reserved netblocks. Now you open a second one with stating that
> address spoofing from bogon ranges is a problem.
>
> > Bogon filtering does help, though it can be accomplished in a variety
> > of ways (e.g. bogon route-servers, ACLs, uRPF with prefix filtering).
>
> Positive bogon filtering is exactly the wrong thing to do. It simply
> doesn't scale. You don't want to get packets with non-routed source
> addresses. This again is very much different from bogons. There are
> many prefixes out of the allocated netblocks which are not routed in
> the global routing system. The only real fix you apply here is to
> check the source address of a packet if it is routeable. If not, just
> drop it. That alone is saving you any traffic from any kind of bogus
> prefix or netblock. And the best of it is it automagically takes care
> of adjusting to new netblocks without any operator invention!
>

There are actually some people here doing exactly that: sending packets with an unroutable source IP, with totally "legit" reasons. It's bad enough that people actually use bogon filters for reserved blocks when, in my opinion, it should be limited to unallocated blocks (for traffic blocking, not routes). You simply don't block anyone's IP range just because it isn't routable. Blocking traffic is a security concern (still in my opinion). The Internet was probably designed for bi-directional communication, but that doesn't mean you should ban one-way communication.

> Summary: Bogon filtering based on the IANA reserved listings is very
> much bogus in itself.
>

The problem with any list is that you have to maintain it. Many people don't do that. The general solution could be to stop using bogon filters at all? I have seen it too, spammers advertising unallocated prefixes. I don't have a routing-based solution to that. Spammers might as well announce an allocated block, already routed or not. That's something to think about!

Joergen Hovland ENK
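
An added example, not part of the original message, that contrasts the two approaches argued over in this thread: a hand-maintained bogon list and a check of the source address against the current routing table. The prefixes, table contents and function names are constructed for illustration, with documentation ranges standing in for real allocations.

```python
import ipaddress

# Constructed data: documentation prefixes stand in for real address blocks.
# 198.51.100.0/24 plays a block that was unallocated when the bogon list was
# written and has since been allocated and announced.
STALE_BOGON_LIST = [ipaddress.ip_network(p) for p in
                    ("10.0.0.0/8", "198.51.100.0/24")]
# Prefixes currently present in the (constructed) routing table. No default
# route is included, since a default would make every source look routed.
ROUTING_TABLE = [ipaddress.ip_network(p) for p in
                 ("192.0.2.0/24", "198.51.100.0/24")]


def covered(src, prefixes):
    """True when any prefix in the list contains the source address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def static_bogon_filter(src):
    """Drop when the source matches the hand-maintained list."""
    return "drop" if covered(src, STALE_BOGON_LIST) else "accept"


def routed_source_check(src):
    """Drop when no route covers the source (loose reverse-path style check)."""
    return "accept" if covered(src, ROUTING_TABLE) else "drop"


def compare(sources):
    """Map each source address to (static list verdict, routed check verdict)."""
    return {s: (static_bogon_filter(s), routed_source_check(s)) for s in sources}


if __name__ == "__main__":
    samples = {
        "192.0.2.5": "allocated and routed",
        "198.51.100.7": "newly allocated and routed, still on the stale list",
        "203.0.113.9": "allocated but never announced (one-way sender)",
        "10.1.2.3": "reserved space",
    }
    for src, (static, routed) in compare(samples).items():
        print(f"{src:14} static={static:6} routed={routed:6} {samples[src]}")
```

The second and third sample rows are the two failure modes raised in the thread: the stale list drops a block that is now legitimately routed, and the routing-based check drops a sender whose prefix is allocated but not announced.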