North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: 69/8...this sucks -- Centralizing filtering..
MS> Date: Mon, 10 Mar 2003 10:27:35 -0500 MS> From: Mark Segal MS> Since most service providers should be thinking about a sink MS> hole network for security auditing (and backscatter), why MS> not have ONE place where you advertise all unreachable, or MS> better yet -- a default (ie everything NOT learned through MS> BGP peers), and just forward the packets to a bit bucket.. MS> Which is better than an access list since, now we are MS> forwarding packets instead of sending them to a CPU to MS> increase router load. Chris Morrow and Brian Gemberling (a.k.a. dies) have some fine instructions on how to do just that. Rob Thomas has a bogon route server that comes in handy. The problem with only a default: Think when a rogue ISP decides to advertise an unused netblock and utilize that IP space for malicious purposes. A route exists... do we trust it? MS> I don't think ARIN can help the situation. ISPs just need to Probably not. Nor should they need to. Although perhaps they could allocate other netblocks, and they _do_ charge a fair amount for PI space... ;-) MS> remove the access lists from each router in the network and MS> centralize them. Now, how can we force that? Sufficient reward for doing so, or pain for failure. Evidently "some people can't reach you" isn't enough pain, and having full reachability isn't enough reward. I'm looking forward to Jon Lewis (or others) providing some stats about just how bad the problem is... being fortunate enough not to have [any clients in] 69/8 space I can't comment first-hand on the severity of the problem. Eddy -- Brotsman & Dreger, Inc. - EverQuick Internet Division Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 (785) 865-5885 Lawrence and [inter]national Phone: +1 (316) 794-8922 Wichita ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Mon, 21 May 2001 11:23:58 +0000 (GMT) From: A Trap <firstname.lastname@example.org> To: email@example.com Subject: Please ignore this portion of my mail signature. These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <firstname.lastname@example.org>, or you are likely to be blocked.