North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Bogon filtering (don't ban me)

  • From: Joe Maimon
  • Date: Sun Dec 05 13:31:56 2004



william(at)elan.net wrote:

On Sun, 5 Dec 2004, Joe Abley wrote:


On 5 Dec 2004, at 06:50, Cliff Albert wrote:


I have one question regarding the CYMRU bogon route-server. What good is
it if more-specific bogons are going around in the BGP table ?

With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to BGP updates received from individual peers which updates a pf radix table with the network received:

PF and bgpd with local filter table is good when you're expecting those
filtered ip routes to change often.
I dont understand this attitude. Automating everything that is safely automatable is the only right way to do things. Its always worth it and it is always good. Everyone has always professed to believe in this.

In this case this is the exact cause of the problem the thread started addressing: Manual updates that dont keep up.

Once upon a time this was the argument of sendmail access database V. dnsbls. Once upon a time you were expected to manually update virus definitions. Once upon a time you were expected to etc.. the list goes on.

Every "weekly" task an admin takes on manually adds up. It may be great job insurance but it starts to suck quick for anyone with half a brain.

Now to throw some whacky ideas out instead of opinions.

I think that a BGP mechanism to tag routes as "ignore all more specifics" would solve this problem nicely. (and perhaps a whole lot others -- such as needless deaggregation)

As far as router vendors such as Cisco autosecure, I do not think there is any way to make default access lists lossless. They should step up to the plate and offer md5 by system serial number keyed multihop BGP bogons in the manner of cymru. Its their responsibility. Also good that it makes them eat even more of their own dogfood which is probably ill suited to this kind of thing.

They should ask team cymru to help them do it and give them a nice fat check while they are at it.

Failing that they could offer radius/tacaccs loading of that access list. Anything else is negligence.

And using BGP for /32 blacklist routes probably has very limited scalability. Any one have any relevant numbers?

Everybody who posts lists of static access lists should seriously consider stopping. If not that, offer an email subscription to announce updates.

(think I beat the S:N? --even if my S is nonsense?)

Joe