Best practices inquiry: filtering 128/1

Sometimes earlier this year someone announced this 128/1 and caused heavy loading to our routers to rebuild the CEF. Would anyone filter out this route (and other similar routes such as 0/1, 128/1, 0/2, 64/2, .... up to /4, for example) as bogus routes? Thanks. --yf

On Jul 10, 2006, at 9:48 PM, WONG, Yuen-Fung wrote:
Sometimes earlier this year someone announced this 128/1 and caused heavy loading to our routers to rebuild the CEF. Would anyone filter out this route (and other similar routes such as 0/1, 128/1, 0/2, 64/2, .... up to /4, for example) as bogus routes?
Would anyone not filter those routes? Why wouldn't you filter to /7? Actually, I take that back. Why wouldn't you just get a feed from Cymru <http://www.cymru.com/Bogons/index.html> ?? -- TTFN, patrick

Actually, I take that back. Why wouldn't you just get a feed from Cymru <http://www.cymru.com/Bogons/index.html> ??
Because you fear that their routers that distribute the feed could become own3d and used to cause a massive DoS by filtering out some networks? You asked. And I use their route feed. :-) I figure it a problem occurs, 1)I won't be the only one that has that problem 2)I'll hear about it on NANOG. I figure the minute risk is worth the convenience....the chances of their routers getting 0wn3d are probably about the same as my routers getting 0wn3d. The chances of it happening aren't zero, but probably pretty small. Enough so that it sure beats editing the BOGON list manually! -Jerry

On Jul 10, 2006, at 10:56 PM, Jerry Pasker wrote:
Actually, I take that back. Why wouldn't you just get a feed from Cymru <http://www.cymru.com/Bogons/index.html> ??
Because you fear that their routers that distribute the feed could become own3d and used to cause a massive DoS by filtering out some networks?
Then use the static list, just be sure to update it frequently.
You asked. And I use their route feed. :-)
I figure it a problem occurs, 1)I won't be the only one that has that problem 2)I'll hear about it on NANOG.
I figure the minute risk is worth the convenience....the chances of their routers getting 0wn3d are probably about the same as my routers getting 0wn3d. The chances of it happening aren't zero, but probably pretty small. Enough so that it sure beats editing the BOGON list manually!
I'd guess the Cymru team is less likely to be hax0r'ed. But that's just 'cause I'm afraid of them. (Especially if Rob's had coffee recently. Which means I'm always afraid of them. :) -- TTFN, patrick

I'd guess the Cymru team is less likely to be hax0r'ed. But that's just 'cause I'm afraid of them. (Especially if Rob's had coffee recently. Which means I'm always afraid of them. :)
Muahaha! :) -- Rob Thomas Team Cymru http://www.cymru.com/ ASSERT(coffee != empty);

On Mon, 10 Jul 2006 21:56:27 -0500 Jerry Pasker <jerry@jerry.org> wrote:
Because you fear that their routers that distribute the feed could become own3d and used to cause a massive DoS by filtering out some networks?
Someone in the NANOG community, I forget who now, had the sensible suggestion that you create a filter list based on the bogon list at the time you setup your feed. You use that to limit what you will accept from Cymru. Since bogon blocks will only get allocated, the worst that could happen is the breaking of a recently allocated bogon network. Even if you don't update your filter list for the next 5 years the damage is likely to be minimal. John

* Patrick W. Gilmore:
Actually, I take that back. Why wouldn't you just get a feed from Cymru <http://www.cymru.com/Bogons/index.html> ??
I don't think Team Cymru offers a "feed" of what is supposed to be in the routing table. 128/1 isn't a bogon. It's not even that useful for hijacking adress space. The correct approach would be to verify prefixes using somewhat indepedent. more static data, such as RPSL data from RIRs. The old blacklist vs. whitelist discussoin. (I know that creating a useful whitelist is a huge tsak.)

On 11-Jul-2006, at 02:06, Florian Weimer wrote:
* Patrick W. Gilmore:
Actually, I take that back. Why wouldn't you just get a feed from Cymru <http://www.cymru.com/Bogons/index.html> ??
I don't think Team Cymru offers a "feed" of what is supposed to be in the routing table.
No, but they offer a feed of what is not supposed to be there. http://www.cymru.com/BGP/bogon-rs.html
The correct approach would be to verify prefixes using somewhat indepedent. more static data, such as RPSL data from RIRs.
That might be more correct in theory, but in practice it depends on RPSL data stored by RIRs being accurate. Although this is a reasonable dependency in some corners of the network, it's entirely impractical (on its own) if you're seeking to filter a full table. As one of many contributing hints to whether a particular filter is worth accepting, it might be useful though (along the lines that SpamAssassin doesn't necessarily reply on any one reason to brand a message as spam, but builds a score based on all kinds of tests). There was a relevant presentation in LA: http://www.nanog.org/mtg-0510/deleskie.html Joe

On Tue, 11 Jul 2006, WONG, Yuen-Fung wrote:
Sometimes earlier this year someone announced this 128/1 and caused heavy loading to our routers to rebuild the CEF. Would anyone filter out this route (and other similar routes such as 0/1, 128/1, 0/2, 64/2, .... up to /4, for example) as bogus routes?
Do you not prefix-list customers? That'd have solved this, eh?
participants (8)
-
Christopher L. Morrow
-
Florian Weimer
-
Jerry Pasker
-
Joe Abley
-
John Kristoff
-
Patrick W. Gilmore
-
Rob Thomas
-
WONG, Yuen-Fung