On Fri, 3 Dec 2004, J. Oquendo wrote:
Considering the talk of banning going on, I was reluctant to post this; anyhow, I wondered how many (if any) have ever thought about the aspect of vendors deciding to implement some form of default bogon filtering on their products. With all of the talk about DoS botnets, and issues surrounding allocated address ranges (for whatever the purpose), I'm curious to know why a vendor like Juniper, or Cisco, or whomever doesn't implement a mechanism to automatically do the filtering. Wouldn't this minimize a vast amount of issues surrounding DoS attacks?
From an admin/user perspective, I would not mind having my equipment implement this as long as it was manageable to add/remove addresses on the fly. Perhaps a command line syntax:
ip bogon add add.res.s/8
or
ip bogon remove add.res.s/8
Do you mean like using uRPF and null routes of the bogon/unallocated networks to drop traffic on input? 'Cause that's already there...
I thought about it over and over, and wonder why this hasn't been done. Any care to beat me with a clue stick or two? I can understand the
It has been done... see any of the several past NANOG presentations on security that Barry Greene, Tim Battles, Wayne Gustavus have given (and Joe S from Juniper... I'd butcher his spelling, sorry Joe!). I think the arguments have gone against 'default blocking' because 'default for the internet' is not 'default for enterprise Z'. -Chris
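As an added illustration of the mechanism Chris points to (null routes for bogon prefixes combined with strict uRPF, so spoofed traffic is dropped on input), here is a small Python model; it is not code from the thread or from any vendor, and the interface names, prefixes and the bogon_add/bogon_remove names echoing the proposed CLI syntax are constructed for the example.

```python
import ipaddress

# Added example, not from the thread: a toy model of how null routes for
# bogon prefixes plus strict uRPF drop spoofed traffic at the input interface.
# Interface names and prefixes are constructed for illustration only.
class Router:
    def __init__(self):
        self.routes = []  # list of (network, interface); "Null0" discards

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def bogon_add(self, prefix):
        """The proposed 'ip bogon add' is just a null route for the prefix."""
        self.add_route(prefix, "Null0")

    def bogon_remove(self, prefix):
        """'ip bogon remove': withdraw the null route so the prefix is routable again."""
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r != (net, "Null0")]

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        ip = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

    def forward(self, src, dst, ingress):
        # Strict uRPF: the best route back to src must point out the ingress
        # interface, so a null route (or no route) for src drops it on input.
        if self.lookup(src) != ingress:
            return "drop:urpf"
        out = self.lookup(dst)
        if out is None or out == "Null0":
            return "drop:dst-null-or-unrouted"
        return "forward:" + out

def build_demo_router():
    r = Router()
    r.add_route("203.0.113.0/24", "Gi0/0")   # upstream side (constructed)
    r.add_route("198.51.100.0/24", "Gi0/1")  # customer side (constructed)
    for bogon in ("10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/8"):
        r.bogon_add(bogon)                   # illustrative bogon entries
    return r

if __name__ == "__main__":
    r = build_demo_router()
    print(r.forward("10.1.2.3", "198.51.100.9", "Gi0/0"))     # drop:urpf
    print(r.forward("203.0.113.5", "198.51.100.9", "Gi0/0"))  # forward:Gi0/1
```

Removing a bogon entry only withdraws the null route; the prefix still needs a real route before strict uRPF will accept sources from it.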