PWG> Date: Tue, 29 Jan 2008 16:39:14 -0500
PWG> From: Patrick W. Gilmore

PWG> [A]re you sure you want your dynamic filters 30 or 60 minutes out
PWG> of date?

EBD> As opposed to infinitely out-of-date (i.e., no filters)?

PWG> Frequently, yes.  FPs can be more dangerous than FNs.

We're dealing with more than one issue, here:

* How to disseminate information (DNSBLs, AXFR, BGP, etc.)
* How to act on it.

I'm curious what filtering method you use that never passes a packet
from a "bad" host, yet never has an outdated ACL entry that blocks a
recently-cleaned host.

If you present your arguments to state "don't run ACLs", fine.  Your
case is a wholly valid one for not filtering.  If you contend that your
position supports static ACLs versus dynamic -- forget it.  Static
filters are even more prone to bitrot.  (69/8, anyone?)  Why?  Because
static \(.*\) requires more effort than dynamic \1.

Despite dynamic routing's non-instantaneous convergence, I doubt anyone
here uses much static routing.  Do packets ever get misdirected due to
dynamic routing protocol failure?  You bet.  Do we pooh-pooh dynamic
routing?  Maybe, but we still decide it's the best overall approach.

Once one has the information, the question is how to act on it.

Proposition: Make the "Evil Bit" for real.  (Hear me out...)

How do people deal with spam?  Some block it outright.  Others tag,
allowing users to decide based on a numeric score.  Sometimes based on
ACL (DNSBL being just one way of communicating an ACL), sometimes based
on inspection.

Maybe one firewall drops blacklisted traffic.  Another might set the
"Evil Bit".  Perhaps inserting a new IP option would be useful.  Or map
"badness" to something like, oh... say... 802.1p priority.

PWG> Depends on your network, clients, etc.

Exactly.  Some people use default-only routing.  Others use static.
People here run dynamic.  All have their places.

Anyone using dynamic _anything_ accepts, explicitly or implicitly, that
the information may be outdated or wrong.  This does not mean dynamic is
invalid across the board.

Ehhhh.... did I just chase a red herring?  I thought we were discussing
RIB/FIB methods, not whether or not anyone would want to run dynamic
firewall rules.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
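The staleness argument above (a dynamic ACL that is 30 or 60 minutes out of date produces a window of false positives against a recently-cleaned host and false negatives against a freshly-listed one, while a tag-and-score action lets a downstream policy decide instead of dropping outright) can be made concrete with a small simulation. The following Python is an added example, not code from the thread or from any of the participants; the feed entries, hosts, timings and the 802.1p mapping are all constructed and hypothetical.

```python
"""Simulate a box that refreshes a reputation feed on a fixed interval and
measure how many minutes each host spends under a wrong decision.
All feed data below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Listing:
    """One entry in a hypothetical reputation feed (times are minutes)."""
    host: str
    listed_at: int
    delisted_at: Optional[int] = None  # None means still listed


# Constructed feed: 10.0.0.5 is listed at t=0 and cleaned at t=65;
# 10.0.0.9 is listed at t=70 and stays listed.
FEED: List[Listing] = [
    Listing("10.0.0.5", 0, 65),
    Listing("10.0.0.9", 70, None),
]


def authoritative(feed: List[Listing], t: int) -> Set[str]:
    """Hosts the feed operator considers bad at time t (the ground truth)."""
    return {
        entry.host for entry in feed
        if entry.listed_at <= t and (entry.delisted_at is None or entry.delisted_at > t)
    }


class DynamicFilter:
    """A consumer that re-pulls the feed every `refresh` minutes (AXFR, DNSBL
    zone copy, BGP feed, whatever) and filters on its last copy in between."""

    def __init__(self, feed: List[Listing], refresh: int) -> None:
        self.feed = feed
        self.refresh = refresh
        self._snapshot_time: Optional[int] = None
        self._snapshot: Set[str] = set()

    def view(self, t: int) -> Set[str]:
        """The ACL as this box sees it at time t: the feed as of the last refresh."""
        last_refresh = (t // self.refresh) * self.refresh
        if last_refresh != self._snapshot_time:
            self._snapshot = authoritative(self.feed, last_refresh)
            self._snapshot_time = last_refresh
        return self._snapshot


def classify(filt: DynamicFilter, host: str, t: int) -> str:
    """Compare the filter's decision with the feed's current truth.
    'FP' = blocks a now-clean host, 'FN' = passes a currently-listed host."""
    blocked = host in filt.view(t)
    bad_now = host in authoritative(filt.feed, t)
    if blocked and bad_now:
        return "TP"
    if not blocked and not bad_now:
        return "TN"
    return "FP" if blocked else "FN"


def stale_minutes(feed: List[Listing], refresh: int, horizon: int) -> Dict[str, Dict[str, int]]:
    """Minutes in [0, horizon) during which each host gets a wrong decision."""
    filt = DynamicFilter(feed, refresh)
    hosts = {entry.host for entry in feed}
    out = {h: {"FP": 0, "FN": 0} for h in hosts}
    for t in range(horizon):
        for h in hosts:
            verdict = classify(filt, h, t)
            if verdict in ("FP", "FN"):
                out[h][verdict] += 1
    return out


def badness_to_dot1p(score: float) -> int:
    """Hypothetical 'Evil Bit' style action: instead of dropping, map a 0.0-1.0
    badness score onto an 802.1p priority (7 = best effort+, 0 = worst) so a
    downstream policy, not the feed's freshness, decides what happens."""
    score = max(0.0, min(1.0, score))
    return max(0, min(7, round(7 * (1.0 - score))))


if __name__ == "__main__":
    for refresh in (30, 60):
        print(f"refresh every {refresh} min:", stale_minutes(FEED, refresh, 200))
    print("badness 0.25 ->", badness_to_dot1p(0.25))
```

Doubling the refresh interval roughly doubles the stale window in both directions in this constructed run: the cleaned host stays blocked longer (FP) and the newly-listed host is passed longer (FN). The priority mapping is the tag-rather-than-drop alternative from the post, with the concrete 7-to-0 scale being an assumption of this example.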