On Fri, 26 Nov 2004 alex@pilosoft.com wrote:
On Thu, 25 Nov 2004, Jon Lewis wrote:
Its not even just providers. If it were, it'd be relatively easy to just find and call each NOC. You're likely to have bogon issues with few large providers. It's mostly smaller providers and end user networks...some of which are quite large or high profile.
Do what I did and give people a way to test connectivity from both affected and unaffected space and setup a 'hall of shame' page listing the IPs/networks that are behind broken filters. Can someone identify the *benefits* of using bogon lists for unallocated space? It appears that it only hurts connectivity, but does not help in any significant way to enhance security.
It might be a way to proactively keep your part of the network 'cleaner' than the other parts... 'managed' properly and 'updated' regularly (when changes dictate an update is required) it might even be seemless to your userbase. The devil here is, as always, in the details. Once you move beyond some number of devices or acls or 'parts', making changes on a wide scale and keeping things up to date becomes more difficult. Change management and the number of hands in the pot seem to make these things much more challenging.
Possibly, whoever are the vendors of software that recommends this practice (and authors of security handbooks) should be show the error of their ways?
if they did they'd lose part of their punch :( And lose some of their readerbase... and who'd call you to complain? :)