On Apr 8, 2010, at 8:35 PM, Brielle Bruns wrote:
More harm than good is a matter of opinion. Denying all of mainland China reduces the amount of attacks on my network. If you consider that masking security problems rather than fixing them, then *shrugs*. It's just one of many layers. It also allows me to make and enforce the statement that I will not tolerate the bullshit China pulls.
FWIW, I get it - folks are surely going to implement local security policies that are first aligned with corporate [and national] security objectives. My concern is that if people think bogon filters break stuff, just wait until a couple thousand networks start selectively filtering countries based on some notion of geoIP mappings (e.g., CN today, KP and IR tomorrow, etc.), when in many cases prefixes span lots of national boundaries (as do many ASNs) - the Internet will continue to fragment and brokenness will result.

As an example of how such network filtering policies might well become an operational problem, consider a client using Online Certificate Status Protocol (OCSP) with X.509 digital certificates before setting up a secure connection to a web server somewhere in Asia (the server itself may well NOT be inside of China). The client, wanting to inquire as to the state (revocation status) of a particular certificate generated by that CNNIC CA embedded in their Firefox client, reaches out to an OCSP server that's authoritative for the cert - in this case CNNIC. Unfortunately, CNNIC, which primarily resides within 218.241.0.0/16, isn't reachable because of this entry in your ACL:

access-list 199 deny ip 218.240.0.0 0.7.255.255 any

Now, whether you or any of the users on your network choose to leave that CNNIC CA (or others) enabled in your client is a separate issue, but default drop policies such as you're recommending can certainly result in some collateral damage that can be very tedious to debug, and possibly even broaden attack surfaces themselves.

I'm not particularly a fan of bogon filters for reasons outlined here and elsewhere many times before - and bogon addresses theoretically don't have live clients and servers folks might be legitimately transacting with.

-danny
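As an added illustration of the collateral-damage point above (this is example code written for this page, not part of danny's message or of anyone's tooling in the thread), the following Python script parses Cisco-style numbered ACL entries such as the one quoted, converts each address/wildcard pair into a prefix, and reports, under first-match evaluation, which dependency prefixes the ACL would drop. The ACL text and the dependency table are constructed sample data; the CNNIC range 218.241.0.0/16 comes from the message, the second prefix is made up. The thing it makes visible is that the wildcard 0.7.255.255 widens the entry to 218.240.0.0/13, which swallows the /16 the OCSP responder sits in.

```python
import ipaddress
import re

# Matches "access-list <n> <permit|deny> <proto> <src> <dst>" where <src>/<dst>
# is "any", "host A.B.C.D", or "A.B.C.D W.X.Y.Z" (address + wildcard mask).
ACL_RE = re.compile(
    r"^\s*access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    Wildcard bits set to 1 are "don't care", so the subnet mask is the bitwise
    complement of the wildcard. Only contiguous wildcards map to a prefix.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    if "01" in f"{mask:032b}":  # a 0 followed by a 1 means non-contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    netmask = str(ipaddress.IPv4Address(mask))
    # strict=False silently clears host bits, as IOS does when it stores the entry
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_match(field: str) -> ipaddress.IPv4Network:
    field = field.strip()
    if field == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if field.startswith("host "):
        return ipaddress.IPv4Network(field.split()[1] + "/32")
    addr, wc = field.split()
    return wildcard_to_network(addr, wc)


def parse_acl(text: str) -> list:
    """Parse ACL lines in order; '!' lines are IOS comments and are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        entries.append({"action": m["action"], "src": parse_match(m["src"]),
                        "dst": parse_match(m["dst"]), "line": line.strip()})
    return entries


def first_match(entries: list, prefix: ipaddress.IPv4Network):
    """IOS ACLs are first-match: return the first entry whose source overlaps.

    Overlap (not containment) is used on purpose: an entry that covers even
    part of the dependency prefix already drops some of its addresses.
    """
    for e in entries:
        if e["src"].overlaps(prefix):
            return e
    return None  # every numbered ACL ends with an implicit deny


def audit(acl_text: str, dependencies: dict) -> dict:
    """dependencies maps a label to a prefix the site must reach (OCSP, CRL, ...)."""
    entries = parse_acl(acl_text)
    report = {}
    for name, pfx in dependencies.items():
        e = first_match(entries, ipaddress.IPv4Network(pfx))
        if e is None:
            report[name] = "implicit deny"
        elif e["action"] == "deny":
            report[name] = f"denied by: {e['line']}"
        else:
            report[name] = "permitted"
    return report


# Constructed sample ACL, modelled on the single entry quoted in the thread.
SAMPLE_ACL = """\
! country block as quoted in the thread, followed by a permit-all
access-list 199 deny ip 218.240.0.0 0.7.255.255 any
access-list 199 permit ip any any
"""

# Constructed dependency table: the CNNIC range is from the message,
# the 192.0.2.0/24 entry is documentation space standing in for any other responder.
SAMPLE_DEPS = {
    "cnnic_ocsp": "218.241.0.0/16",
    "unrelated_responder": "192.0.2.0/24",
}

if __name__ == "__main__":
    print("entry covers", wildcard_to_network("218.240.0.0", "0.7.255.255"))
    for name, verdict in audit(SAMPLE_ACL, SAMPLE_DEPS).items():
        print(f"{name}: {verdict}")
```

Running it lists the /13 the quoted entry actually covers and flags the CNNIC prefix as denied while the unrelated prefix is permitted; feeding it a real ACL plus the resolved addresses of the OCSP and CRL endpoints for every CA your clients trust is the cheap check to run before a geo-block goes in.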