On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
> Martians plus 1918 space, I'd say, though that requires knowing which are border interfaces.
Whether you include or exclude rfc1918 addresses is another issue. Whack the martians first :-) Unfortunately, enough ISPs use rfc1918 addresses on their backbone links that filtering rfc1918 also breaks traceroute (* * *), and people use rfc1918 internally enough that rfc1918 requires more professional thought about configuring those filters.
From an operational perspective, whacking martians has fewer caveats for amateur network operators or default equipment configuration settings.
> Other than that, I agree 100% -- bogon filters have little security relevance for most sites. Furthermore, as the allocated address space increases, the percentage of actual bogon space decreases and the rate of false positives -- packets that are rejected that shouldn't be -- will increase. Security? Remember that availability is a security issue, too.
Violent agreement.
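Added illustration (not code from either poster in this thread): a small Python model of the three filter classes being discussed, so the distinctions can be exercised on sample addresses. It treats martians as a fixed set of special-purpose IPv4 blocks that are never valid public sources, keeps RFC 1918 as a separately toggled class because of the traceroute caveat raised above, and takes the "bogon" list as a parameter because that list ages. The STALE_BOGONS_2008 list and the traceroute hop addresses are constructed for the example; the one fact relied on is that 1.0.0.0/8 was unallocated in 2008 and was assigned to APNIC in January 2010, so a filter still carrying it afterwards rejects legitimate traffic. The function names (classify, traceroute_view) are this example's own.

```python
"""Border-filter classification example added to illustrate the thread above.

Not the posters' code. The bogon list and traceroute hops are constructed
inputs for the example.
"""
import ipaddress

# Martians: IPv4 sources that are invalid on the public Internet no matter
# what the allocation registries say, so this list does not go stale:
# "this network", loopback, link-local, TEST-NET, multicast, reserved
# (240/4 also covers the limited broadcast address 255.255.255.255).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "192.0.2.0/24",
    "224.0.0.0/4",
    "240.0.0.0/4",
)]

# RFC 1918 is kept out of MARTIANS and toggled separately: backbones that
# number point-to-point links from this space answer traceroute probes
# from it, so dropping it at the border blanks those hops.
RFC1918 = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
)]

# Constructed example of an unallocated-space ("bogon") filter frozen in
# 2008. 1.0.0.0/8 was unallocated then and went to APNIC in January 2010,
# so any box still running this list after that drops live address space.
STALE_BOGONS_2008 = [ipaddress.ip_network("1.0.0.0/8")]


def _in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    return any(addr in n for n in nets)


def classify(src, filter_rfc1918=False, bogons=None):
    """Verdict a border ingress filter gives a packet's source address.

    Returns 'drop:martian', 'drop:rfc1918', 'permit:rfc1918',
    'drop:bogon' or 'permit'. Martians are always dropped; RFC 1918 is
    dropped only when filter_rfc1918 is set; bogons only when a list is
    supplied (and the list's age decides how many false positives you get).
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, MARTIANS):
        return "drop:martian"
    if _in_any(addr, RFC1918):
        return "drop:rfc1918" if filter_rfc1918 else "permit:rfc1918"
    if bogons and _in_any(addr, bogons):
        return "drop:bogon"
    return "permit"


def traceroute_view(hop_sources, filter_rfc1918=False):
    """What a traceroute looks like from behind the filter.

    hop_sources are the source addresses of the ICMP time-exceeded replies
    from each hop. A hop whose reply is dropped by the ingress filter is
    shown as '* * *', which is the traceroute breakage described above.
    """
    shown = []
    for hop in hop_sources:
        verdict = classify(hop, filter_rfc1918=filter_rfc1918)
        shown.append(hop if verdict.startswith("permit") else "* * *")
    return shown


if __name__ == "__main__":
    # Constructed path: a public hop, a backbone link numbered from 10/8,
    # then another public hop (198.51.100.0/24 and 203.0.113.0/24 are
    # documentation ranges used here as stand-ins for public addresses).
    path = ["198.51.100.1", "10.255.0.1", "203.0.113.9"]
    print("martians only:   ", traceroute_view(path))
    print("martians + 1918: ", traceroute_view(path, filter_rfc1918=True))
    print("1.1.1.1 on 2008 list:", classify("1.1.1.1", bogons=STALE_BOGONS_2008))
    print("1.1.1.1 no bogons:   ", classify("1.1.1.1"))
```

Running it shows the two operational points in the thread side by side: with the martian list alone the path is fully visible, while adding the RFC 1918 class turns the backbone hop into `* * *`; and the frozen 2008 bogon list drops 1.1.1.1 that a martian-only filter permits.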