On Fri, 15 Aug 2008, Robert E. Seastrom wrote:
so is there any case to be made for filtering bogons on upstream/peering ingress at all anymore?
Depends on where and how. On highly managed routers at highly managed interconnection points around the Internet, having some basic packet hygiene checks can serve as "fire breaks" to keep the effectiveness of large scale attacks with reserved/unallocated addresses low. Unlike BCP38/uRPF/SAVI, it doesn't need 100% deployment; just enough to make it less attractive as an attack vector compared to other things.

Even within a single provider, you might not deploy it everywhere. Maybe just between different continents or regions, depending on your hardware and operational capabilities.

For highly managed routers, operational management of allocation updates is more limited because you only need to keep track of IANA changes (or use some of Team Cymru's tools) rather than figure out which peer or customer is authorized to use unallocated source addresses.

Again, I think bogon filters are a bad idea for unmanaged or semi-managed routers (or inclusion as a "default" in anything, i.e. Cisco's auto-secure).
(this discussion is orthogonal to bcp38/urpf, which I think we all agree is a good thing and would be great if we could get it further deployed)
I agree.
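The "packet hygiene" check discussed above, as an added example that is not part of the thread or any poster's code: a small Python model of a bogon filter that keeps the static reserved ranges separate from the unallocated list that has to track IANA, and shows what happens when that second list goes stale. The reserved list is today's well-known special-purpose space (not a 2008 list), the "2008 snapshot" of unallocated space and the sample packets are constructed for the example, and the only historical facts it relies on are that 1.0.0.0/8 and 5.0.0.0/8 were unassigned in 2008 and were allocated by IANA in 2010.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Special-purpose IPv4 space that stays bogon regardless of IANA allocations
# (RFC 1122, 1918, 3927, 5737, 6598, 2544, 1112 multicast, class E).
# Constructed for this example; check the IANA special-purpose registry before
# loading something like this onto a production router.
STATIC_RESERVED_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]

# Hypothetical snapshot of unallocated /8s as an operator might have loaded in
# 2008. Both entries were unassigned then and allocated by IANA in 2010
# (1/8 to APNIC, 5/8 to RIPE NCC); the snapshot itself is constructed.
UNALLOCATED_2008_SNAPSHOT = ["1.0.0.0/8", "5.0.0.0/8"]


class BogonFilter:
    """Source-address hygiene check: reserved space plus a refreshable
    unallocated list. Only the unallocated list needs operational upkeep."""

    def __init__(self, unallocated: Iterable[str]):
        self.reserved = [ipaddress.ip_network(n) for n in STATIC_RESERVED_V4]
        self.unallocated: List[ipaddress.IPv4Network] = []
        self.refresh(unallocated)

    def refresh(self, unallocated: Iterable[str]) -> None:
        """Replace the unallocated list; this is the part that tracks IANA."""
        self.unallocated = [ipaddress.ip_network(n) for n in unallocated]

    def classify(self, src: str) -> str:
        """Return the verdict for a packet with source address `src`."""
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in self.reserved):
            return "drop-reserved"
        if any(addr in net for net in self.unallocated):
            return "drop-unallocated"
        return "permit"


def filter_packets(flt: BogonFilter,
                   packets: Iterable[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (src, dst) packets by verdict, the way an ingress ACL would."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for src, dst in packets:
        out.setdefault(flt.classify(src), []).append((src, dst))
    return out


# Constructed sample traffic: a spoofed RFC 1918 source, a multicast source,
# a host in 1.0.0.0/8, and an ordinary allocated source.
SAMPLE_PACKETS = [
    ("10.1.2.3", "192.0.2.10"),
    ("224.0.0.5", "192.0.2.10"),
    ("1.1.1.1", "192.0.2.10"),
    ("8.8.8.8", "192.0.2.10"),
]


def stale_list_collateral(packets: Iterable[Tuple[str, str]]) -> List[str]:
    """Sources dropped only because the 2008 unallocated list was never
    refreshed; an empty list once the operator applies the IANA updates."""
    stale = BogonFilter(UNALLOCATED_2008_SNAPSHOT)
    current = BogonFilter([])   # 1/8 and 5/8 are allocated space today
    return [src for src, _ in packets
            if stale.classify(src) == "drop-unallocated"
            and current.classify(src) == "permit"]


if __name__ == "__main__":
    flt = BogonFilter(UNALLOCATED_2008_SNAPSHOT)
    for verdict, pkts in filter_packets(flt, SAMPLE_PACKETS).items():
        print(verdict, pkts)
    print("dropped only because the list is stale:",
          stale_list_collateral(SAMPLE_PACKETS))
```

The two lists are deliberately separate: the reserved set is safe to hard-code, while anything built from the unallocated set is exactly the "fire break" that silently turns into a black hole for newly allocated space if nobody refreshes it, which is the operational cost the post is weighing against the benefit.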