Niels Bakker <niels=nanog@bakker.net> writes:
> * rs@seastrom.com (Robert E. Seastrom) [Thu 09 Nov 2006, 16:02 CET]: [..]
>> Steve's 100% spot-on here. I don't have bogon filters at all and it hasn't hurt me in the least. I think the notion that this is somehow a good practice needs to be quashed.
>
> Yeah! This "Principle of minimal privilege" is totally not applicable to real, live networks...
I'm not sure what principle of minimal privilege has to do with filtering addresses that are known unissued. Seems to me that the principle of minimal privilege would allow connections only from addresses from which you are specifically expecting them, not from "the internet at large minus a few blocks that aren't issued".

Particularly in the case of spam abatement, where the vast majority of spam comes from compromised Windows hosts (which are probably *not* residing on unissued space), I can't see the point. We could get into some kind of meta-discussion about DoS attacks and the like, but at that point you probably want your upstream doing the filtering for you before it clogs your links.

Bottom line: my gut feeling is that the threat that unissued "bogon" space poses pales in comparison to the Bad Neighborhood that is the Internet. I would welcome a pointer to some kind of actual research that shows this to be incorrect.

Of course, bogon filtering is a fine security blanket for those whose scope of knowledge is not sufficient to perform a meaningful threat/risk assessment. As for me, I prefer to rivet horseshoes (open end up, to catch the good luck falling from above) to the cable tray above my racks. Oh yeah, religiously adhering to BCP-38 as well, that brings luck too.

---Rob
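The thread above contrasts two source-address checks without spelling out what each one actually examines. The following is an added example, not code from the thread or from any of its participants: a static "bogon" source filter beside a BCP 38 ingress check, run over a handful of constructed packets. The bogon list, the per-interface prefix assignments and the sample packets are all made up for illustration; the list is deliberately abbreviated and uses RFC 5737 documentation prefixes as stand-ins for ordinary allocated space. The one dated entry, 1.0.0.0/8, was unallocated in 2006 and was assigned to APNIC in 2010, which is the staleness hazard a static list carries.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Constructed, abbreviated bogon list as an operator might have carried it in
# late 2006. The reserved ranges remain valid; 1.0.0.0/8 models an entry that
# was unallocated then but was assigned by IANA in 2010, so a list frozen in
# 2006 would now drop legitimate traffic. RFC 5737 documentation prefixes
# (192.0.2/24, 198.51.100/24, 203.0.113/24) stand in for ordinary allocated
# space here and are therefore deliberately not listed.
BOGONS_2006 = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "1.0.0.0/8",  # stale entry: allocated since 2010
)]

# Constructed: prefixes assigned to each customer-facing interface.
# Interfaces absent from this map (peers, transit) are not customer edges.
ASSIGNED = {
    "cust-A": [ip_network("203.0.113.0/24")],
    "cust-B": [ip_network("198.51.100.0/25")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address as text


def bogon_filter(pkt: Packet, bogons: Iterable) -> bool:
    """Static bogon check: permit unless the source sits in a listed prefix.
    Looks only at the address, never at where the packet came in."""
    src = ip_address(pkt.src)
    return not any(src in net for net in bogons)


def bcp38_filter(pkt: Packet, assigned: Dict[str, List]) -> bool:
    """BCP 38 / RFC 2827 ingress filtering: on a customer-facing interface,
    permit only sources inside that customer's assigned prefixes. Interfaces
    with no assignment are out of scope for this check and pass unchanged."""
    prefixes = assigned.get(pkt.ingress_if)
    if prefixes is None:
        return True
    src = ip_address(pkt.src)
    return any(src in net for net in prefixes)


def evaluate(packets: Iterable[Packet], bogons, assigned
             ) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run both checks; return {(ingress_if, src): (bogon, bcp38)} verdicts."""
    def verdict(ok: bool) -> str:
        return "permit" if ok else "drop"
    return {
        (p.ingress_if, p.src): (verdict(bogon_filter(p, bogons)),
                                verdict(bcp38_filter(p, assigned)))
        for p in packets
    }


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("cust-A", "203.0.113.5"),   # legitimate source for cust-A
    Packet("cust-A", "198.51.100.7"),  # spoofed: allocated-looking, not cust-A's
    Packet("cust-A", "10.1.2.3"),      # spoofed from RFC 1918 space
    Packet("peer-X", "1.2.3.4"),       # legitimate today, "bogon" on the 2006 list
    Packet("peer-X", "192.168.1.1"),   # martian arriving from a peer
]

if __name__ == "__main__":
    for (ifname, src), (b, c) in evaluate(SAMPLE_PACKETS, BOGONS_2006,
                                          ASSIGNED).items():
        print(f"{ifname:7} {src:15} bogon={b:6} bcp38={c}")
```

Running it shows the two checks answering different questions: the BCP 38 check drops the allocated-looking spoof from cust-A that the bogon list lets through, while the bogon list drops the peer-sourced 1.2.3.4 that is now legitimate and catches the peer-sourced martian that a customer-edge BCP 38 policy never looks at.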