Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
...and it's not like ARIN, etc., does not announce to the Internet community when it allocates from address space which may have previously been listed in various operational places as "bogon" or "unallocated" -- they do.

I recall seeing similar announcements on the list from time to time, suggesting due diligence on ARIN's behalf to notifying people to modify their filtering. *plonk*

Scanning the archives, an example:

http://www.merit.edu/mail.archives/nanog/2004-01/msg00374.html

- ferg

-- Jared Mauch <jared@puck.nether.net> wrote:

This hurts Cisco's reputation that they are causing pockets of the internet to not work. Next subnets to get allocated will increase the size of those pockets and so on. Then the internet will become less reliable as an end-to-end transport medium, hurting *everyone*.

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
Is there an RFC or other standards document that clearly states that static bogon filter lists are a bad idea? While this seems like common sense, there was just an RFC published on why IP addresses for specific purposes (like NTP) shouldn't be encoded into hardware. Using a dynamic feed needs to be codified so that it finds its way into training classes, documentation, etc. Otherwise, this problem will recur indefinitely.

- Dan

On 1/20/05 10:18 AM, "Fergie (Paul Ferguson)" <fergdawg@netzero.net> wrote:
...and it's not like ARIN, etc., does not announce to the Internet community when it allocates from address space which may have previously been listed in various operational places as "bogon" or "unallocated" -- they do.
I recall seeing similar announcements on the list from time to time, suggesting due diligence on ARIN's behalf to notifying people to modify their filtering. *plonk*
Scanning the archives, an example:
http://www.merit.edu/mail.archives/nanog/2004-01/msg00374.html
- ferg
-- Jared Mauch <jared@puck.nether.net> wrote:
This hurts Cisco's reputation that they are causing pockets of the internet to not work. Next subnets to get allocated will increase the size of those pockets and so on. Then the internet will become less reliable as an end-to-end transport medium, hurting *everyone*.

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
11:02am Daniel Golding said:
Is there an RFC or other standards document that clearly states that static bogon filter lists are a bad idea? While this seems like common sense, there
Since this keeps coming up, I'll toss my quick and dirty reminder cronjob into the discussion. I cannot imagine any other way of managing the static bogons published on the Team Cymru web site. (For those of us who don't need to run their many other dynamic options.) Copying a static config wholesale is a classic case of myopic thinking.

$ cat /etc/cron.monthly/ckbogons.sh
#!/bin/bash
bnagg=http://www.cymru.com/Documents/bogon-bn-agg.txt

# make a new bogon list from the web
newbog=`mktemp` || exit 1
wget -qO- $bnagg |awk '{print "any net " $1 "\treject"}' >$newbog

# get current list from our static-route config
oldbog=`sed -ne '/^any.*reject$/,/^$/p' /etc/sysconfig/static-routes`

# compare
#echo "$oldbog" |cdiff - $newbog
echo "$oldbog" |diff -uw - $newbog

rm -f $newbog

Obviously it's for a Linux edge using Red Hat style initscripts. But the basic gist is sound; alert the admin whenever we are out of sync. And an expect script could easily be whipped up for monitoring IOS/whatever other static bogons one has installed.

Admins who choose the *static* bogon list should use this technique of self-control.

../C
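An added example, not Curtis's cronjob and not anything Team Cymru ships: an offline variant of the same "are my static bogons out of sync?" check. It takes the feed and the static-route config as files rather than fetching anything, and it compares the two as sets of prefixes instead of text-diffing them, so it can say which direction the drift goes. Stale entries (rejected locally but no longer in the feed) are the dangerous direction, since that is exactly how freshly allocated space like 72.14.128.0/19 ends up black-holed. The config format (Red Hat style `any net <prefix><TAB>reject` lines), the file names and the feed contents below are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Curtis Doty's script and not a Team Cymru tool: an
# offline variant of the static-bogon sync check. Feed and config are read
# from files, and the sample data at the bottom is constructed here (it is
# NOT the real bogon-bn-agg.txt contents).
# Assumed config format (Red Hat style static-routes):
#   any net <prefix><TAB>reject
export LC_ALL=C   # make sort(1) and comm(1) agree on collation order

# extract_feed FEEDFILE: one prefix per line, '#' comments and blanks dropped
extract_feed() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }' | sort -u
}

# extract_config CONFIGFILE: prefixes currently installed as reject routes
extract_config() {
    awk '$1 == "any" && $2 == "net" && $NF == "reject" { print $3 }' "$1" | sort -u
}

# compare_lists FEED CONFIG COMM_FLAGS: run comm(1) over the two sorted lists
compare_lists() {
    f=$(mktemp) || return 1
    c=$(mktemp) || { rm -f "$f"; return 1; }
    extract_feed "$1" >"$f"
    extract_config "$2" >"$c"
    comm "$3" "$f" "$c"
    rm -f "$f" "$c"
}

# stale_bogons FEED CONFIG: rejected locally but no longer in the feed.
# These entries black-hole newly allocated space (the 72.14.128.0/19 case).
stale_bogons() { compare_lists "$1" "$2" -13; }

# missing_bogons FEED CONFIG: in the feed but not rejected locally
missing_bogons() { compare_lists "$1" "$2" -23; }

# check_bogons FEED CONFIG: print a report; exit status 1 when out of sync,
# which is what a cron wrapper or monitoring hook keys off
check_bogons() {
    stale=$(stale_bogons "$1" "$2")
    missing=$(missing_bogons "$1" "$2")
    rc=0
    if [ -n "$stale" ]; then
        printf 'STALE (rejected locally, no longer bogon: remove):\n%s\n' "$stale"
        rc=1
    fi
    if [ -n "$missing" ]; then
        printf 'MISSING (in feed, not rejected locally):\n%s\n' "$missing"
        rc=1
    fi
    return $rc
}

# --- constructed sample data (stand-ins, not real feed or router contents) ---
SAMPLE_DIR=$(mktemp -d) || exit 1
FEED="$SAMPLE_DIR/bogon-bn-agg.txt"
CONF="$SAMPLE_DIR/static-routes"

cat >"$FEED" <<'EOF'
# constructed stand-in for bogon-bn-agg.txt
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
EOF

# The config still carries 72.14.128.0/19 from an older copy of the list, and
# also holds an ordinary unicast route that must not be mistaken for a bogon.
printf 'any net %s\treject\n' 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 72.14.128.0/19 >"$CONF"
printf '\nany net 192.168.50.0/24 gw 10.1.1.1\n' >>"$CONF"

check_bogons "$FEED" "$CONF" || echo "static bogons are out of sync with the feed"
```

Run it from cron the same way as the original and mail the output; the non-zero exit status also makes it trivial to hook into whatever monitoring already watches the box. Comparing prefix sets rather than `diff`-ing text keeps ordering and whitespace changes from generating noise, and splitting the result into stale versus missing tells the admin which entries to pull first.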
participants (3)
- Curtis Doty
- Daniel Golding
- Fergie (Paul Ferguson)