
Apologies for the poor attempt at humor... However, there is some useful content at the end of the message. Essentially, I think this is one of those problems that can never fully be solved. Just as we will never get every last worm-infected host off the network. The best that we can do is provide procedures for those who filter on unallocated space so that they can keep their filters updated on a timely and accurate basis. For those who do not wish to use such procedures, we should stridently urge them to filter only on martians, not unallocated space. -Larry Blunk Merit
I agree.
-----Original Message-----
From: Rick Duff [mailto:rduff@qwest.net]
Sent: Tuesday, March 11, 2003 2:09 PM
To: 'Larry J. Blunk'; 'Andy Dills'
Cc: 'Ejay Hire'; nanog@merit.edu
Subject: RE: 69/8...this sucks
I've never posted to the list, just lurked, for over a year now, but this has to be said. Can we please take this discussion off-list to private conversation. It's gotten worse than spam. I see a nanog message and just start deleting them now.
-rd
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Larry J. Blunk
Sent: Tuesday, March 11, 2003 1:01 PM
To: Andy Dills
Cc: Ejay Hire; nanog@merit.edu
Subject: Re: 69/8...this sucks
On Tue, 11 Mar 2003, Ejay Hire wrote:
Er, guys... How does this fix the problem of a Malicious user advertising a more specific bogon route?
Come on...clearly you haven't been paying attention.
You need LDAP filters. LDAP filters and a South Vietnamese revolution against the IRRs for being fragmented and greedy.
Careful. We are watching and are prepared to ruthlessly squash any attempted rebellion.
And if that doesn't poison your inverse arp, then multiplex a private bogon server with a centralized host scanner-based DNSBL. Don't forget the trailing dot! And don't forget to invert the subnet mask!
Hey, I've already thought of all that and captured it in an XML schema (with ASN.1 encoding)! I will be presenting an Internet Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings.
Seriously... As has been suggested, I think we need to do a better job of identifying the population and type of devices that are filtering these prefixes. Are they really predominately BGP speaking routers, or largely some mishmash of non-BGP speaking firewalls/proxies/NAT's?
If it's the former, then a BGP based solution has some merit. If the latter, I think it unreasonable to expect these firewalls to speak BGP. What's needed is a canonical representation of the bogon list and some tools to generate the filter list in the appropriate config format for a number of target devices.
There's already a canonical list maintained by Rob Thomas in the RADB (see fltr-martian, fltr-unallocated, and fltr-bogons). I've suggested to Rob that he may want to include a PGP signature in a remarks section of the object to provide a greater level of confidence (hopefully with a key that's escrowed somehow -- god forbid anything should happen to Rob). I should also note that some of the RIR's have indicated they will be providing more precise information on their unallocated space.
As far as tools go, while IRRToolSet has extensive support for RPSL, it may be too complex for a novice Net admin. Perhaps some simple Perl scripts to generate filter configs from RPSL filter objects would be useful?
Larry Blunk Merit
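The kind of tool Larry is asking for, as an added example that is not part of the original thread and not Merit's or Rob Thomas's code: a script (Python here rather than the Perl Larry suggests) that parses an RPSL filter-set object and emits Cisco IOS prefix-list and Junos route-filter lines for it. The object text below is constructed for the example and is not a copy of fltr-martian or any other RADB object; the object name, maintainer and remarks are made up, and only the prefixes (the usual RFC 1918, loopback, link-local, TEST-NET and class D/E martians) are real. The RPSL range operators ^+, ^-, ^n and ^n-m are handled so the same code works on the unallocated-space objects, which is where the operators actually show up.

```python
"""Generate router filter config from an RPSL filter-set object (example code)."""
import ipaddress
import re

# Constructed sample in the style of an IRR filter-set object. Not a real
# RADB object; the prefixes are well-known martians, everything else is made up.
SAMPLE_FILTER_SET = """\
filter-set:   fltr-martian-example
descr:        Martian prefixes (constructed sample, not a real RADB object)
filter:       { 0.0.0.0/8^+, 10.0.0.0/8^+, 127.0.0.0/8^+,
                169.254.0.0/16^+, 172.16.0.0/12^+, 192.0.2.0/24^+,
                192.168.0.0/16^+, 224.0.0.0/4^+, 240.0.0.0/4^+ }
remarks:      regenerate device filters from this object, do not hand-edit
mnt-by:       MAINT-EXAMPLE
source:       RADB
"""

# An IPv4 prefix followed by an optional RPSL range operator.
_PREFIX_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(\^\+|\^-|\^\d{1,2}(?:-\d{1,2})?)?"
)


def _attributes(text):
    """Fold RPSL continuation lines (leading whitespace or '+') into their attribute."""
    attrs, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t+" and current is not None:
            attrs[current] += " " + line.lstrip(" \t+")
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        attrs[current] = value.strip()
    return attrs


def _range(plen, op):
    """Translate an RPSL range operator into an inclusive (min_len, max_len)."""
    if op is None:
        return plen, plen
    if op == "^+":                      # the prefix or any more specific
        return plen, 32
    if op == "^-":                      # strictly more specific
        if plen == 32:
            raise ValueError("^- on a /32 matches nothing")
        return plen + 1, 32
    lo, _, hi = op[1:].partition("-")   # ^n or ^n-m
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not plen <= lo <= hi <= 32:
        raise ValueError(f"bad range operator {op} on /{plen}")
    return lo, hi


def parse_filter_set(text):
    """Return (name, [(IPv4Network, min_len, max_len), ...]) for a filter-set object."""
    attrs = _attributes(text)
    entries = []
    for prefix, op in _PREFIX_RE.findall(attrs["filter"]):
        net = ipaddress.IPv4Network(prefix)   # strict: host bits set is an error
        lo, hi = _range(net.prefixlen, op or None)
        entries.append((net, lo, hi))
    return attrs["filter-set"], entries


def to_ios_prefix_list(name, entries, seq_step=5):
    """Cisco IOS prefix-list: deny every entry, then permit everything else."""
    lines, seq = [], seq_step
    for net, lo, hi in entries:
        clause = f"ip prefix-list {name} seq {seq} deny {net}"
        if lo > net.prefixlen:          # IOS ge/le must exceed the prefix length
            clause += f" ge {lo}" + (f" le {hi}" if hi < 32 else "")
        elif hi > net.prefixlen:
            clause += f" le {hi}"
        lines.append(clause)
        seq += seq_step
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return lines


def to_junos_route_filters(entries):
    """Junos route-filter lines for the same entries (placed inside a policy term)."""
    lines = []
    for net, lo, hi in entries:
        plen = net.prefixlen
        if (lo, hi) == (plen, plen):
            match = "exact"
        elif (lo, hi) == (plen, 32):
            match = "orlonger"
        elif lo == plen:
            match = f"upto /{hi}"
        elif (lo, hi) == (plen + 1, 32):
            match = "longer"
        else:
            match = f"prefix-length-range /{lo}-/{hi}"
        lines.append(f"route-filter {net} {match};")
    return lines


if __name__ == "__main__":
    name, entries = parse_filter_set(SAMPLE_FILTER_SET)
    print("! Cisco IOS")
    print("\n".join(to_ios_prefix_list(name, entries)))
    print("# Junos (inside a policy-statement term)")
    print("\n".join(to_junos_route_filters(entries)))
```

Pointing the script at a fetched copy of the object (whois output from the RADB) instead of the embedded sample turns it into the procedure Larry's earlier message calls for: whoever filters on unallocated space regenerates and reloads the device filter from the current object on a schedule, rather than hand-editing a list that goes stale the moment a new /8 is allocated. A martian-only object changes far less often, which is the other half of his point.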