RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
As someone who used to "do" a great deal of managed network services, I can certainly attest to that.

- ferg

-- "Christopher L. Morrow" <christopher.morrow@mci.com> wrote:

On Thu, 20 Jan 2005, James Laszko wrote:
Well, if the router CAN run BGP, the feed from Cymru is only about 84 prefixes - not a lot of memory tied up there, is there?
my point was that not all managed routers, the majority actually, can't and don't run BGP. their code doesn't even support bgp...

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
Well, if the router CAN run BGP, the feed from Cymru is only about 84 prefixes - not a lot of memory tied up there, is there?
Not a very wise solution. If hundreds of thousands of routers take this feed from Cymru, then it won't be long before someone attacks Cymru in order to control the feed. And given the upsurge in criminal activity related to network abuse, the danger to Cymru is not just from network exploits. The principals could find themselves looking at a gun barrel in their face with their families held hostage. It is very unwise to push people towards creating a new single point of failure (or single attack point) in the Internet.
my point was that not all managed routers, the majority actually, can't and don't run BGP. their code doesn't even support bgp...
Thankfully this is true. However, the majority of managed routers are managed by servers/workstations which *ARE* capable of running BGP as well as scripts to compare ACLs and alert staff when inconsistencies are discovered. The prudent course of action is to encourage people to take the Cymru feed into their *management systems* and use that feed to vet their current ACLs or BGP filters. This extra layer of indirection actually strengthens the system and protects Cymru from becoming too important.

--Michael Dillon
participants (2)
- Fergie (Paul Ferguson)
- Michael.Dillon@radianz.com
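The following is an added example, not code from any poster in this thread: one way a management host could vet a router's ACL against the bogon feed and alert on inconsistencies, as Michael Dillon's reply suggests. The feed and ACL text are constructed samples, the feed is assumed to be already exported to a prefix list, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: prefixes the management host learned from the bogon feed
# (assumed already exported to text; this is not real feed data).
FEED = """0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"""

# Constructed sample: IOS-style ACL lines pulled from one managed router.
ACL = """\
access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 72.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
"""

DENY_RE = re.compile(r"^access-list \d+ deny ip (\S+) (\S+) any$")

def parse_feed(text):
    return [ipaddress.ip_network(p) for p in text.split()]

def parse_acl(text):
    """Return the source networks of 'deny ip <addr> <wildcard> any' lines."""
    nets = []
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # permits and unrelated lines are not bogon filters
        wild = int(ipaddress.IPv4Address(m.group(2)))
        if wild & (wild + 1):  # wildcard must be a contiguous run of low bits
            raise ValueError(f"non-contiguous wildcard: {line}")
        nets.append(ipaddress.ip_network((m.group(1), 32 - wild.bit_length())))
    return nets

def audit(feed, acl):
    """Compare router deny entries with the feed; anything returned needs staff review."""
    stale = [a for a in acl if not any(a.subnet_of(f) for f in feed)]    # denied, not in feed
    missing = [f for f in feed if not any(f.subnet_of(a) for a in acl)]  # in feed, not denied
    return stale, missing

def blocked_by(prefix, acl):
    """Deny entries overlapping a prefix that someone reports as wrongly filtered."""
    return [a for a in acl if a.overlaps(ipaddress.ip_network(prefix))]

if __name__ == "__main__":
    print(audit(parse_feed(FEED), parse_acl(ACL)))
    print(blocked_by("72.14.128.0/19", parse_acl(ACL)))
```

The script only reports differences for a human to act on, so a wrong or tampered feed produces an alert rather than an automatic filter change on the routers.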