nanog mailing list archives

Re: Bogon filtering


From: Jeroen Massar <jeroen () unfix org>
Date: Fri, 03 Dec 2004 10:10:47 +0100

On Fri, 2004-12-03 at 00:53 -0500, J. Oquendo wrote:

> Considering the talk of banning going on, I was reluctant to post this,
> anyhow, I wondered how many (if any) have ever thought about the aspect of
> vendors deciding to implement some form of default bogon filtering on their
> products. With all of the talk about DoS botnets, and issues surrounding
> allocated address ranges (for whatever the purpose), I'm curious to know
> why a vendor like Juniper, or Cisco, or whomever doesn't implement a
> mechanism to automatically do the filtering. Wouldn't this minimize a vast
> amount of issues surrounding DoS attacks?

Let people first use RPF, when they are doing that we can see what the
next step is.

That next step is in the direction of what Team Cymru is doing...
redist-filter could help there a lot.

There is one thing though which is somewhat a problem with these setups:
one has to trust the source of the filters; they are technically
controlling your network, who you talk to and who not. And this little
technical issue can be a huge political issue.

I personally would really like to see a 'valid prefixes' feed from the
RIRs. Then again, the amount of 'crap' coming from un-assigned/illegal
prefixes is minimal compared to the vast DDoS nets around, and for the
latter there are some solutions available if you contact the correct
people...

Greets,
 Jeroen

PS: Why would this be a 'bannable' subject? It is about _network
operations_, isn't it? And otherwise I am quite sure that the ones in
check of the rules will be so nice to point out differently; if one on
the other hand already thinks it is a wrong subject, then why post at
all... but that is an IMO ;)
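The trust problem Jeroen raises (a third-party filter feed effectively decides who you can talk to) is easiest to see in code. The following is an added example, not code from this thread or from Team Cymru: it vets a constructed bogon feed against a constructed list of prefixes the operator knows are assigned, and holds back any feed entry that would blackhole assigned space instead of applying the feed blindly. The feed text, the "known assigned" prefixes and the function names are all assumptions made for the example.

```python
import ipaddress

# Constructed sample feed (NOT a real Team Cymru feed): mostly reserved or
# unallocated space, plus one stale entry that overlaps space this operator
# knows is assigned, to show why a feed must be checked before it drives filters.
SAMPLE_FEED = """
# bogon feed, one prefix per line
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
198.51.100.0/24
"""

# Constructed: prefixes the operator knows are assigned (own allocations,
# customer routes). In practice this comes from IPAM or RIR records, i.e. the
# 'valid prefixes' feed the post wishes the RIRs would publish.
KNOWN_ASSIGNED = [
    "198.51.100.0/24",   # hypothetical customer allocation (documentation range)
    "203.0.113.0/24",    # hypothetical own allocation (documentation range)
]


def parse_feed(text):
    """Parse a plain-text feed into network objects, skipping comments and junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError:
            # A malformed line is dropped rather than turned into a filter entry.
            continue
    return nets


def vet_feed(feed_text, known_assigned):
    """Split a feed into entries safe to apply and entries overlapping assigned space.

    An overlapping entry would blackhole legitimate traffic if applied as-is;
    those go to a review list instead of straight into the router config.
    """
    assigned = [ipaddress.ip_network(p) for p in known_assigned]
    safe, conflicts = [], []
    for net in parse_feed(feed_text):
        hit = [a for a in assigned if a.version == net.version and a.overlaps(net)]
        (conflicts if hit else safe).append(net)
    return safe, conflicts
```

Running `vet_feed(SAMPLE_FEED, KNOWN_ASSIGNED)` returns four safe prefixes and flags 198.51.100.0/24 for review; the same check also fits in front of an RPF or ACL generator so a feed update can never silently drop a customer.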
