nanog mailing list archives
Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]
From: "Robert E. Seastrom" <rs () seastrom com>
Date: Thu, 09 Nov 2006 18:43:50 -0500
Niels Bakker <niels=nanog () bakker net> writes:
> * rs () seastrom com (Robert E. Seastrom) [Thu 09 Nov 2006, 16:02 CET]:
> [..]
>> Steve's 100% spot-on here. I don't have bogon filters at all and it
>> hasn't hurt me in the least. I think the notion that this is somehow a
>> good practice needs to be quashed.
>
> Yeah! This "Principle of minimal privilege" is totally not applicable to
> real, live networks...
I'm not sure what principle of minimal privilege has to do with filtering addresses that are known unissued. Seems to me that the principle of minimal privilege would allow connections only from addresses from which you are specifically expecting them, not from "the internet at large minus a few blocks that aren't issued". Particularly in the case of spam abatement, where the vast majority of spam comes from compromised Windows hosts (which are probably *not* residing on unissued space), I can't see the point. We could get into some kind of meta-discussion about DoS attacks and the like, but at that point you probably want your upstream doing the filtering for you before it clogs your links.

Bottom line: my gut feeling is that the threat that unissued "bogon" space poses pales in comparison to the Bad Neighborhood that is the Internet. I would welcome a pointer to some kind of actual research that shows this to be incorrect.

Of course, bogon filtering is a fine security blanket for those whose scope of knowledge is not sufficient to perform a meaningful threat/risk assessment. As for me, I prefer to rivet horseshoes (open end up, to catch the good luck falling from above) to the cable tray above my racks. Oh yeah, religiously adhering to BCP-38 as well, that brings luck too.

---Rob
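The message above contrasts a bogon deny-list (drop sources from a few unissued or reserved blocks) with BCP-38 ingress filtering (admit only the sources a customer-facing interface is expected to originate). The following is an added, editorial example and not code from any poster in this thread; it models both policies on constructed packets so the difference is visible. The interface names, customer prefixes and the short list of reserved blocks are all assumptions made for the example; the reserved list is a fixed subset of well-known martian space, not a current or complete bogon list.

```python
import ipaddress

# Illustrative subset of permanently reserved ("martian") blocks. A real bogon
# list also carries unallocated /8s that change as registries hand them out,
# which is why a static deny-list goes stale. Constructed for this example.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical customer-facing interfaces and the prefixes assigned to each
# customer. BCP-38 ingress filtering admits a packet on an interface only if
# its source address lies inside that interface's assigned prefixes.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/26")],
}


def bogon_filter(src):
    """Deny-list policy: drop only when the source is in a reserved block."""
    addr = ipaddress.ip_address(src)
    return "drop" if any(addr in net for net in MARTIANS) else "permit"


def bcp38_filter(iface, src):
    """Allow-list policy: permit only sources the interface should originate.

    An interface with no assigned prefixes (unknown iface) permits nothing,
    which is the safe default for an ingress filter.
    """
    addr = ipaddress.ip_address(src)
    allowed = CUSTOMER_PREFIXES.get(iface, [])
    return "permit" if any(addr in net for net in allowed) else "drop"


def evaluate(packets):
    """Run both policies over (iface, src) pairs.

    Returns a list of (iface, src, bogon_verdict, bcp38_verdict) tuples.
    """
    return [(iface, src, bogon_filter(src), bcp38_filter(iface, src))
            for iface, src in packets]


# Constructed sample traffic: one legitimate packet, one spoofed from reserved
# space, and two spoofed from space that is issued to somebody else.
SAMPLE = [
    ("ge-0/0/1", "203.0.113.42"),  # customer's own address: both permit
    ("ge-0/0/1", "10.1.2.3"),      # reserved space: both policies drop it
    ("ge-0/0/1", "198.51.100.9"),  # another customer's issued space: only BCP-38 drops
    ("ge-0/0/2", "192.0.2.77"),    # issued to a third party: only BCP-38 drops
]

if __name__ == "__main__":
    for iface, src, bogon, bcp38 in evaluate(SAMPLE):
        print(f"{iface:10} {src:16} bogon={bogon:7} bcp38={bcp38}")
```

Running it shows the point of the argument: the bogon deny-list catches only the one packet sourced from reserved space, while the per-interface allow-list drops every spoofed source regardless of whether the address is issued.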
Current thread:
- RE: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link], (continued)
- RE: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Donald Stahl (Nov 09)
- RE: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Justin M. Streiner (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] steve (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Robert Boyle (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] steve (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Michael . Dillon (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Stephen Wilcox (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Robert E. Seastrom (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Deepak Jain (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Niels Bakker (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Robert E. Seastrom (Nov 09)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Michael . Dillon (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Tony Finch (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Michael . Dillon (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Stephen Wilcox (Nov 10)
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] Michael . Dillon (Nov 10)
- Message not available
- Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link] steve (Nov 09)