nanog mailing list archives

Re: [c-nsp] [Re: huge amount of weird traffic on point-to-point ethernet link]


From: steve () telecomplete co uk
Date: Fri, 10 Nov 2006 11:18:56 +0000


On Fri, Nov 10, 2006 at 01:25:05AM -0500, Robert Boyle wrote:
At 06:58 PM 11/9/2006, you wrote:
Automatic systems are fine if you decide you want to do them. I was 
specifically responding to the author who suggested he would build 
the filters himself; my point was that this seemingly good intention 
is in fact causing real operational problems on the Internet right 
now, as anyone receiving addresses from newly allocated blocks will attest.

Since I am the OP, I never said that filtering bogons was a miracle 
cure-all. If we put static bogon filters on customer routers, I would 
agree that would be stupid and would cause maintenance and routing 
problems. As an ISP with several assignments from formerly bogon blocks, I 
agree and understand your point. However, we are religious about 
updating our bogon filters and we never block legitimate traffic or 
announcements. Bogon filtering is just one thing among many which I 
think should be done. Following BCP38 and filtering what comes in 
from customers and transit/peer connections all help to ensure that 
you aren't part of the problem to the community or to your own 
clients. The original poster who I replied to stated that it appeared 
that some traffic of unknown origin on a private address was being 
routed across his network between routers and he didn't have any 
routes for that network in his routing tables. My response was that 
those announcements and traffic should be filtered at his edge. This 
turned into a thread about whether filtering was a good thing or not 
which in my mind is absurd. However, if you run a network and want to 
accept traffic from bogon and RFC1918 space over your customer, 
peering, and transit connections then that's your problem. I just 
choose to not make it mine.

We may be talking at cross purposes...

BGP filtering using bogon lists affects the routes you receive and hence whether or not you are willing to send traffic 
TO that space.

If you want to not 'accept traffic FROM bogon and RFC1918 space' then you need to apply ACLs or RPF.


My issue with BGP filtering is primarily related to manually built filters; there is evidence that this practice is 
harmful. Whether automatically built filters are a good idea is up to you; the current feeling seems to be yes, although 
personally I don't implement it.

WRT ACLs, I would suggest any ACL is a bad idea and only a dynamic system such as RPF should be used. This is because 
manual filters that deny bogons have the same issue as BGP filtering, in that they can go stale and you drop newly 
allocated space. I would still advise, though, that there is a lot of address space in use but not announced on the Internet; 
add to that the use of RFC1918 on internal network links, and the potential to break things such as PMTU by dropping 
ICMPs is real. 

Steve
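The distinction Steve draws above (a BGP prefix filter decides which destinations you forward TO; an ingress source check decides which sources you accept FROM; a hand-written source ACL goes stale while a FIB-driven RPF check tracks the routing table) is easy to see in a small model. The following is an added example written for this archive page, not code from Steve, Robert or the list. The FIB, interface names and announcements are constructed, and the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for "space that used to be unallocated and now is"; nothing here is router code.

```python
"""Toy model of three ingress mechanisms discussed in the thread:
  - an inbound BGP prefix filter (affects routes, i.e. traffic TO a prefix),
  - a static source-address ACL (goes stale),
  - loose and strict unicast RPF (decision follows the FIB).
All prefixes, routes and interfaces are constructed for illustration."""
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

# Space that is never legitimately routed on the public Internet, so a filter
# on it cannot go stale.  This is the part of a bogon list that is safe to keep.
RFC1918 = [IPNet("10.0.0.0/8"), IPNet("172.16.0.0/12"), IPNet("192.168.0.0/16")]

# Constructed: a bogon ACL typed in by hand before 192.0.2.0/24 was (in this
# story) allocated by an RIR.  Nobody updated it, so it now denies real space.
STALE_BOGON_ACL = RFC1918 + [IPNet("192.0.2.0/24")]

# Constructed BGP feed from a transit neighbour: (prefix, interface it is
# reachable over).  10.1.0.0/16 is an RFC1918 leak that should never be accepted.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", "Gi0/1"),     # newly allocated, legitimately announced
    ("198.51.100.0/24", "Gi0/2"),  # ordinary route, reachable via the other link
    ("10.1.0.0/16", "Gi0/2"),      # RFC1918 leak
]


def bgp_import(announcements, deny_prefixes):
    """Inbound BGP prefix filter.  Drops any announcement covered by a prefix in
    deny_prefixes and returns the resulting FIB {network: egress interface}.
    This only decides which destinations we will forward TO; it says nothing
    about packets arriving FROM those sources."""
    fib = {}
    for prefix, iface in announcements:
        net = IPNet(prefix)
        if any(net.subnet_of(d) for d in deny_prefixes):
            continue
        fib[net] = iface
    return fib


def acl_permits(src, acl):
    """Static ingress ACL on the source address: deny if src falls inside any
    listed prefix.  Correct only for as long as the list is kept current."""
    src = IPAddr(src)
    return not any(src in net for net in acl)


def longest_match(src, fib):
    """Longest-prefix lookup of src in the FIB; None if the source is unrouted."""
    src = IPAddr(src)
    matches = [net for net in fib if src in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def urpf_loose_permits(src, fib):
    """Loose-mode uRPF: accept if the FIB holds any route covering the source.
    The decision tracks the routing table, so newly allocated space is accepted
    as soon as a route for it appears, with no filter to edit."""
    return longest_match(src, fib) is not None


def urpf_strict_permits(src, ingress_iface, fib):
    """Strict-mode uRPF: the best route to the source must point back out of
    the interface the packet arrived on.  Catches more spoofing, but drops
    legitimate traffic on asymmetric paths."""
    best = longest_match(src, fib)
    return best is not None and fib[best] == ingress_iface


def evaluate(src, ingress_iface, fib=None):
    """Run one source address through all three source checks."""
    if fib is None:
        fib = bgp_import(ANNOUNCEMENTS, RFC1918)
    return {
        "stale_acl": acl_permits(src, STALE_BOGON_ACL),
        "urpf_loose": urpf_loose_permits(src, fib),
        "urpf_strict": urpf_strict_permits(src, ingress_iface, fib),
    }


if __name__ == "__main__":
    fib = bgp_import(ANNOUNCEMENTS, RFC1918)
    print("FIB after RFC1918 prefix filter:", {str(k): v for k, v in fib.items()})
    for src, iface in [("192.0.2.10", "Gi0/1"),    # newly allocated, arrives on its own link
                       ("10.1.2.3", "Gi0/1"),      # RFC1918 source
                       ("198.51.100.7", "Gi0/1")]: # routed, but arrives on the "wrong" link
        print(src, "in on", iface, "->", evaluate(src, iface, fib))
```

Running it shows the point of the thread: the packet from 192.0.2.10 is dropped by the stale ACL but passed by both uRPF modes, because the route that the (correctly kept) RFC1918-only BGP filter let in is what uRPF consults; the 10.1.2.3 packet is dropped by everything, since the leaked route never made it into the FIB; and 198.51.100.7 passes loose uRPF but fails strict uRPF, which is the asymmetric-routing caveat that makes strict mode a customer-edge rather than peering-edge tool. Real routers add further wrinkles the model omits, notably how a default route is treated in loose mode.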

