nanog mailing list archives
Re: RFC6598 100.64/10: to bogon or not to bogon (team-cymru et all)
From: Rabbi Rob Thomas <robt () cymru com>
Date: Tue, 7 Mar 2023 18:56:05 -0500
Dear team,

I’ve already reached out to Lukas directly, but I’ll kibitz a bit:

They talk about bogon prefixes "for hosts", provide configuration examples for Cisco ASA firewalls,

Which are perfectly valid use cases for some networks / situations.

Indeed! There was a time early in the life of the bogon lists where folks requested host-based and firewall-based filter examples. This was because these were their AS-border devices, e.g. host-based routers and firewalls, and hardware firewalls. I don’t remember writing a Cisco ASA example, but that was a long time ago. :)

Be well,
Rabbi Rob.

On Tue, Mar 7, 2023 at 6:35 PM Lukas Tribus <lukas () ltri eu> wrote:

On Wed, 8 Mar 2023 at 00:05, William Herrin <bill () herrin us> wrote:

Hi Lukas,

If you're using the team cymru bogon list at your customer border, you're doing it wrong.

I'm not. I'm trying to educate people that bogon lists do not belong on hosts, firewalls or intermediate routers, despite Team-cymru's aggressive marketing of the opposite, quote:

THE BOGON REFERENCE

*A bogon prefix should never appear in the Internet routing table*. Team Cymru’s Bogon Reference provides several resources for the filtering of bogon prefixes from your routers *and hosts*.

A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) *should never have an address in a bogon range.* These are commonly found as the source addresses of DDoS attacks.

They either have to make it clear what their bogon list can actually be used for or they need to drop RFC6598 from the list.

They talk about bogon prefixes "for hosts", provide configuration examples for Cisco ASA firewalls, at the same time they include RFC6598 in the list and its marketing material suggests it can be used for everything.

You can't have it both ways. Either you provide a list of prefixes to be dropped on autonomous system borders *and make that clear* or you provide a list of prefixes that can be dropped in all systems.

Lukas

—
Rabbi Rob Thomas
Team Cymru
"It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern
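Added example, not part of the thread and not Team Cymru's code: a pre-deployment check for the point argued above, that a list containing RFC6598 space cannot be dropped wholesale on a host or firewall that itself sits in 100.64.0.0/10. The prefix list and the CGN-side addresses are constructed samples, and `split_bogons` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample of special-use IPv4 prefixes; not a copy of any published bogon feed.
SAMPLE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]


def split_bogons(bogons, in_use):
    """Partition a bogon list into (droppable, conflicting).

    in_use holds addresses or interface prefixes this device legitimately
    sends to or receives from: its own interfaces, default gateway, resolvers.
    A bogon prefix is conflicting when it overlaps any of them, meaning a
    drop rule for it would cut the device off from its own network.
    """
    used = [ipaddress.ip_network(u, strict=False) for u in in_use]
    droppable, conflicting = [], {}
    for text in bogons:
        net = ipaddress.ip_network(text)
        hits = [str(u) for u in used
                if u.version == net.version and net.overlaps(u)]
        if hits:
            conflicting[str(net)] = hits
        else:
            droppable.append(str(net))
    return droppable, conflicting


if __name__ == "__main__":
    # Constructed scenario: a host behind carrier-grade NAT whose WAN
    # interface and default gateway are both in RFC6598 shared address space.
    cgn_host = ["100.72.14.9/22", "100.72.12.1"]
    ok, bad = split_bogons(SAMPLE_BOGONS, cgn_host)
    for prefix, hits in bad.items():
        print(f"do NOT drop {prefix}: overlaps local use {', '.join(hits)}")
    print(f"{len(ok)} prefixes have no overlap with local addressing")
```

An empty `conflicting` result only says the list does not collide with the addresses supplied; whether the device is an AS-border device, which is the distinction the thread turns on, still has to be decided by the operator.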