On Fri, 3 Dec 2004, J. Oquendo wrote:
> Considering the talk of banning going on, I was reluctant to post this,
> anyhow, I wondered how many (if any) have ever thought about the aspect of
> vendors deciding to implement some form of default bogon filtering on their
> products. With all of the talk about DoS botnets, and issues surrounding
> allocated address ranges (for whatever the purpose), I'm curious to know
> why a vendor like Juniper, or Cisco, or whomever doesn't implement a
> mechanism to automatically do the filtering. Wouldn't this minimize a vast
> amount of issues surrounding DoS attacks?
>
> From an admin/user perspective, I would not mind having my equipment
> implement this as long as it was manageable to add/remove addresses on the
> fly. Perhaps a command line syntax:
>
> ip bogon add add.res.s/8
>
> or
>
> ip bogon remove add.res.s/8

do you mean like using uRPF and null routes of the bogon/unallocated
networks to drop traffic on input? cause that's already there...

> I thought about it over and over, and wonder why this hasn't been done.
> Any care to beat me with a clue stick or two. I can understand the

it has been done... see any of the several past NANOG presentations on
security that Barry Greene, Tim Battles, Wayne Gustavus have given (and
Joe S from Juniper... I'd butcher his spelling, sorry joe!)

I think the arguments have gone against 'default blocking' because
'default for the internet' is not 'default for enterprise Z'.

-Chris
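The "uRPF plus null routes" mechanism Chris refers to, written out as a Cisco IOS configuration fragment. This is an added illustration, not part of either poster's message and not taken from any vendor presentation; the interface name, the description text and the (deliberately short) prefix list are constructed for the example. Only well-known reserved space is listed here; the unallocated-/8 portion of a real bogon list changes as registries hand out space, which is why it has to be maintained from a current source (for example the Team Cymru bogon reference) rather than baked into a default.

```ios
! --- Added example: bogon filtering with Null0 routes + loose-mode uRPF ---
!
! 1. Null-route the bogon prefixes. Constructed sample list: RFC 1918,
!    loopback, link-local, TEST-NET and multicast/class E. A production list
!    also carries the currently-unallocated /8s and must be refreshed as
!    those get allocated, or you start black-holing legitimate new space.
ip route 10.0.0.0     255.0.0.0     Null0
ip route 127.0.0.0    255.0.0.0     Null0
ip route 169.254.0.0  255.255.0.0   Null0
ip route 172.16.0.0   255.240.0.0   Null0
ip route 192.0.2.0    255.255.255.0 Null0
ip route 192.168.0.0  255.255.0.0   Null0
ip route 224.0.0.0    224.0.0.0     Null0
!
! 2. Traffic *to* those prefixes now dies in Null0 on every interface.
!    Traffic *from* those prefixes is caught by unicast RPF: a source whose
!    best route points at Null0 fails the check and is dropped on input.
!    "reachable-via any" is loose mode, which only asks "is there a usable
!    route back to this source"; it is safe on multihomed/asymmetric links.
!    "reachable-via rx" (strict mode) also requires the route to point out
!    the receiving interface and is normally reserved for single-homed
!    customer ports.
interface GigabitEthernet0/0
 description constructed example: upstream transit
 ip verify unicast source reachable-via any
!
! 3. Why this is not a vendor default: an enterprise that numbers its LAN
!    out of 10.0.0.0/8 cannot carry the first route above on its internal
!    routers, and a site that legitimately routes newly allocated space
!    will be bitten by a stale list. The prefix set is site policy, which
!    is the "default for the internet != default for enterprise Z" point.
```

Checking the effect after applying this: `show ip interface GigabitEthernet0/0` reports the verification mode, and the interface's uRPF drop counter (shown in the same output) increments as spoofed bogon-sourced packets arrive, which is also a cheap way to see how much of a DoS is using unallocated source space.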