The whole point that started this discussion is that bogon filtering is
HARMFUL a good part of the time.
This may be so, but there are things that you
can do with an up to date bogon feed other
than filtering. That's why I suggested that
BGP may not be the best form for the feed but
for some
Just thinking out loud, but is there any reason that this
route-server methodology couldn't be applied to other 'undesirable'
destinations, such as the world's top spammers, phishing web sites, etc?
Maybe break them up into different communities, so subscribers can pick
which ones they
On Dec 6, 2004, at 6:30 AM, [EMAIL PROTECTED] wrote:
The point is that the bogon feed doesn't
need to be hooked directly into your routers.
This is what Patrick Gilmore does, i.e.
he takes the bogon feed into a management
system, generates an ACL and then periodically
applies the ACL to his
On Sat, Dec 04, 2004 at 06:22:00PM -0600, Rob Thomas wrote:
] I do as well, but does this scale? Can Team CYMRU handle 2,000 BGP
] sessions? 20K? 200K? -Hank
We can handle quite a lot of sessions, and already do, thanks to
the distributed nature of the Bogon route-server project. We
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Rob Thomas
Sent: Saturday, December 04, 2004 7:22 PM
To: NANOG
Subject: RE: Bogon filtering (don't ban me)
Hi, Hank.
] I do as well, but does this scale? Can Team CYMRU handle 2,000 BGP
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
I have one question regarding the CYMRU bogon route-server. What good
is
it if more-specific bogons are going around in the BGP table ?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
BGP updates received from individual peers
On Sun, 5 Dec 2004, Joe Abley wrote:
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
I have one question regarding the CYMRU bogon route-server. What good
is
it if more-specific bogons are going around in the BGP table ?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter
On Sun, 5 Dec 2004, william(at)elan.net wrote:
On Sun, 5 Dec 2004, Joe Abley wrote:
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
I have one question regarding the CYMRU bogon route-server. What good
is
it if more-specific bogons are going around in the BGP table ?
With
william(at)elan.net wrote:
On Sun, 5 Dec 2004, Joe Abley wrote:
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
I have one question regarding the CYMRU bogon route-server. What good
is
it if more-specific bogons are going around in the BGP table ?
With OpenBSD 3.6 running pf and
On Sun, Dec 05, 2004 at 12:36:08PM -0600, Rob Thomas wrote:
] I have one question regarding the CYMRU bogon route-server. What good is
] it if more-specific bogons are going around in the BGP table ?
At present, none. We have feature requests into some major router
vendors to make this
On Sun, 5 Dec 2004, Joe Maimon wrote:
PF and bgpd with local filter table is good when you're expecting those
filtered ip routes to change often.
I don't understand this attitude. Automating everything that is safely
automatable is the only right way to do things. It's always worth it
Cliff Albert wrote:
On Sun, Dec 05, 2004 at 12:41:32PM -0500, Joe Abley wrote:
I have one question regarding the CYMRU bogon route-server. What good
is it if more-specific bogons are going around in the BGP table ?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
BGP updates
On 5-dec-04, at 19:29, Joe Maimon wrote:
I think that a BGP mechanism to tag routes as ignore all more
specifics would solve this problem nicely. (and perhaps a whole lot
others -- such as needless deaggregation)
Yeah, like people who are needlessly deaggregating are going to send
out an
Hi, NANOGers.
] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?
In a study of one oft' scanned and attacked site, we found that
66.85% of
On Sun, Dec 05, 2004 at 07:38:06PM +0100, Cliff Albert wrote:
On Sun, Dec 05, 2004 at 12:36:08PM -0600, Rob Thomas wrote:
] I have one question regarding the CYMRU bogon route-server. What good is
] it if more-specific bogons are going around in the BGP table ?
At present, none. We
On Sun, 5 Dec 2004, Rob Thomas wrote:
Hi, NANOGers.
Hello,
] - That's only some 40% of all address space, so you need to be able to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?
In a study of one
On Sun, 5 Dec 2004, Jørgen Hovland wrote:
Blocking bogons will result in that attackers use existing netblocks
instead. This will again result in more insecureness since any attack will
If the people making attack code would stay out of 224.0.0.0/4 space (both
for dest and src) it would be a
On Dec 5, 2004, at 3:08 PM, Mikael Abrahamsson wrote:
On Sun, 5 Dec 2004, Jørgen Hovland wrote:
Blocking bogons will result in that attackers use existing netblocks
instead. This will again result in more insecureness since any attack
will
If the people making attack code would stay out of
On 5-dec-04, at 20:03, Rob Thomas wrote:
] - That's only some 40% of all address space, so you need to be able
to
] deal with the other 60% anyway. Why wouldn't whatever mechanism that
] deals with the 60% be unable to deal with the additional 40%?
In a study of one oft' scanned and attacked
On 5 Dec 2004, at 13:31, william(at)elan.net wrote:
On Sun, 5 Dec 2004, william(at)elan.net wrote:
On Sun, 5 Dec 2004, Joe Abley wrote:
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
BGP updates received from individual peers which updates a pf radix
table with the network
Just thinking out loud, but is there any reason that this
route-server methodology couldn't be applied to other 'undesirable'
destinations, such as the world's top spammers, phishing web sites,
etc? Maybe break them up into different communities, so subscribers
can pick which ones
On 5-dec-04, at 22:06, Cliff Albert wrote:
So filtering at the /8 level as in the document linked above isn't
really going to buy you much in practice.
/8 le /32 still stands for /8 and more-specifics as I remember ? :)
You don't say... What will they come up with next??
My point is that if
On Sun, 5 Dec 2004, Rob Thomas wrote:
In a study of one oft' scanned and attacked site, we found that
66.85% of the source IPs were bogon (RFC1918, unallocated, etc.).
You can read about it at the following URL:
http://www.cymru.com/Presentations/60days.ppt
One of the more annoying
Hi, Sean.
] Unless you are a professional router driver, using Team Cymru's
] suggested router configuration will hurt most average users. Which is
] a problem because a lot of the Team Cymru recommendations are good
] router hygiene. But I can't in good faith recommend people use the Team
]
Hi, Hank.
] I do as well, but does this scale? Can Team CYMRU handle 2,000 BGP
] sessions? 20K? 200K? -Hank
We can handle quite a lot of sessions, and already do, thanks to
the distributed nature of the Bogon route-server project. We
have several routers deployed, and are prepared to
On Fri, 2004-12-03 at 09:23 +0200, Hank Nussbacher wrote:
In Ciscoland it's called Autosecure (IOS 12.3):
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/cas11_ds.htm
Blocks all IANA reserved IP address blocks
The actual doc:
--- J. Oquendo [EMAIL PROTECTED] wrote:
I thought about it over and over, and wonder why
this hasn't been done.
Any care to beat me with a clue stick or two. I can
understand the
arguments of not wanting a vendor to have control of
some aspect of my
business, or control over my network,
Subject: Re: Bogon filtering (don't ban me)
--- J. Oquendo [EMAIL PROTECTED] wrote:
I thought about it over and over, and wonder why this hasn't been
done.
Any care to beat me with a clue stick or two. I can understand the
arguments of not wanting a vendor to have
On Fri, 3 Dec 2004, Hank Nussbacher wrote:
Blocks all IANA reserved IP address blocks
The actual doc:
http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf
Surprise, surprise. The examples in that document are already out of date
and filtering as bogons
Considering the talk of banning going on, I was reluctant to post this,
anyhow, I wondered how many (if any) have ever thought about the aspect of
vendors deciding to implement some form of default bogon filtering on their
products. With all of the talk about DoS botnets, and issues surrounding
We've proposed what vendors need to better support bogon filtering, even
wrote a draft:
http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
but last time I talked to cisco ios person (which was just two weeks ago
at IPv6 Summit), it still has not been done. Perhaps couple more
On Fri, 3 Dec 2004, J. Oquendo wrote:
Considering the talk of banning going on, I was reluctant to post this,
anyhow, I wondered how many (if any) have ever thought about the aspect of
vendors deciding to implement some form of default bogon filtering on their
products. With all of the
In Ciscoland it's called Autosecure (IOS 12.3):
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/cas11_ds.htm
Blocks all IANA reserved IP address blocks
The actual doc:
http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf
Problem is, I still do not see