Thomas Kernen wrote:
>
> > > Andre
> > >
> > > I take it you mean that RFC1918 or other bogons that are not assigned by
> > > IANA to any registry are okay to filter vs assigned/allocated IP space
> > > to/from the registries should not be filtered.
> >
> > Yes, exactly.
> >
> > In my opinion also the aggregating filtering on min allocation sizes
> > IP-Plus is doing is wrong.
> >
> > The problem with default deny everything unless allowed is always that
> > you have to readjust this kind of filter all the time. And you might
> > miss some update or you are on vacation or...
> >
> > I deny </7 and >/25 plus the RFC1918 and DHCP space but allow everything
> > else. The risk to miss a change or new allocation is almost zero and it
> > works right away.
>
> I don't 100% agree, IANA have a web page with this info and they keep it up
> to date, allocations out of the "reserved" address space are not done very
> frequently, usually every 3-4 months max. When a new block is allocated it
> usually is done way ahead of time and it usually takes months before
> anything is in the BGP table. Also, IANA do announce on various mailing
> lists when they update the allocation list. So I see nothing wrong with
> denying any non allocated address space.
>
> If one is worried about forgetting about it, there are many ways of checking
> if there has been an update, no need to list them here I think everyone has
> his favorite script in mind.

Maybe I've seen far too many old configurations in corporate networks
nobody knows about anymore... If you are debugging a certain problem for
hours which is caused by such old filters you know what I mean.

Hopefully ISP networks are better managed. :-)

-- 
Andre
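Added example, not part of the original message or of either poster's configuration: a Python sketch of the two filter policies debated in this thread, run over constructed announcements to show where a stale allowlist and the permissive filter disagree. Assumptions: "</7 and >/25" is read as accepting prefix lengths 7 through 25 inclusive, "DHCP space" is read as 169.254.0.0/16, and the allocation snapshot is a made-up sample, not IANA data.

```python
import ipaddress

# RFC 1918 private ranges named in the message.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
# Assumption: "DHCP space" is taken to mean the autoconfiguration block.
DHCP_SPACE = ("169.254.0.0/16",)
DENIED = [ipaddress.ip_network(n) for n in RFC1918 + DHCP_SPACE]

# Assumption: "deny </7 and >/25" read as "accept /7 through /25 inclusive".
MIN_LEN, MAX_LEN = 7, 25


def length_ok(net):
    return MIN_LEN <= net.prefixlen <= MAX_LEN


def permissive_accept(prefix):
    """Deny the length extremes and the listed blocks, allow everything else."""
    net = ipaddress.ip_network(prefix)
    if not length_ok(net):
        return False
    # Matches each denied block and all of its more-specifics.
    return not any(net.subnet_of(block) for block in DENIED)


def allowlist_accept(prefix, allocated):
    """Deny everything unless it falls inside a block in the allocation list."""
    net = ipaddress.ip_network(prefix)
    blocks = [ipaddress.ip_network(a) for a in allocated]
    return length_ok(net) and any(net.subnet_of(b) for b in blocks)


def disagreements(prefixes, allocated):
    """Prefixes on which the two policies reach different verdicts."""
    return [p for p in prefixes
            if permissive_accept(p) != allowlist_accept(p, allocated)]


# Constructed snapshot of "allocated" space that was never updated.
SNAPSHOT = ["62.0.0.0/8", "193.0.0.0/8"]
# Constructed announcements; 83.76.0.0/14 stands in for a newer allocation.
SAMPLE = ["62.2.0.0/16", "10.1.0.0/16", "169.254.10.0/24",
          "193.5.1.0/26", "0.0.0.0/0", "83.76.0.0/14"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, permissive_accept(p), allowlist_accept(p, SNAPSHOT))
    print("policies disagree on:", disagreements(SAMPLE, SNAPSHOT))
```

The only disagreement in the sample is the prefix from the block missing from the snapshot, which is the maintenance failure the message describes; refreshing the snapshot from the registry's published list removes it.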
