Nathan Ward wrote:
> On 1/07/2007, at 1:27 AM, Alastair Johnson wrote:
>> range of say /8 to /24, you have the POTENTIAL for mass injection of prefixes.
>
> Why would you accept a range? I'd just accept the shortest prefix, if a longer prefix is de-bogoned it just means you don't count the still-bogon part as bogon until you update those filters. Think of it as a way to shorten bogon lists only, not modify them. Sure you don't get full coverage for a bit, but you certainly get more than just not filtering at all.

Fair point; but you're introducing additional touch requirements to your network devices, and you lose out on some usefulness of your bogon filtering, if say, 96/6 suddenly has one of those /8's de-bogoned. If you're prepared to have your bogon filter value deteriorate like that, then I would have to question their value at all.

>> two quite different things. If you're using that BGP-fed bogon list to trigger uRPF for instance, it's an entirely new potential attack vector.
>
> Sure, but I'm betting that it can be done smartly.

Everything can be done smartly - in theory. However, it is a risk, and runs the potential to be a VERY BIG risk if you have lots of SLAs and real money at risk... and I'd say some risk assessors would not accept it.

>> There are risk averse operators and corps out there that for reasons like these would not peer with a third party for that.
>
> Yep, I can understand that they exist, I'm just not convinced that it's terribly justified :-)

50ms link protection probably isn't terribly justified either, but people strive, or even fight, for it. I wouldn't open that potential vector without some serious thought and consideration -- and as Rob T. points out, they offer multiple ways to implement it, or not at all. Up to the network operator -- some are risk averse (me, these days), some are not.

>> I've dealt with far too much pain when getting IP space in 219/8, 220/8, 222/8, etc, to ever want to implement a bogon filter myself. Of course, other operators that choose to blanket blackhole all APNIC space are another headache :\.
>
> Indeed. I wouldn't recommend implementing bogon filters unless you do it really smartly, because as you say, more bad than good.

Yep. That remains my view, really.

> The solution to a number of the "third party is scary" problems here is simply using BGP triggered blackholes to do this internally, and make sure you pay really really close attention to the mailing lists, or maybe rig up some thing so when Cymru change their announcements you get a notification or perhaps it drops it in to your table after a few hours of delay.

Again, good options. Probably not something I'll be doing, though. *I* do not see the value for the operational overhead and additional network-touch required. That's really all my original point in reply to Jonny's email was anyway. Do whatever you need with your network :).

aj.
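As an added illustration of the two mitigations the thread discusses (accept only exact, locally allow-listed prefixes from a bogon feed instead of a /8-to-/24 range, and hold any change in the feed for a delay while notifying the operator), here is a small Python model; it is not code from either poster or from Cymru, and LOCAL_BOGONS is a constructed allow-list, not a real bogon table.

```python
import ipaddress

# Constructed allow-list of exact aggregates (hypothetical values, not a real bogon list).
LOCAL_BOGONS = {ipaddress.ip_network(p) for p in
                ("0.0.0.0/8", "10.0.0.0/8", "96.0.0.0/6", "240.0.0.0/4")}

def filter_feed(announced, allowed=LOCAL_BOGONS):
    """Split a feed snapshot into (accepted, rejected) sets of networks.
    Only an exact match of an allowed prefix is accepted, so the feed peer
    cannot inject arbitrary more-specifics: a /24 inside 96/6 is rejected."""
    accepted, rejected = set(), set()
    for p in announced:
        net = ipaddress.ip_network(p, strict=False)
        (accepted if net in allowed else rejected).add(net)
    return accepted, rejected

class DelayedFeed:
    """Quarantine feed changes for `delay` seconds before installing them,
    and log every rejection and change so an operator gets notified."""
    def __init__(self, allowed=LOCAL_BOGONS, delay=6 * 3600):
        self.allowed, self.delay = allowed, delay
        self.installed = set()   # prefixes currently blackholed
        self.pending = {}        # (action, net) -> time first seen
        self.log = []            # notification lines

    def observe(self, announced, now):
        """Process one feed snapshot seen at time `now` (seconds); return the installed set."""
        accepted, rejected = filter_feed(announced, self.allowed)
        for net in sorted(rejected, key=str):
            self.log.append(f"t={now}: rejected {net}, not an exact allowed prefix")
        wanted = ({("add", n) for n in accepted - self.installed}
                  | {("del", n) for n in self.installed - accepted})
        for change in sorted(wanted, key=str):
            if change not in self.pending:
                self.pending[change] = now
                self.log.append(f"t={now}: feed change {change[0]} {change[1]} held")
        # a change the feed no longer asks for is dropped from quarantine
        self.pending = {c: t for c, t in self.pending.items() if c in wanted}
        for change, seen in list(self.pending.items()):
            if now - seen >= self.delay:
                action, net = change
                (self.installed.add if action == "add" else self.installed.discard)(net)
                self.log.append(f"t={now}: applied {action} {net}")
                del self.pending[change]
        return set(self.installed)
```

A withdrawal (a de-bogoned /8 disappearing from the feed) is held for the same delay as an addition, which is the window in which the mailing-list notification should be read.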