[c-nsp] Re: Good practices for peering

Danny McPherson danny at tcb.net
Sat Dec 31 11:45:55 EST 2005


On Dec 31, 2005, at 7:03 AM, Robert E.Seastrom wrote:
>
> With due respect to the folks who are are fighting the good fight by
> maintaining bogon lists, I believe that a dispassionate cost/benefit
> analysis would suggest that bogon filtering is not worth the effort.
>
> Consider the following points:
>
> 1) The vast majority of spam comes via compromised Windows machines,
> not bogus advertisements.  Thus, the amount of spam one could hope to
> block by blocking bogons is relatively tiny.

Agree wholeheartedly, that was simply one example of
how someone might exploit such an opportunity.

> 2) A would-be spammer can always announce a more-specific from an
> already-allocated netblock (preferably one from a country that's known
> for lax security or spam problems, and where it's the middle of the
> night when the transgression takes place), send a bajillion messages,
> and withdraw the route before the affected parties figure out what's
> going on.  Meanwhile back at the ranch, all of a sudden the call
> center queues from frustrated customers go down, the volume in the
> spam complaint mailbox goes up, and the tech staff is left scratching
> their heads.

Yes, and I've seen this occur as well.

> There is a case to be made for preferring the
> announcement of yet-to-be-allocated space to this kind of arms race.

I'd prefer neither, actually.

> 3) The tighter the granularity of the bogon filter, the more effort it
> takes to keep it updated, the more often it must be reapplied, and the
> greater the likelihood that buggy software or human error will cause
> things to go pear-shaped (usually at the most inconvenient time).

This was where my caution came from.  I'm not sure it's that difficult
to automate such a process (I have at several large ISPs), but again,
if you don't have the cycles or resources to maintain it then it's
likely going to be more trouble than it's worth.

> 4) Passion for keeping bogon filters, IRR, etc. synchronized properly
> at any given ISP usually lies with one or two motivated individuals
> who are usually not in a political position to make their zeal part of
> the ongoing corporate culture.

Heh, I sense some bad experiences here...?

At the SPs I've been involved with, once the value of a given
policy is demonstrated and adequately justified, the resource
investment to support implementation and ongoing operations
of that policy have been accommodated.  Ensuring this "zeal"
you refer to is instilled as part of the corporate culture quickly
becomes the responsibility of those passionate folk - and it's
only made possible by their properly conveying the value that
a given policy represents to the relevant folks in their
organization.

> When they leave, it dies with them.
> Obviously, one's chances of Winning Big increase with the size of the
> ISP, but go back and read the original email and consider your target
> audience.

> Bogon Filtering Considered Harmful...

Bogon filtering, IRR-based policies, route reflection, etc..  Just as
with pretty much anything you employ, if you understand the
caveats and deployment considerations and how they apply to
your operating environment, you can make them work to your
benefit.  If you don't they can certainly impact you adversely.
Simply because something is difficult doesn't mean it shouldn't
be considered...

OTOH, I do understand your point about target audience, but even
smaller folks have a responsibility to take some basic measures to
protect their own networks .. and raise the liability bar - hence the
query in the original email.

-danny
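The thread's point 3 and the reply above turn on whether a bogon filter can be kept current without "buggy software or human error" taking the router down with it. The script below is an added example, not code from this thread or from any ISP's tooling: it parses a bogon list, merges overlapping entries, refuses an update that overlaps space the network must keep accepting or that changes a large fraction of the list in one go (the usual signature of a broken fetch), and only then renders a Cisco IOS `ip prefix-list`. The bogon entries, the `MUST_ROUTE` prefix and the 25% churn threshold are all constructed for illustration; a real pipeline would pull the current list from an authoritative source and set its own threshold.

```python
"""Build a Cisco IOS ip prefix-list from a bogon list, with safety checks.

Added example, not code from the thread or from any ISP's tooling.
All prefix data is constructed; a real pipeline would fetch the current
bogon list from an authoritative source and review any rejected update.
"""
import ipaddress

# Constructed sample bogon list (not a live feed, not authoritative).
SAMPLE_BOGONS = """
# comment lines and blanks are ignored
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
"""

# Prefixes this (hypothetical) network must always accept, e.g. its own and
# its customers' space. A bogon entry overlapping one of these means a bad
# feed or a typo and must stop the update before it reaches a router.
MUST_ROUTE = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)


def parse_bogons(text):
    """Parse one prefix per line. strict=True makes a prefix with host bits
    set (a typo like 10.0.0.1/8) raise ValueError instead of silently
    becoming an unintended filter entry."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    # Merge duplicate, overlapping and adjacent entries so each range
    # appears once (e.g. 224.0.0.0/4 + 240.0.0.0/4 -> 224.0.0.0/3).
    return list(ipaddress.collapse_addresses(nets))


def overlapping_must_route(bogons, must_route=MUST_ROUTE):
    """Return bogon entries that overlap space we know must be accepted."""
    return [b for b in bogons if any(b.overlaps(keep) for keep in must_route)]


def churn_ok(old, new, max_fraction=0.25):
    """Reject an update that changes more than max_fraction of the entries:
    a wholesale change usually means a broken fetch, not a real allocation
    event, and deserves a human look before it is pushed."""
    old_set, new_set = set(old), set(new)
    if not old_set:
        return True  # first deployment, nothing to compare against
    changed = len(old_set ^ new_set)
    return changed / len(old_set) <= max_fraction


def render_prefix_list(name, bogons, step=10):
    """Emit IOS prefix-list lines: deny each bogon and all its more-specifics,
    then permit everything else. Sequence numbers step by 10 so an operator
    can insert a manual entry between generated ones."""
    lines = []
    seq = step
    for net in bogons:
        lines.append(f"ip prefix-list {name} seq {seq} deny {net} le {net.max_prefixlen}")
        seq += step
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return lines


def build_config(name, new_text, old_bogons=()):
    """Run every check, then return the config lines; raise on any failure
    so nothing half-checked is ever emitted."""
    bogons = parse_bogons(new_text)
    bad = overlapping_must_route(bogons)
    if bad:
        raise ValueError(f"bogon list overlaps must-route space: {bad}")
    if not churn_ok(old_bogons, bogons):
        raise ValueError("bogon list changed too much in one update; review it")
    return render_prefix_list(name, bogons)


if __name__ == "__main__":
    for line in build_config("BOGONS-IN", SAMPLE_BOGONS):
        print(line)
```

The generated list is the kind applied inbound on a peering session with `neighbor <peer> prefix-list BOGONS-IN in`. The two refusal paths are the part that matters for the thread's argument: the script prefers to emit nothing and page someone over emitting a filter that drops a customer's space or silently loses most of its entries.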

