[c-nsp] Re: Good practices for peering

Robert E.Seastrom rs at seastrom.com
Sat Dec 31 09:03:53 EST 2005


Danny McPherson <danny at tcb.net> writes:

>> I think filtering unallocated space is kinda futile. You don't get rid
>> of any real problem with that anymore. But it _would_ get ya if you
>> don't update filters quickly, regularly and for eternity. I'm neither a
>> fan of outsourcing such filters in realtime to anybody.
>
> I've seen spammers in the past 18 months advertise unallocated
> space, send a zillion spam messages, and then withdraw the
> routes.  If you have mechanisms in place to support dynamic updating
> of bogon associated route policies it's better than accepting all
> prefixes with your eyes shut.
>
> With that said, I do agree with your caution here that if you're not
> going to actively maintain route and packet bogon filters, you're
> probably better off not using them in the first place, per when new
> prefixes are "activated" you'll end up breaking connectivity for those
> addresses, which so often seems to be the case.

With due respect to the folks who are fighting the good fight by
maintaining bogon lists, I believe that a dispassionate cost/benefit
analysis would suggest that bogon filtering is not worth the effort.

Consider the following points:

1) The vast majority of spam comes via compromised Windows machines,
not bogus advertisements.  Thus, the amount of spam one could hope to
block by blocking bogons is relatively tiny.

2) A would-be spammer can always announce a more-specific from an
already-allocated netblock (preferably one from a country that's known
for lax security or spam problems, and where it's the middle of the
night when the transgression takes place), send a bajillion messages,
and withdraw the route before the affected parties figure out what's
going on.  Meanwhile back at the ranch, all of a sudden the call
center queues from frustrated customers go down, the volume in the
spam complaint mailbox goes up, and the tech staff is left scratching
their heads.  There is a case to be made for preferring the
announcement of yet-to-be-allocated space to this kind of arms race.

3) The tighter the granularity of the bogon filter, the more effort it
takes to keep it updated, the more often it must be reapplied, and the
greater the likelihood that buggy software or human error will cause
things to go pear-shaped (usually at the most inconvenient time).

4) Passion for keeping bogon filters, IRR, etc. synchronized properly
at any given ISP usually lies with one or two motivated individuals
who are usually not in a political position to make their zeal part of
the ongoing corporate culture.  When they leave, it dies with them.
Obviously, one's chances of Winning Big increase with the size of the
ISP, but go back and read the original email and consider your target
audience.

Bogon Filtering Considered Harmful...

                                        ---Rob
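An added example, not part of Rob's post or the thread, illustrating the maintenance failure mode discussed above: a check that flags entries in a Cisco-style bogon prefix-list which now overlap space that has since been allocated (the case where a stale filter silently breaks connectivity). The prefix-list text, the allocation list and every prefix in them are constructed for the example; the script assumes the `ip prefix-list NAME seq N deny PREFIX` line format.

```python
import ipaddress
import re

# Constructed sample of a router's bogon prefix-list (Cisco-style syntax),
# as it might look after months without maintenance.
STALE_BOGON_CONFIG = """\
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 198.18.0.0/15 le 32
ip prefix-list bogons seq 20 deny 203.0.113.0/24 le 32
ip prefix-list bogons seq 25 deny 224.0.0.0/4 le 32
"""

# Constructed stand-in for a current allocation feed: blocks assumed to have
# been handed out after the filter above was written.
NEWLY_ALLOCATED = ["198.18.0.0/15", "203.0.113.0/24"]

PREFIX_LINE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) deny (?P<prefix>\S+)")


def parse_prefix_list(config):
    """Yield (name, seq, network) for every deny entry in the config text."""
    for line in config.splitlines():
        m = PREFIX_LINE.match(line.strip())
        if m:
            yield m["name"], int(m["seq"]), ipaddress.ip_network(m["prefix"])


def stale_entries(config, allocated):
    """Return deny entries that overlap space now listed as allocated.

    Each such entry would black-hole legitimate traffic, which is the
    failure mode of an unmaintained bogon filter."""
    live = [ipaddress.ip_network(p) for p in allocated]
    hits = []
    for name, seq, net in parse_prefix_list(config):
        for alloc in live:
            if net.overlaps(alloc):
                hits.append((name, seq, str(net), str(alloc)))
    return hits


def removal_commands(config, allocated):
    """Cisco-style lines that drop the stale entries, for human review first."""
    return [f"no ip prefix-list {name} seq {seq}"
            for name, seq, _, _ in stale_entries(config, allocated)]


if __name__ == "__main__":
    for name, seq, net, alloc in stale_entries(STALE_BOGON_CONFIG, NEWLY_ALLOCATED):
        print(f"{name} seq {seq}: {net} now overlaps allocated {alloc}")
    print("\n".join(removal_commands(STALE_BOGON_CONFIG, NEWLY_ALLOCATED)))
```

Run against a real prefix-list export and a current allocation feed, the same check is the kind of recurring job point 3 above says has to exist for the filter to stay safe.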
