[c-nsp] Feedback on: Security Advice for Routers and Switches

Robert E. Seastrom rs at seastrom.com
Thu May 17 06:54:45 EDT 2007


"Matthew Lange" <mmlange at gmail.com> writes:

> * Implement blackhole routing on the Internet interface, using the Bogon
>   list[3]

Actually, I would put static bogon lists in the "common but bad
advice" section, right there with turning off ICMP (sorry, RobT!).

Why?  Well, except for certain networks that are likely to be reserved
in perpetuity (for instance, 0/8, 255/8, 1918 space...), _every last
one of them_ is gonna end up getting assigned within the next four
years [1].  Are *you* going to be around to monitor the bogon list and
update it every few months?  If not you then who?

Have you done a threat analysis and figured out what the marginal risk
is of allowing bogons from unassigned or reserved IP address space
vs. allowing bogons from hijacked or supernet-sucked address space
(against which you have no effective recourse)?

I don't run bogon lists and I encourage others to not use them either.
The downsides outweigh the benefits.  I handle spam and other such
nuisances at the application layer.

                                        ---Rob

[1] http://www.potaroo.net/presentations/2007-05-09-ripe54-ipv4.pdf
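An added example, not part of Rob's post or anything from the cisco-nsp list: a small Python audit that checks a static bogon filter against prefixes assumed to have been allocated since the filter was written, separating the perpetually reserved space the post names (0/8, 255/8, RFC 1918) from entries that would now drop traffic from legitimately assigned networks. Both prefix lists are constructed samples; the "allocated" list stands in for the registry data an operator would have to re-fetch every few months.

```python
"""Audit a static bogon filter for entries that have gone stale.

Added example; not from the original post. SAMPLE_BOGONS and
SAMPLE_ALLOCATED are constructed values, not real registry data.
"""
import ipaddress
from typing import Dict, Iterable, List

# Space reserved in perpetuity; safe to keep in a static filter.
PERMANENT = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "255.0.0.0/8",                       # 0/8, 255/8
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
)]

# Constructed sample: a static bogon ACL as it might have been written once.
SAMPLE_BOGONS = ["0.0.0.0/8", "5.0.0.0/8", "10.0.0.0/8",
                 "14.0.0.0/8", "100.0.0.0/8", "255.0.0.0/8"]
# Constructed sample: prefixes assumed to have been assigned since then.
SAMPLE_ALLOCATED = ["5.0.0.0/8", "14.0.0.0/8"]


def audit_bogon_list(bogons: Iterable[str],
                     allocated: Iterable[str]) -> Dict[str, List[str]]:
    """Classify each filter entry.

    permanent: inside space reserved in perpetuity; keep.
    stale:     overlaps space now allocated; the filter is dropping
               legitimate traffic and the entry must be removed.
    review:    neither; may be assigned at any time, so re-check it.
    """
    alloc = [ipaddress.ip_network(a) for a in allocated]
    result: Dict[str, List[str]] = {"permanent": [], "stale": [], "review": []}
    for entry in bogons:
        net = ipaddress.ip_network(entry)
        if any(net.subnet_of(p) for p in PERMANENT):
            result["permanent"].append(entry)
        elif any(net.overlaps(a) for a in alloc):
            result["stale"].append(entry)
        else:
            result["review"].append(entry)
    return result


if __name__ == "__main__":
    for category, entries in audit_bogon_list(SAMPLE_BOGONS,
                                              SAMPLE_ALLOCATED).items():
        print(f"{category:9s} {', '.join(entries) or '-'}")
```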
