[ppml] Bogons etc...

Anthony DeBoer adb at onramp.ca
Wed Jan 21 13:11:37 EST 2004


Michael.Dillon at radianz.com wrote:
> DNS, BGP and LDAP all potentially solve the parsing problems
> and all are scriptable. My personal opinion is that LDAP would
> be a better solution because it supports schemas which makes it
> darn near impossible to create a parsing problem.

Aaaaurgh, keep it simple!

This is fundamentally a BGP issue; if your router doesn't have any bogus
routes and is running defaultless, then all such packets nicely fall into
the bit bucket.

Accomplishing that state of affairs is something already being addressed
by the RADB, Cymru, the redisfilter draft, and such.  Ideally such routes
(misconfigurations or stolen space) don't make it all the way across the
backbone and into most people's routing tables, and ideally this can
happen without having to touch the majority of router configs in the
field either.  Injecting selected overriding-blackhole routes in the
language already spoken by BGP routers is preferable to coding new
protocols, and keeping it dynamic avoids having legacy configs on routers
that don't play well with current reality.  Actually talking to providers
injecting the bogons might be an idea too.

I shouldn't need to care whether 70/8 is allocated or not; when it is,
valid routes should show up for it.  End of story.

On the flip side, bogus addresses in the source side of the packet are
still best addressed by source filtering; DoS packets allegedly sourced
from a victim's server's legitimate address do a lot more damage than
packets allegedly sourced from la-la land.

-- 
Anthony DeBoer
Onramp Technical Support
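The defaultless-router-plus-dynamic-bogon-feed model argued for above, as an added example that is not part of the original message or the list's own tooling: a toy longest-prefix-match table in Python, where a bogon feed installs and later withdraws a discard route and source filtering is a reverse-path lookup on the same table. All prefixes, peer names and feed events are constructed.

```python
import ipaddress

DISCARD = "discard"  # blackhole next hop, as a bogon feed would inject


class Rib:
    """Defaultless RIB: longest-prefix match with no 0/0 entry, so an
    unrouted destination returns None (the bit bucket)."""

    def __init__(self):
        self.routes = {}  # ip_network -> next hop name or DISCARD

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def forward(self, dst):
        """Next hop for dst, DISCARD for a blackholed prefix, None if unrouted."""
        hit = self.lookup(dst)
        return hit[1] if hit else None

    def source_ok(self, src):
        """Source-side filter (strict reverse-path style): a packet is accepted
        only if its source address has a real, non-discard route."""
        hit = self.lookup(src)
        return hit is not None and hit[1] != DISCARD


def bogon_feed_scenario():
    """Constructed timeline: 70/8 is blackholed while unallocated, then the
    feed withdraws it and a legitimate route shows up; no config edits needed."""
    rib = Rib()
    rib.announce("192.0.2.0/24", "peer-a")  # constructed customer route
    rib.announce("70.0.0.0/8", DISCARD)     # dynamic bogon feed entry
    before = rib.forward("70.1.2.3")
    rib.withdraw("70.0.0.0/8")              # registry allocates 70/8
    rib.announce("70.0.0.0/8", "peer-b")    # valid route now appears
    after = rib.forward("70.1.2.3")
    return before, after
```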
