[ppml] Bogons etc...

Michel Py michel at arneill-py.sacramento.ca.us
Thu Jan 22 02:51:53 EST 2004

>> Michael.Dillon at radianz.com wrote:
>> Further, I think the place to do this is with DNS,
>> much like many of the spam black lists. 

> william at elan.net
> It's been done with DNS, [..]
> If you're interested try bogons.dnsiplists.completewhois.com

[for those of you that have not read the redisfilter draft yet, William
is one of the co-authors and I am grateful for his contribution].

That being said, let's try to nail the coffin on this:

IP filtering on a per-host basis (regardless of whether it's using DNS, LDAP
or something else) is a flawed concept in the first place. In the case of
an SMTP session, it is valid to check the originating IP against a DNS
RBL. If you get into more generic filtering, you just can't do this: are
you going to wait for the hypothetical query against
bogons.dnsiplists.completewhois.com or any other DNS or LDAP based
service to decide whether or not to drop _each_ packet? Of course not. So
Michael and Leo, please stop trying to sell us a generic host-based
filtering scheme based on LDAP or DNS; it just does not work or scale,
both because nothing can handle every host querying the DNS/LDAP servers
and nothing can even handle a single host querying the DNS/LDAP server
for each packet either.

Filtering IP packets or datagrams is a layer 3 deal; it's done on a
router, not on a host, and the feed of the filtering information is a BGP
deal. Grow up, that's what both the theoreticians and the operators with
tons of operational experience say. That's why layer violations
generally _and_ in this case are a BAD idea, period.
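The contrast drawn in this post, as an added illustration that is not part of the thread and not code from any of its participants: a DNSBL check builds one reversed-octet query name per connection and waits on a remote answer, which is fine once per SMTP session but not once per packet, whereas a router holds the prefix list locally (fed by BGP) and answers each packet with at most 32 bit tests in a trie, whatever the list size. The zone name below is the one mentioned in the thread and is used only to form the conventional lookup name; the code performs no network queries. The bogon prefixes are a constructed sample of well-known reserved ranges, not a current operational bogon list.

```python
import ipaddress
from typing import List, Optional

# Constructed sample of reserved ranges for the example only; an operational
# deployment would load a maintained feed instead of a static list like this.
BOGON_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Form the conventional DNSBL lookup name: octets reversed, then the zone.
    This is what the SMTP-time RBL check would resolve; it is constructed here
    only to show the per-lookup cost, nothing is sent."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class _Node:
    __slots__ = ("child", "prefix")

    def __init__(self) -> None:
        self.child: List[Optional["_Node"]] = [None, None]
        self.prefix: Optional[str] = None  # set on nodes that end a prefix


class PrefixTable:
    """Binary trie over IPv4 prefixes, the local longest-prefix-match structure
    a router applies per packet. Lookup cost is bounded by the 32 address bits,
    independent of how many prefixes are loaded and with no remote round trip."""

    def __init__(self, prefixes=()) -> None:
        self.root = _Node()
        for cidr in prefixes:
            self.add(cidr)

    def add(self, cidr: str) -> None:
        net = ipaddress.IPv4Network(cidr, strict=True)
        bits = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):  # walk the prefix's bits, MSB first
            b = (bits >> (31 - i)) & 1
            if node.child[b] is None:
                node.child[b] = _Node()
            node = node.child[b]
        node.prefix = str(net)

    def match(self, ip: str) -> Optional[str]:
        """Return the most specific loaded prefix covering ip, or None."""
        bits = int(ipaddress.IPv4Address(ip))
        node = self.root
        best = node.prefix
        for i in range(32):
            node = node.child[(bits >> (31 - i)) & 1]
            if node is None:
                break
            if node.prefix is not None:
                best = node.prefix  # deeper match wins (longest prefix)
        return best


def filter_packets(table: PrefixTable, src_ips: List[str]) -> List[dict]:
    """Ingress-style decision per packet: drop if the source sits in a bogon
    prefix, permit otherwise. Each decision touches only the local table."""
    decisions = []
    for ip in src_ips:
        hit = table.match(ip)
        decisions.append({"src": ip, "action": "drop" if hit else "permit",
                          "matched": hit})
    return decisions


if __name__ == "__main__":
    table = PrefixTable(BOGON_PREFIXES)
    # Constructed packet sources; 198.51.100.x is documentation space used as
    # a stand-in for ordinary routable traffic.
    sample = ["10.1.2.3", "198.51.100.7", "192.0.2.77", "172.32.0.1"]
    for d in filter_packets(table, sample):
        print(d)
    print(dnsbl_query_name("192.0.2.1", "bogons.dnsiplists.completewhois.com"))
```

Overlapping prefixes are resolved by depth in the trie, so a more specific entry added later (say a /16 inside an existing /8) is the one reported for addresses it covers, which is the behaviour a router's FIB gives and the reason a BGP-fed local table, not a per-packet name lookup, is where this belongs.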


