[ppml] Bogons etc...

Leo Bicknell bicknell at ufp.org
Thu Jan 22 10:53:34 EST 2004


In a message written on Wed, Jan 21, 2004 at 11:51:53PM -0800, Michel Py wrote:
> RBL. If you get into more generic filtering, you just can't do this: are
> you going to wait for the hypothetical query against
> bogons.dnsiplists.completewhois.com or any other DNS or LDAP based
> service to decide to drop or not _each_ packet? Of course not. So

No, but respectfully I think you're thinking about too narrow of a
solution.

There are many more things people might want to do than filter
routes or packets.  No matter what mechanism you use to filter
routes or packets you're not going to do a dynamic query per lookup,
you're going to cache.  Even a BGP feed is a form of caching, since
the local box keeps a copy of what it receives and checks against
that.  Be it distributed in BGP, DNS, or LDAP, or even SQL that's
always going to be true.

However, I think the best use of this data is up a few levels.  Even
if we could get all backbones to filter, it will take time to be
implemented.  The reality is not all backbones are going to filter.
For any number of reasons a person could end up with a host on the
end of a unfiltered link.  I'm sure many people would like to have
a reliable way to use this data to filter SMTP connections from
unallocated space, or IRC connections, or modify host based firewall
rules to drop the raw packets.

ARIN is here to serve the community.  Perhaps you have some major
objection to using DNS, or LDAP, or to doing host based, or application
based filtering.  That's fine, run your network/hosts however you'd
like.  The point is there are members of the community who would
like to do those sort of things, and ARIN should enable those people
to do what they want unless someone can show it would hurt ARIN, or
hurt the Network.

Services like bogons.dnsiplists.completewhois.com exist today, and
are in use today.  My assertion that people want this service, and will
use this service is not theoretical.  My desire is to have it provided
directly from ARIN, RIPE, APNIC, etc, and not from completewhois.com.
I trust the RIR's more than I trust completewhois.com.

If you want to lead the charge to make sure no bogus prefix ever appears
on any backbone anywhere, and that no packets are ever sourced from a
bogus block, by all means please do.  That's good work I'll support.
However, until that work is done let us have the slightly ugly duckling,
but already deployed solution proped up a bit, so we at least have a
fighting chance to stop some abuse in the interim.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request at tmbg.org, www.tmbg.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20040122/86c61c64/attachment-0001.sig>


More information about the ARIN-PPML mailing list