69/8...this sucks

ljb · March 11, 2003, 8:01pm

> Er, guys... How does this fix the problem of a Malicious user
> advertising a more specific bogon route?

Come on...clearly you haven't been paying attention.

You need LDAP filters. LDAP filters and a South Vietnamese revolution
against the IRRs for being fragmented and greedy.

Careful. We are watching and are prepared to ruthlessly squash
any attempted rebellion.

And if that doesn't poison your inverse arp, then multiplex a private
bogon server with a centralized host scanner-based DNSBL. Don't forget the
trailing dot! And don't forget to invert the subnet mask!

Hey, I've already thought of all that and captured it in an
XML schema (with ASN.1 encoding)! I will be presenting an Internet
Draft next week at the IETF in the CRISP/RPSEC/GROW/IDR meetings.

Seriously... As has been suggested, I think we need to do
a better job of identifying the population and type of devices
that are filtering these prefixes. Are they really predominately
BGP speaking routers, or largely some mishmash of non-BGP speaking
firewalls/proxies/NAT's?

If it's the former, then a BGP based solution has some merit.
If the latter, I think it unreasonable to expect these
firewalls to speak BGP. What's needed is a canonical
represention of the bogon list and some tools to generate
the filter list in the appropriate config format for a number
target devices.

There's already a canonical list maintained by Rob Thomas
in the RADB (see fltr-martian, fltr-unallocated, and
fltr-bogons). I've suggested to Rob that he may want
to include a PGP signature in a remarks section of the object
to provide a greater level of confidence (hopefully with
a key that's escrowed somehow -- god forbid anything should
happen to Rob). I should also note that some of the
RIR's have indicated they will be providing more
precise information on their unallocated space.

As far as tools go, while IRRToolSet has extensive
support for RPSL, it may be too complex for a novice
Net admin. Perhaps some simple Perl scripts to generate
filter configs from RPSL filter objects would be useful?

Larry Blunk
Merit

Rick_Duff · March 11, 2003, 8:08pm

I've never posted to the list, just lurk, for over a year now, but this
has to be said. Can we please take this discussion off-list to private
conversation. It's gotten worse then spam. I see a nanog message and
just start deleting them now.

-rd

Andy_Dills · March 11, 2003, 9:10pm

Come on...everybody takes turns being the nanog nazi, but it isn't your
turn yet.

Two suggestions:

Number one, you'll probably find your list reading experience to be far
more pleasurable if you filter. If nothing else, filter each mailing list
you're on into its own box. It allows you to look at nanog mail only when
you want to look at nanog mail. But then you can take it a step further,
and plonk threads or individual posters into the bit bucket (whatever the
Outlook Express equivalent of /dev/null is). I'm being nice; some would
simply shout "man procmail" and stick YOU in their .procmailrc.

Number two, don't complain about posts which are essentially complaints
themselves (albeit with a sense of humor). My post wasn't just a silly
gesture, it was an attempt to point out the ridiculous extremes and insane
overlapping the threads have denegerated into, without falling into the
"shut up and go away. why I can't ping sublimedirectory.com?" cliche.

At the minute, the following concerns and ideas are being tossed about,
which all overlap slightly but not totally, resulting in a ridiculous
mishmash of ideas that have begun to feed on itself (note that these have
all been brought up in different ways, and are not all parts of a single
thread):

sBGP
bogon filtering
centralized scanning for the prevention of abuse
idealistic segmentation of the net into the "pure" and "impure"
lack of reachibility from 69/8

If you step back on some high level, the threads are all about lazy and or
nonexistent network administration, and ways to cope with the impact on
the net we all have to run. But if you read every post, it has degenerated
into an argument over whether or not everything is ready to be a nail for
the LDAP hammer and whether or not people actually understand how sBGP is
proposed to work.

But at the same time, I can't think of a place this stuff would be more
relevant. Which is why it's good to filter...so you still be subscribed to
the list AND not be annoyed.

Andy

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Andy Dills 301-682-9972
Xecunet, LLC www.xecu.net
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dialup * Webhosting * E-Commerce * High-Speed Access