Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

...and it's not like ARIN, etc., does not announce to the
Internet community when it allocates from address space
which may have previously been listed in various operational
places as "bogon" or "unallocated" -- they do.

I recall seeing similar announcements on the list from time
to time, suggesting due diligence on ARIN's behalf in notifying
people to modify their filtering. *plonk*

Scanning the archives, an example:

http://www.merit.edu/mail.archives/nanog/2004-01/msg00374.html

- ferg

Is there an RFC or other standards document that clearly states that static
bogon filter lists are a bad idea? While this seems like common sense, there
was just an RFC published on why IP addresses for specific purposes (like
NTP) shouldn't be encoded into hardware.

Using a dynamic feed needs to be codified so that it finds its way into
training classes, documentation, etc. Otherwise, this problem will recur
indefinitely.

- Dan

11:02am Daniel Golding said:

Is there an RFC or other standards document that clearly states that static
bogon filter lists are a bad idea? While this seems like common sense, there

Since this keeps coming up. I'll toss my quick and dirty reminder cronjob
into the discussion. I cannot imagine any other way of managing the static
bogons published on the Team Cymru web site. (For those of us who don't
need to run their many other dynamic options.) Copying a static config
wholesale is a classic case of myopic thinking.

  $ cat /etc/cron.monthly/ckbogons.sh
  #!/bin/bash
  
  # aggregated bogon list published by Team Cymru
  bnagg=http://www.cymru.com/Documents/bogon-bn-agg.txt
  
  # make a new bogon list from the web, rewritten into static-routes syntax
  newbog=$(mktemp) || exit 1
  wget -qO- "$bnagg" | awk '{print "any net " $1 "\treject"}' >"$newbog"
  
  # an empty download must not be mistaken for "all bogons went away"
  if [ ! -s "$newbog" ]; then
      echo "ckbogons: empty download from $bnagg" >&2
      rm -f "$newbog"
      exit 1
  fi
  
  # get current list from our static-route config
  oldbog=$(sed -ne '/^any.*reject$/,/^$/p' /etc/sysconfig/static-routes)
  
  # compare; any output here is mailed by cron and means we are out of sync
  #echo "$oldbog" |cdiff - $newbog
  echo "$oldbog" | diff -uw - "$newbog"
  
  rm -f "$newbog"

Obviously it's for a Linux edge using Red Hat style initscripts. But the
basic gist is sound; alert the admin whenever we are out of sync. And an
expect script could easily be whipped up for monitoring IOS/whatever other
static bogons one has installed.

Admins who choose the *static* bogon list should use this technique of
self-control.

../C
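The check above works on whole config lines with diff(1). As an added example (not from any poster in this thread, and not Team Cymru's code), the script below does the same comparison on normalized prefix sets with comm(1), so it reports separately the stale entries still installed (the case from the subject line: 72.14.128.0/19 listed as a bogon after allocation) and the feed entries not yet installed. Both inputs are constructed sample data embedded inline, so it runs offline; in practice the feed would come from the same wget as in ../C's cronjob and the installed list from whatever config the box really uses.

```shell
#!/bin/sh
# Added example: compare the installed static bogon list against a fresh feed.
# All data below is constructed for illustration, not real feed output.

LC_ALL=C
export LC_ALL

# Constructed stand-in for the downloaded aggregated bogon feed.
SAMPLE_FEED='# constructed sample feed, one prefix per line
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.0.2.0/24
'

# Constructed stand-in for what is currently installed on the edge box.
# It still carries 72.14.128.0/19 (the block named in the thread subject)
# and is missing 192.0.2.0/24.
SAMPLE_INSTALLED='0.0.0.0/8
10.0.0.0/8
72.14.128.0/19
127.0.0.0/8
'

# normalize: drop comments, trailing whitespace and blank lines, then sort
# uniquely so that comm(1) can compare the two lists line by line.
normalize() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

# Write both lists, normalized, to temp files and run comm with the given
# flags. $1 = installed list, $2 = feed, $3 = comm flags.
_compare() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' "$1" | normalize >"$a"
    printf '%s\n' "$2" | normalize >"$b"
    comm "$3" "$a" "$b"
    rm -f "$a" "$b"
}

# Prefixes installed locally but absent from the feed: stale entries that
# now blackhole allocated space and should be removed.
stale_prefixes() {
    _compare "$1" "$2" -23
}

# Prefixes in the feed that are not installed: candidates to add.
missing_prefixes() {
    _compare "$1" "$2" -13
}

# Exit 0 when installed and feed agree, 1 otherwise (so cron mails the report).
in_sync() {
    out=$(_compare "$1" "$2" -3)
    [ -z "$out" ]
}

# Human-readable report, suitable for a cron mail.
report() {
    printf 'STALE (remove):\n%s\n' "$(stale_prefixes "$1" "$2")"
    printf 'MISSING (add):\n%s\n' "$(missing_prefixes "$1" "$2")"
}

# Stand-alone run on the constructed data.
if [ "${1:-}" = "--demo" ]; then
    report "$SAMPLE_INSTALLED" "$SAMPLE_FEED"
    in_sync "$SAMPLE_INSTALLED" "$SAMPLE_FEED"
fi
```

Run it as `sh ckbogons.sh --demo`; the exit status is 1 whenever the two sets differ, which is what makes it useful as a cron job. The non-empty-download guard from the cronjob above still applies before calling these functions: an empty feed normalizes to an empty set and would report every installed prefix as stale.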