RE: Please Check Filters - BOGON Filtering IP Space

As someone who used to "do" a great deal of managed network
services, I can certainly attest to that.

- ferg

> Well, if the router CAN run BGP, the feed from Cymru is only about 84
> prefixes - not a lot of memory tied up there, is there?

Not a very wise solution. If hundreds of thousands of routers
take this feed from Cymru, then it won't be long
before someone attacks Cymru in order to control
the feed. And given the upsurge in criminal activity
related to network abuse, the danger to Cymru is not
just from network exploits. The principals could
find themselves looking at a gun barrel in their
face with their families held hostage. It is very
unwise to push people towards creating a new single
point of failure (or single attack point) in the

My point was that not all managed routers, the majority actually, can't
and don't run BGP. Their code doesn't even support BGP...

Thankfully this is true. However, the majority
of managed routers are managed by servers/workstations
which *ARE* capable of running BGP as well as
scripts to compare ACLs and alert staff when
inconsistencies are discovered.

The prudent course of action is to encourage
people to take the Cymru feed into their
*management systems* and use that feed to vet
their current ACLs or BGP filters. This extra
layer of indirection actually strengthens the
system and protects Cymru from becoming too

--Michael Dillon
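
The management-system check described in the message above, sketched as an added example (not code from the thread or from Team Cymru). It assumes the bogon feed has already been exported on the management host as one prefix per line and that the router ACL uses IOS-style `deny ip <addr> <wildcard> any` lines; the sample data and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: bogon prefixes as received on the management host.
FEED = """\
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
"""

# Constructed sample: ingress ACL pulled from a managed router.
ACL = """\
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.7.255.255 any
access-list 110 deny ip 172.24.0.0 0.7.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 198.51.100.0 0.0.0.255 any
access-list 110 permit ip any any
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
DENY = re.compile(rf"^access-list\s+\d+\s+deny\s+ip\s+{QUAD}\s+{QUAD}\s+any\s*$")

def feed_networks(text):
    nets = (ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip())
    return list(ipaddress.collapse_addresses(nets))

def acl_networks(text):
    nets = []
    for line in text.splitlines():
        m = DENY.match(line.strip())
        if not m:
            continue  # permits, remarks, non-source matches
        # Wildcard mask is the bitwise inverse of the netmask; a
        # non-contiguous wildcard raises ValueError here instead of being guessed.
        mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(m.group(2))) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{mask}"))
    # Collapse so two /13 entries compare equal to one /12 in the feed.
    return list(ipaddress.collapse_addresses(nets))

def audit(feed_text, acl_text):
    feed, acl = feed_networks(feed_text), acl_networks(acl_text)
    missing = [b for b in feed if not any(b.subnet_of(a) for a in acl)]  # bogon not filtered
    stale = [a for a in acl if not any(a.subnet_of(b) for b in feed)]    # filter not in feed
    return missing, stale

if __name__ == "__main__":
    missing, stale = audit(FEED, ACL)
    for n in missing:
        print(f"ALERT missing filter for bogon {n}")
    for n in stale:
        print(f"ALERT stale filter {n}: not in current feed, may block allocated space")
```

The router never consumes the feed directly: the script only reports differences, and staff decide whether to change the ACL.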