On Thu, 14 Aug 2008, Steven M. Bellovin wrote:
Many of them -- most of them? -- do filter, to the extent that they can.
However, they're in a poor position to do a complete job.
What I would like is to be able to filter prefixes on the basis of the
AS-path/prefix combination, and have this
BGP Update Report
Interval: 14-Jul-08 -to- 14-Aug-08 (32 days)
Observation Point: BGP Peering with AS2.0
TOP 20 Unstable Origin AS
Rank  ASN     Upds    %      Upds/Pfx  AS-Name
1   - AS4538  95373   1.5%   19.0   -- ERX-CERNET-BKB China Education and Research Network Center
2
This report has been generated at Fri Aug 15 21:17:41 2008 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.
Check http://www.cidr-report.org for a current version of this report.
Recent Table History
Date
Randy Bush [EMAIL PROTECTED] writes:
bogon block     attacks   % of attacks
0.0.0.0/7            65       0.01
2.0.0.0/8             3       0.00
5.0.0.0/8             3       0.00
10.0.0.0/8         8794       1.21
23.0.0.0/8            4       0.00
27.0.0.0/8            7       0.00
92.0.0.0/6          101       0.01
In other words, our earlier estimate of 60% was way off... you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.
my read is that the 60% was an alleged 60% of attacks came from *all*
bogon space. this now seems in the
On Thu, 14 Aug 2008 23:44:50 -0600, Danny McPherson wrote:
Okay, I admit I haven't paid the closest attention to RPKI, but I
have to ask: Is this a two-way shared-key issue, or (worse) a case
where we need to rely on a central entity to be a key clearinghouse?
snip
In short, the latter,
The RPKI is hierarchical and distributed all over everywhere.
yes, hierarchic. but the guess is that it is distributed more like the
irr, some dozens of folk will run it, not millions such as the dns.
randy
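Bellovin's wish above is to filter on the AS-path/prefix combination, and the RPKI exchange that follows is about where the data for such a check would come from. The block below is an added illustration of that check in the style of RFC 6811 route origin validation (valid / invalid / not-found against a table of ROAs). It is not code from any poster or from any RPKI implementation; the ROA table, the announcements, the documentation prefixes and the private ASNs are all constructed sample data.

```python
"""Route origin validation in the style of RFC 6811.

Added illustration for this thread, not code from any poster or from any
RPKI implementation. The ROA table and the announcements below are
constructed sample data using documentation prefixes and private ASNs.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """A validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> Roa:
    """Build a ROA, rejecting a maxLength outside [prefixlen, address size]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Roa(net, max_length, origin_as)


# Constructed ROA table (hypothetical data, not real RPKI objects).
ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/22", 24, 64497),
    make_roa("2001:db8::/32", 48, 64496),
]


def validate(prefix: str, as_path: list[int], roas: list[Roa] = ROAS) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    The origin AS is taken as the rightmost AS in the AS_PATH; AS_SET
    origin segments are not modelled here.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]
    # Only ROAs of the same address family whose prefix covers the route count.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    # One matching ROA is enough; covering ROAs for another AS or with a
    # smaller maxLength only make the route invalid if nothing matches.
    for r in covering:
        if r.origin_as == origin and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def apply_policy(updates, roas=ROAS) -> dict[str, list]:
    """Accept valid and not-found routes, reject invalid ones."""
    result: dict[str, list] = {"accept": [], "reject": []}
    for prefix, as_path in updates:
        state = validate(prefix, as_path, roas)
        bucket = "reject" if state == "invalid" else "accept"
        result[bucket].append((prefix, as_path))
    return result


if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", [64500, 64496]),     # valid
        ("192.0.2.0/25", [64500, 64496]),     # invalid: longer than maxLength
        ("192.0.2.0/24", [64500, 64499]),     # invalid: origin not authorised
        ("198.51.100.0/23", [64497]),         # valid via maxLength 24
        ("203.0.113.0/24", [64500]),          # not-found: no covering ROA
        ("2001:db8:1::/48", [64501, 64496]),  # valid
    ]
    for prefix, path in sample:
        print(f"{prefix:18} origin AS{path[-1]:<6} -> {validate(prefix, path)}")
```

The policy accepts not-found routes on purpose: with only a few dozen publication points populated, rejecting everything without a ROA would drop most of the table, which is the availability point raised later in this thread.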
On Aug 15, 2008, at 9:26 AM, Randy Bush wrote:
In other words, our earlier estimate of 60% was way off... you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.
my read is that the 60% was an alleged 60% of attacks
Randy Bush [EMAIL PROTECTED] writes:
In other words, our earlier estimate of 60% was way off... you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.
my read is that the 60% was an alleged 60% of attacks came from
On Fri, 15 Aug 2008 13:56:09 +0300 (EEST), Pekka Savola wrote:
I'm not sure I follow. Many of these aliens are in fact registered in
RADB, so AFAICS, there is no reason for them to be registered in
RIPE DB.
On the other hand, some want to register them in RIPE DB because some
operators
In other words, our earlier estimate of 60% was way off... you can
get 92.1% effectiveness at bogon filtering by just dropping 1918
addresses, a filter that you will never have to change.
my read is that the 60% was an alleged 60% of attacks came from *all*
bogon space. this now seems in
On Fri, 15 Aug 2008, Robert E. Seastrom wrote:
so is there any case to be made for filtering bogons on
upstream/peering ingress at all anymore?
Depends on where and how.
On highly managed routers at highly managed interconnection points around
the Internet, having some basic packet hygiene
Danny McPherson wrote:
On Aug 14, 2008, at 1:09 PM, Jared Mauch wrote:
You're missing a step:
janitor.
No really, the reason for some leaks isn't because so-and-so was
never a customer, they were. 5 years ago. nobody removed the routes
from
the IRR or AS-SET or insert
On Fri, 15 Aug 2008 09:49:38 -0400 (EDT)
Sean Donelan [EMAIL PROTECTED] wrote:
On Fri, 15 Aug 2008, Randy Bush wrote:
my read is that the 60% was an alleged 60% of attacks came from
*all* bogon space. this now seems in the low single digit
percentage. of that, the majority is from 1918
On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
Martians plus 1918 space, I'd say, though that requires knowing which
are border interfaces.
Whether you include or exclude rfc1918 addresses is another issue. Whack
the martians first :-)
Unfortunately, enough ISPs use rfc1918 addresses on
security person rant
Easy upgrade to PKI after the fact might as well be a misnomer. In
particular, there will likely be no way to ensure that nobody uses the old
system instead of the new, spiffy and secure-ified system. This means that
support for the old, insecure system must be kept
Sean Donelan [EMAIL PROTECTED] writes:
For unmanaged and semi-managed routers, I'd suggest strict out-bound
packet controls (i.e. be conservative in what you send) because you
already need to make operational updates when they change. But
consider using inbound controls that require less
Sean Donelan [EMAIL PROTECTED] writes:
On Fri, 15 Aug 2008, Robert E. Seastrom wrote:
so is there any case to be made for filtering bogons on
upstream/peering ingress at all anymore?
Depends on where and how.
On highly managed routers at highly managed interconnection points around
the
Again, I think bogon filters are a bad idea for unmanaged or
semi-managed routers (or inclusion as a default in anything,
i.e. Cisco's auto-secure).
You make a very good point about the difference between routers that
are being routinely maintained by highly clueful people and routers
that
as a mutual friend who pretends he does not read nanog emailed privately
rfc1918 filters, like bcp38 filters, could be construed as topological
assertions rather than bogon filters per se. certainly they are for
edge routers, but even in the dfz, i don't think we're in rfc 1918
space anymore,
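The point made above, that rfc1918 and bcp38 filters are topological assertions rather than bogon lists, and Randy's earlier table showing that the 1918 rows account for almost all of the "bogon" attack sources, are both illustrated by the added block below. It models an edge router's ingress check per interface (static martians everywhere, plus a per-customer-interface source-prefix check for BCP38) and tallies how many drops a 1918-only filter would have caught. This is illustration code for this thread, not any poster's configuration; the interface names, customer prefix assignments and packet sample are constructed.

```python
"""Edge ingress filtering as a topological assertion.

Added illustration for this thread, not any poster's code or router config.
Interface names, customer prefix assignments and the packet sample are
constructed; the martian list is the static set of RFC 1918, loopback,
link-local, multicast and reserved space.
"""
import ipaddress
from collections import Counter

# Martians never appear as a legitimate source on an internet-facing
# interface. Unlike unallocated ("bogon") space, this list does not change.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]
RFC1918 = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Topology (hypothetical): source prefixes legitimately behind each
# customer-facing interface. Transit/peer interfaces carry the whole
# Internet, so only martians are dropped there.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/22")],
}
TRANSIT_INTERFACES = {"xe-1/0/0"}


def covered(addr, nets) -> bool:
    return any(addr in n for n in nets)


def ingress_verdict(iface: str, src: str) -> str:
    """Decide what happens to a packet with source `src` arriving on `iface`."""
    addr = ipaddress.ip_address(src)
    if covered(addr, MARTIANS):
        return "drop:martian"
    if iface in CUSTOMER_PREFIXES:
        # BCP38: a customer port may only source its own assigned space.
        if not covered(addr, CUSTOMER_PREFIXES[iface]):
            return "drop:bcp38"
        return "accept"
    if iface in TRANSIT_INTERFACES:
        return "accept"
    return "drop:unknown-interface"


def tally(packets) -> Counter:
    """Count verdicts, and separately how many martian drops a 1918-only
    filter would have caught on its own."""
    counts = Counter()
    for iface, src in packets:
        verdict = ingress_verdict(iface, src)
        counts[verdict] += 1
        if verdict == "drop:martian" and covered(ipaddress.ip_address(src), RFC1918):
            counts["drop:martian:rfc1918"] += 1
    return counts


# Constructed packet sample: (ingress interface, source address).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7"),    # customer sourcing its own space
    ("ge-0/0/1", "198.51.100.9"),   # spoofing another customer's space
    ("ge-0/0/1", "10.1.2.3"),       # 1918 leak from a customer
    ("ge-0/0/2", "198.51.101.20"),  # inside 198.51.100.0/22
    ("xe-1/0/0", "192.168.0.5"),    # 1918 source arriving from transit
    ("xe-1/0/0", "8.8.8.8"),        # ordinary transit traffic
    ("xe-1/0/0", "224.0.0.9"),      # multicast source, non-1918 martian
]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        print(f"{iface:10} {src:16} {ingress_verdict(iface, src)}")
    print(dict(tally(SAMPLE_PACKETS)))
```

Nothing here needs updating when new /8s are allocated, which is the maintenance argument against a true bogon list on a router nobody will revisit; the only per-box data is the customer prefix map, and that already has to change when customers change.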
Randy Bush wrote:
in the field != untouched/unloved
i contend that all one's routers should be rigorously configured as
programmatically as possible.
It seems to me that those are the routers where the filtering of both
packets and routes is easiest and most effective. If every such router
Easy upgrade to PKI after the fact might as well be a
misnomer. In particular, there will likely be no way to
ensure that nobody uses the old system instead of the new,
spiffy and secure-ified system. This means that support
for the old, insecure system must be kept around
Steven M. Bellovin [EMAIL PROTECTED] writes:
Security? Remember that availability is a security issue, too.
It never ceases to amaze me how many security people walk around
oblivious to this basic notion.
-r
Robert E. Seastrom wrote:
Steven M. Bellovin [EMAIL PROTECTED] writes:
Security? Remember that availability is a security issue, too.
It never ceases to amaze me how many security people walk around
oblivious to this basic notion.
But of course! The most secure object is one nobody knows
Randy Bush [EMAIL PROTECTED] writes:
Again, I think bogon filters are a bad idea for unmanaged or
semi-managed routers (or inclusion as a default in anything,
i.e. Cisco's auto-secure).
You make a very good point about the difference between routers that
are being routinely maintained by
Not sure what you mean by this, but the painful reality is that most
stuff, once deployed, gets promptly forgotten about, much the same as
you might ignore a wall wart power supply under your desk until it
started smelling funny or stopped delivering electricity. Thus, I
contend that one's
Randy Bush [EMAIL PROTECTED] writes:
Not sure what you mean by this, but the painful reality is that most
stuff, once deployed, gets promptly forgotten about, much the same as
you might ignore a wall wart power supply under your desk until it
started smelling funny or stopped delivering
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jon Kibler wrote:
BTW, despite the fact that Cisco says exploits are available, there is
not the first mention of this vulnerability on the WebEx web site.
I really hate to reply to my own postings, but in this case I will make
an exception.
I
On Fri, 15 Aug 2008 08:56:27 -0700
Randy Bush [EMAIL PROTECTED] wrote:
Not sure what you mean by this, but the painful reality is that most
stuff, once deployed, gets promptly forgotten about, much the same
as you might ignore a wall wart power supply under your desk until
it started
I respectfully disagree that it's nonsense. You can shut off your Gopher
server, because, for some set of nobody that you care about, nobody uses
Gopher anymore.
There are several basic ways for an old protocol to get replaced:
- Nobody has a use for it any more, for a sufficient level of
On Fri, 15 Aug 2008, Steven M. Bellovin wrote:
and i am saying that you should use a router configuration *system*
that avoids ticking time bombs. no router should be neglected and
unloved.
That, I think, is why he distinguished between routers run by highly
clueful people and routers run by
On Fri, Aug 08, 2008 at 10:27:33PM +0100, n3td3v wrote:
He's ruining Nanog, just so he can get self glorification and self
gratification in
himself as some kind of leader of internet security industry when he
really is just a sad fat person who is a nobody.
All the best,
Clearly not.
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to [EMAIL PROTECTED]
For historical data, please see http://thyme.apnic.net.
If you have any comments please contact Philip Smith [EMAIL
33 matches