> > Andre
> >
> > I take it you mean that RFC1918 or other bogons that are not assigned by
> > IANA to any registry are okay to filter vs assigned/allocated IP space
> > to/from the registries should not be filtered.
>
> Yes, exactly.
>
> In my opinion also the aggregating filtering on min allocation sizes
> IP-Plus is doing is wrong.
>
> The problem with default deny everything unless allowed is always that
> you have to readjust this kind of filter all the time. And you might
> miss some update or you are on vacation or...
>
> I deny </7 and >/25 plus the RFC1918 and DHCP space but allow everything
> else. The risk to miss a change or new allocation is almost zero and it
> works right away.

I don't 100% agree, IANA have a web page with this info and they keep it up
to date, allocations out of the "reserved" address space are not done very
frequently, usually every 3-4 months max. When a new block is allocated it
usually is done way ahead of time and it usually takes months before
anything is in the BGP table. Also, IANA do announce on various mailing
lists when they update the allocation list. So I see nothing wrong with
denying any non allocated address space.

If one is worried about forgetting about it, there are many ways of checking
if there has been an update; no need to list them here, I think everyone has
his favorite script in mind.

Thomas

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
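
The two filtering approaches argued in the thread above, as an added example that is not part of the original messages: it evaluates prefixes against the length-based policy and against an unallocated-block deny list, then diffs two list snapshots to catch a stale filter. The function names and both snapshots are constructed for illustration (they are not real IANA registry contents), "</7" is read as a prefix length below 7, and the "DHCP space" is left out because the thread does not give its range.

```python
import ipaddress

# RFC 1918 private ranges, filtered under both approaches in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def length_policy(prefix):
    """Quoted policy: deny </7, deny >/25, deny RFC 1918, permit the rest."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen < 7 or net.prefixlen > 25:
        return "deny"
    # subnet_of mirrors a router's "10.0.0.0/8 le 32" style match.
    if any(net.subnet_of(r) for r in RFC1918):
        return "deny"
    return "permit"

def allocation_policy(prefix, unallocated):
    """Reply's policy: also deny anything inside an unallocated block.

    Layering it on top of length_policy is an assumption of this example.
    """
    net = ipaddress.ip_network(prefix)
    if any(net.subnet_of(ipaddress.ip_network(b)) for b in unallocated):
        return "deny"
    return length_policy(prefix)

def newly_allocated(deployed, current):
    """Blocks the deployed filter still denies but the current list no longer reserves."""
    return sorted(set(deployed) - set(current), key=ipaddress.ip_network)

# Constructed snapshots of an "unallocated /8" list (hypothetical values).
DEPLOYED = ["100.0.0.0/8", "101.0.0.0/8", "102.0.0.0/8"]  # what the router has
CURRENT = ["100.0.0.0/8", "102.0.0.0/8"]                  # list after an update

if __name__ == "__main__":
    for p in ("0.0.0.0/0", "10.1.0.0/16", "101.4.0.0/26", "101.4.0.0/16"):
        print(f"{p:16} length={length_policy(p):6} "
              f"stale={allocation_policy(p, DEPLOYED):6} "
              f"fresh={allocation_policy(p, CURRENT)}")
    # A non-empty result means the deny list must be updated before the
    # new block shows up in the BGP table.
    print("remove from deny list:", newly_allocated(DEPLOYED, CURRENT))
```

With the stale list, 101.4.0.0/16 is dropped even though the length-based policy accepts it, which is the maintenance risk raised in the quoted message; the snapshot diff is the kind of update check the reply refers to.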
