Dear team, I’ve already reached out to Lukas directly, but I’ll kibitz a bit:
> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls,
>
> Which are perfectly valid use cases for some networks / situations.

Indeed! There was a time early in the life of the bogon lists where folks requested host-based and firewall-based filter examples. This was because these were their AS-border devices, e.g. host-based routers and firewalls, and hardware firewalls. I don’t remember writing a Cisco ASA example, but that was a long time ago. :)

Be well,
Rabbi Rob.

> On Tue, Mar 7, 2023 at 6:35 PM Lukas Tribus <[email protected]> wrote:
> On Wed, 8 Mar 2023 at 00:05, William Herrin <[email protected]> wrote:
> > Hi Lukas,
> >
> > If you're using the team cymru bogon list at your customer border,
> > you're doing it wrong.
>
> I'm not.
>
> I'm trying to educate people that bogon lists do not belong on hosts,
> firewalls or intermediate routers, despite Team-cymru's aggressive
> marketing of the opposite, quote:
>
> > THE BOGON REFERENCE
> >
> > *A bogon prefix should never appear in the Internet routing table*.
> > Team Cymru’s Bogon Reference provides several resources for
> > the filtering of bogon prefixes from your routers *and hosts*.
> >
> > A bogon prefix is a route that should never appear in the Internet
> > routing table. A packet routed over the public Internet (not including
> > over VPNs or other tunnels) *should never have an address in a
> > bogon range.* These are commonly found as the source addresses
> > of DDoS attacks.
>
> They either have to make it clear what their bogon list can actually
> be used for or they need to drop RFC6598 from the list.
>
> They talk about bogon prefixes "for hosts", provide configuration
> examples for Cisco ASA firewalls, at the same time they include
> RFC6598 in the list and its marketing material suggests it can be
> used for everything.
>
> You can't have it both ways. Either you provide a list of prefixes to
> be dropped on autonomous system borders *and make that clear* or you
> provide a list of prefixes that can be dropped in all systems.
>
> Lukas

--
Rabbi Rob Thomas
Team Cymru
"It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern
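Added example, not part of the thread and not Team Cymru's feed or tooling: a small Python placement check that encodes the distinction argued above, treating RFC 6598 shared address space as a bogon only at the AS border and never on a host, firewall or intermediate router. The prefix list, the placement names and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed subset of a bogon-style list (illustrative, not Team Cymru's feed).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # RFC 6598 shared address space (CGN)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # RFC 1918 private
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

# Prefixes that are bogons only at the autonomous-system border: inside an
# operator network that runs CGN, RFC 6598 space is the legitimate inside
# address of every subscriber, so a host, firewall or intermediate router
# must not drop it. (An operator using RFC 1918 internally would list those
# prefixes here too; kept to the thread's case, which is RFC 6598.)
BORDER_ONLY = {ipaddress.ip_network("100.64.0.0/10")}


def active_bogons(placement):
    """Prefixes a filter at `placement` ("as_border" or "internal") may drop."""
    if placement == "as_border":
        return list(BOGON_PREFIXES)
    if placement == "internal":
        return [p for p in BOGON_PREFIXES if p not in BORDER_ONLY]
    raise ValueError(f"unknown placement: {placement}")


def should_drop(src, placement):
    """True if a packet with source `src` is a bogon for a filter at `placement`."""
    addr = ipaddress.ip_address(src)
    return any(addr in p for p in active_bogons(placement))


def misplaced_entries(acl_prefixes, placement):
    """Entries of an existing deny-list that are wrong for `placement`:
    border-only bogons configured on a host, firewall or intermediate router."""
    if placement == "as_border":
        return []
    return [p for p in acl_prefixes if ipaddress.ip_network(p) in BORDER_ONLY]
```

Running `misplaced_entries` over a device's deny-list is the audit that catches a copied-in bogon list on the wrong box before it silently drops CGN subscribers.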