Bogon filtering (don't ban me)
Joe Abley
jabley at isc.org
Sun Dec 5 17:41:32 UTC 2004
On 5 Dec 2004, at 06:50, Cliff Albert wrote:
> I have one question regarding the CYMRU bogon route-server. What good
> is it if more-specific bogons are going around in the BGP table?
With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to
BGP updates received from individual peers which updates a pf radix
table with the network received:

# team cymru bogon route servers
group "bogons" {
        remote-as 65333
        local-address A.B.C.D
        multihop 64
        announce none
        max-prefix 1000
        tcp md5sig password "xxsomethingxx"
        neighbor E.F.G.H
        neighbor I.J.K.L
}

# cymru set 65333:888 on bogon routes
allow from any community 65333:888 set pftable "bogons"
allow from any community 65333:888 set nexthop blackhole

This allows you to block inbound/outbound packets in the packet filter,
and not just rely on blackhole routing (I left the "nexthop blackhole"
policy statement in there to provide some coverage in case I
accidentally disable pf one day due to caffeine deficiency). The pf
config bits are:

table <bogons> persist

# no bogon sources or destinations
block quick from <bogons> to any
block quick from any to <bogons>

This seems to work very nicely, and neatly accommodates the problem of
what to do with packets which follow more-specific routes of the cymru
bogon supernets. The rules above would probably need to be loosened
somewhat for a network which used 1918 addresses and NAT, since the
1918 addresses are included in the bogon feed.
This is an answer that is probably not useful for the average ISP
backbone, but I tried it out a week or so ago on my home network
firewall/router boxes, and it works very nicely. It's a good solution
for (say) an enterprise network whose external traffic falls within the
bounds of what an OpenBSD box can handle (or boxes, if you do stateful
failover with CARP and pfsync).
Joe
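The point Joe makes about more-specifics is easy to see in a small model. The following is an added example, not code from Joe's post, from OpenBSD or from Team Cymru: it simulates a blackhole-routing lookup (longest-prefix match over a constructed RIB) next to a pf table lookup (match against any covering entry), using a constructed bogon feed and a hypothetical rogue more-specific route inside one of the bogon supernets. It also shows the RFC 1918 carve-out Joe mentions for a network that uses private addresses behind NAT. All prefixes, the next-hop labels and the `build_pftable`/`verdict` helpers are assumptions for the illustration.

```python
"""Blackhole route vs. pf table for bogon filtering (added example).

Not code from the NANOG post or from OpenBSD. It models the two
mechanisms the post contrasts, with a constructed bogon feed and a
constructed routing table in place of the real Team Cymru data.

  * Blackhole routing drops a packet only when the longest-prefix match
    for its address is the blackhole route, so a more-specific route
    announced inside a bogon supernet wins and the packet is forwarded.
  * A pf table ('block quick from <bogons>') drops the packet when its
    address falls inside *any* table entry, whatever the RIB says.
"""
import ipaddress

# Constructed bogon feed (hypothetical; the real feed is much longer).
BOGON_FEED = (
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "192.0.2.0/24",     # TEST-NET-1
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
)

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed RIB: prefix -> next hop. "blackhole" marks routes produced
# by the 'set nexthop blackhole' rule; 198.51.100.128/25 is a hypothetical
# rogue more-specific announced inside one of the bogon supernets.
RIB = {
    "0.0.0.0/0": "upstream",
    "192.0.2.0/24": "blackhole",
    "198.51.100.0/24": "blackhole",
    "198.51.100.128/25": "peer-x",
    "203.0.113.0/24": "blackhole",
}


def longest_prefix_match(rib, addr):
    """Forwarding lookup: next hop of the most specific RIB entry covering addr."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, nexthop in rib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def dropped_by_blackhole(rib, addr):
    """True only if the forwarding decision itself lands on the blackhole."""
    return longest_prefix_match(rib, addr) == "blackhole"


def build_pftable(feed, exclude=()):
    """Model the pf <bogons> table as filled by 'set pftable "bogons"'.

    exclude lists prefixes to keep out of the table (the RFC 1918 space on
    a NAT'd network). Assumes, as here, that such space appears in the feed
    as entries equal to or inside the excluded prefixes.
    """
    excluded = [ipaddress.ip_network(p) for p in exclude]
    return [n for n in map(ipaddress.ip_network, feed)
            if not any(n.subnet_of(x) for x in excluded)]


def dropped_by_pf(table, addr):
    """'block quick from <bogons>' / 'to <bogons>': any covering entry matches."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in table)


def verdict(addr, rib=RIB, table=None):
    """Compare the two mechanisms for one address."""
    if table is None:
        table = build_pftable(BOGON_FEED)
    return {"blackhole": dropped_by_blackhole(rib, addr),
            "pf": dropped_by_pf(table, addr)}


if __name__ == "__main__":
    full = build_pftable(BOGON_FEED)
    natted = build_pftable(BOGON_FEED, exclude=RFC1918)
    # 1.2.3.4 is simply an address outside this toy feed.
    for addr in ("198.51.100.5", "198.51.100.200", "10.1.2.3", "1.2.3.4"):
        print(addr, verdict(addr, table=full),
              "nat-site pf:", dropped_by_pf(natted, addr))
```

Running it shows the case from Cliff's question: 198.51.100.200 follows the /25 to `peer-x` and escapes the blackhole, but the pf table still drops it because the address sits inside the /24 entry. With `exclude=RFC1918` the NAT'd-site table no longer blocks 10.1.2.3, which is the loosening Joe describes.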