Is it time to abandon bogon prefix filters?

Sam Stickland sam_mailinglists at spacething.org
Mon Aug 18 09:01:00 CDT 2008


Pete Templin wrote:
> Jared Mauch wrote:
>
>>     On a router with full routes (ie: no default) the command
>> is:
>>
>> Router(config-if)#ip verify unicast source reachable-via any 
>
> None of these suggestions (including the wisecrack "ACLs") provide 
> full filtering:
>
> If a miscreant originates a route in bogon space, their transit 
> provider(s) doesn't filter their customers, and you or your 
> peer/transit doesn't filter their peers/transits, your router will 
> accept the route in bogon space and will accept the bogon packets.  
> Filtering has not been accomplished, and the bogon attack vector 
> remains open.
>
> Rather than hoping that everyone filters their customers or that all 
> of my transits filter every peer, if I want to protect my network from 
> bogon packets, I need to ensure that my routers won't accept any 
> prefixes in bogon space.  The Team Cymru BGP feed does NOT provide 
> this function; it merely provides a way to inject null routes for 
> bogon aggregates.
I think you misunderstand the meaning of the "ip verify unicasr source 
reachable-via any" command. When a packet arrives the router will drop 
it if it doesn't have a valid return path for the source. Since the 
source is a bogon, and routed to Null0, then the inbound packet is dropped.

Sam





More information about the NANOG mailing list