Is it time to abandon bogon prefix filters?
Sam Stickland
sam_mailinglists at spacething.org
Mon Aug 18 14:01:00 UTC 2008
Pete Templin wrote:
> Jared Mauch wrote:
>
>> On a router with full routes (ie: no default) the command
>> is:
>>
>> Router(config-if)#ip verify unicast source reachable-via any
>
> None of these suggestions (including the wisecrack "ACLs") provide
> full filtering:
>
> If a miscreant originates a route in bogon space, their transit
> provider(s) doesn't filter their customers, and you or your
> peer/transit doesn't filter their peers/transits, your router will
> accept the route in bogon space and will accept the bogon packets.
> Filtering has not been accomplished, and the bogon attack vector
> remains open.
>
> Rather than hoping that everyone filters their customers or that all
> of my transits filter every peer, if I want to protect my network from
> bogon packets, I need to ensure that my routers won't accept any
> prefixes in bogon space. The Team Cymru BGP feed does NOT provide
> this function; it merely provides a way to inject null routes for
> bogon aggregates.
I think you misunderstand the meaning of the "ip verify unicast source
reachable-via any" command. When a packet arrives the router will drop
it if it doesn't have a valid return path for the source. Since the
source is a bogon and routed to Null0, the inbound packet is dropped.
Sam
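To make the two positions in this exchange concrete, here is an added simulation (not from the thread, and not vendor code) of a loose-mode uRPF check over a constructed FIB: a bogon aggregate routed to Null0, as a bogon feed would inject, and a second FIB where a more-specific prefix in that bogon space has been accepted from a peer. The prefixes, interface names and source addresses are all constructed for illustration.

```python
import ipaddress

# Constructed FIB entries as (prefix, next hop). "Null0" marks a discard
# route such as one injected from a bogon feed (assumption: 10.0.0.0/8 stands
# in for a bogon aggregate; 203.0.113.0/24 stands in for a legitimately
# routed customer prefix).
FIB = [
    (ipaddress.ip_network("10.0.0.0/8"), "Null0"),
    (ipaddress.ip_network("203.0.113.0/24"), "Gi0/1"),
]

# Same FIB, but a more-specific route inside the bogon aggregate has been
# accepted from a peer (the scenario Pete describes: no prefix filter upstream).
LEAKED_FIB = FIB + [(ipaddress.ip_network("10.1.2.0/24"), "Gi0/2")]


def lookup(fib, addr):
    """Longest-prefix match; returns the next hop, or None if no route exists."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in fib:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def urpf_loose_permits(fib, src):
    """Loose-mode uRPF ("reachable-via any"): the source must resolve to some
    route in the FIB, and that route must not be a discard (Null0) route."""
    next_hop = lookup(fib, src)
    return next_hop is not None and next_hop != "Null0"


if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.113.7", "192.0.2.9"):
        print(f"{src:>13}: feed only -> {'permit' if urpf_loose_permits(FIB, src) else 'drop':6}"
              f"  leaked /24 -> {'permit' if urpf_loose_permits(LEAKED_FIB, src) else 'drop'}")
```

With only the Null0 aggregate present, the bogon-sourced packet is dropped exactly as Sam describes; once a more-specific route in that space is accepted, the longest match wins and loose uRPF permits the packet, which is why Pete still wants the prefix itself rejected at BGP import.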