Is it time to abandon bogon prefix filters?

Eric Jensen ejensen at jensenresearch.com
Mon Aug 18 19:09:42 UTC 2008


>
>Message: 3
>Date: Mon, 18 Aug 2008 08:21:38 -0500
>From: Pete Templin <petelists at templin.org>
>Subject: Re: Is it time to abandon bogon prefix filters?
>
>None of these suggestions (including the wisecrack "ACLs") provide full
>filtering:
>
>If a miscreant originates a route in bogon space, their transit
>provider(s) doesn't filter their customers, and you or your peer/transit
>doesn't filter their peers/transits, your router will accept the route
>in bogon space and will accept the bogon packets.  Filtering has not
>been accomplished, and the bogon attack vector remains open.

We recently expanded our network, separating our multi-homed transit 
network from our corporate and 'network services' LANs.  We use BGP 
sessions between our transit and services networks to trade internal 
(RFC1918) routes as well as supply a default route.  We do not trade 
external routes over these new sessions.

A happy side-effect of this is that our black-hole router, with a cymru 
bogon feed, now populates the corporate routing table, rather than our full 
transit table, and by using strict URPF all bogon traffic gets dropped 
(inbound), and no more-specific routes learned by the transit routers will 
override our BH routes.

- Eric
AS17103
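The effect Eric describes (a blackhole router feeding bogon null routes into the corporate table, with strict uRPF then dropping any packet whose source resolves to a Null0 route) can be simulated in a few dozen lines. The following is an added example, not code from the post or from NANOG; the routing table, interface names and the bogon prefixes in it are constructed placeholders (documentation and reserved ranges standing in for a real Team Cymru feed), and `ge-0/0/0` / `ge-0/0/1` / `Null0` are assumed interface names. Because the corporate table holds only RFC1918 routes, a default, and the blackhole routes, no more-specific transit route is present to override a blackhole, which is the second point the post makes.

```python
"""Simulate strict unicast RPF over a routing table that carries
blackhole (Null0) routes for bogon prefixes.

Added example; not code from the post or the NANOG list. All prefixes
and interface names below are constructed samples, not a real feed."""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"  # assumed name for the blackhole pseudo-interface


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str


def build_table(routes):
    """Sort routes by prefix length, longest first, so the first hit in
    lookup() is the longest-prefix match."""
    return sorted((Route(ipaddress.ip_network(p), i) for p, i in routes),
                  key=lambda r: r.prefix.prefixlen, reverse=True)


def lookup(table, addr):
    """Longest-prefix match for addr; None when no route (no default)."""
    a = ipaddress.ip_address(addr)
    for r in table:
        if a in r.prefix:
            return r
    return None


def strict_urpf_permit(table, src, in_iface):
    """Strict uRPF: permit only if the best route back to src exits the
    same interface the packet arrived on. A blackhole route can never
    match an ingress interface, so any bogon-sourced packet is dropped;
    an internal (RFC1918) source arriving from transit is dropped too."""
    r = lookup(table, src)
    if r is None:
        return False
    return r.out_iface == in_iface and r.out_iface != NULL0


# Constructed corporate/services table: RFC1918 internal routes, a default
# toward the transit router, and blackhole routes standing in for bogons.
SERVICES_TABLE = build_table([
    ("0.0.0.0/0", "ge-0/0/0"),       # default via transit router (assumed iface)
    ("10.0.0.0/8", "ge-0/0/1"),      # corporate LAN (assumed iface)
    ("192.168.0.0/16", "ge-0/0/1"),  # services LAN
    ("192.0.2.0/24", NULL0),         # blackhole: documentation range as sample bogon
    ("240.0.0.0/4", NULL0),          # blackhole: reserved space
])


def filter_packets(table, packets):
    """Return (src, in_iface, verdict) for a list of (src, in_iface)."""
    return [(src, iface,
             "permit" if strict_urpf_permit(table, src, iface) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    sample = [
        ("198.51.100.7", "ge-0/0/0"),  # ordinary Internet source via transit: permit
        ("192.0.2.9", "ge-0/0/0"),     # blackholed bogon source: drop
        ("10.1.2.3", "ge-0/0/0"),      # RFC1918 source arriving from transit: drop
        ("10.1.2.3", "ge-0/0/1"),      # RFC1918 source on the corporate LAN: permit
        ("255.1.1.1", "ge-0/0/1"),     # reserved space: drop
    ]
    for row in filter_packets(SERVICES_TABLE, sample):
        print(row)
```

Run it directly to see the verdict for each constructed packet; the useful check is that the verdicts for the two `10.1.2.3` packets differ only by ingress interface, which is exactly what strict mode (as opposed to loose mode) buys you.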
