Is it time to abandon bogon prefix filters?
Eric Jensen
ejensen at jensenresearch.com
Mon Aug 18 19:09:42 UTC 2008
>
>Message: 3
>Date: Mon, 18 Aug 2008 08:21:38 -0500
>From: Pete Templin <petelists at templin.org>
>Subject: Re: Is it time to abandon bogon prefix filters?
>
>None of these suggestions (including the wisecrack "ACLs") provide full
>filtering:
>
>If a miscreant originates a route in bogon space, their transit
>provider(s) doesn't filter their customers, and you or your peer/transit
>doesn't filter their peers/transits, your router will accept the route
>in bogon space and will accept the bogon packets. Filtering has not
>been accomplished, and the bogon attack vector remains open.
We recently expanded our network, separating our multi-homed transit
network from our corporate and 'network services' LANs. We use BGP
sessions between our transit and services networks to trade internal
(RFC1918) routes as well as supply a default route. We do not trade
external routes over these new sessions.
A happy side-effect of this is that our black-hole router, with a cymru
bogon feed, now populates the corporate routing table, rather than our full
transit table, and by using strict URPF all bogon traffic gets dropped
(inbound), and no more-specific routes learned by the transit routers will
override our BH routes.
- Eric
AS17103
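An added illustration of the setup Eric describes, not code from the original post: a toy model of strict uRPF against a routing table that holds only a default route, internal RFC1918 routes, and blackhole routes from a bogon feed. The interface names ("transit", "lan") and the bogon prefixes are constructed sample values, not the Team Cymru feed itself.

```python
# Added example (not from the original post): strict uRPF over a corporate
# routing table that contains only a default, RFC1918 routes and blackholed
# bogons, so no more-specific transit route can override the blackholes.
from ipaddress import ip_address, ip_network

# (prefix, next-hop interface); "Null0" marks a blackhole route.
# Assumed interface names: "transit" faces the transit routers,
# "lan" faces the corporate LAN.
ROUTES = [
    ("0.0.0.0/0", "transit"),     # default route learned over the internal BGP session
    ("10.0.0.0/8", "lan"),        # internal RFC1918 space traded over the same session
    ("172.16.0.0/12", "lan"),
    ("192.168.0.0/16", "lan"),
    # constructed sample of blackholed bogon prefixes (stand-in for the feed)
    ("0.0.0.0/8", "Null0"),
    ("127.0.0.0/8", "Null0"),
    ("169.254.0.0/16", "Null0"),
    ("192.0.2.0/24", "Null0"),
    ("240.0.0.0/4", "Null0"),
]
FIB = [(ip_network(p), nh) for p, nh in ROUTES]

def lookup(addr):
    """Longest-prefix match; returns (network, next-hop interface) or None."""
    a = ip_address(addr)
    matches = [(n, nh) for n, nh in FIB if a in n]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def strict_urpf(src, ingress):
    """Strict uRPF: accept only if the best route back to src leaves via the
    interface the packet arrived on and that route is not a blackhole."""
    best = lookup(src)
    if best is None or best[1] == "Null0":
        return "drop"          # bogon source: reverse path is Null0
    return "pass" if best[1] == ingress else "drop"

if __name__ == "__main__":
    # 203.0.113.7 is not in the sample bogon list, so it is treated here as
    # ordinary internet space reachable via the default route.
    for src, ingress in [("203.0.113.7", "transit"), ("192.0.2.9", "transit"),
                         ("10.1.2.3", "transit"), ("10.1.2.3", "lan")]:
        print(f"src={src:<14} in={ingress:<8} -> {strict_urpf(src, ingress)}")
```

Note that an RFC1918 source arriving on the transit side is dropped as well, because its best route points back at the LAN, not at the ingress interface.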