Is it time to abandon bogon prefix filters?
Tomas L. Byrnes
tomb at byrneit.net
Mon Aug 18 19:28:44 UTC 2008
If all you're using is BGP null routes, that's true. I would posit that
BCP include prefix filtering and ACLs as well, with dynamic updates.
YMMV.
> -----Original Message-----
> From: Chris Adams [mailto:cmadams at hiwaay.net]
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> Once upon a time, Sam Stickland
> <sam_mailinglists at spacething.org> said:
> > I think you misunderstand the meaning of the "ip verify
> > unicast source reachable-via any" command. When a packet
> > arrives the router will drop it if it doesn't have a valid
> > return path for the source. Since the source is a bogon,
> > and routed to Null0, then the inbound packet is dropped.
>
> First, that is only true on Cisco routers (all the world is
> not a Cisco).
>
> Second, you are missing the point: you have a bogon route for
> 10/8, but a rogue route for 10.1/16 (or even 10.0/9 and
> 10.128/9) arrives; it is more specific and your automatic
> bogon filter is useless.
>
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
>
>
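The mechanics the thread argues about, as an added example that is not part of any post above and not anyone's production config: a toy longest-prefix-match table with the bogon block routed to Null0, loose uRPF modelled as "drop if the best route for the source is missing or points to Null0" (the Cisco behaviour Sam describes), and then the two defences Tomas mentions, an inbound BGP prefix filter and a source-address ACL. The bogon list is reduced to 10/8, and the peer names, the rogue 10.1/16 announcement and the packet sources are constructed for illustration.

```python
"""Added example (not from the NANOG thread): a Null0 bogon route plus loose
uRPF is defeated by a more-specific rogue announcement; a prefix filter on
the BGP session, or an ACL on source addresses, is not.  Standard library
only; every route, peer name and packet below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed bogon list: only the RFC 1918 10/8 block matters for this thread.
BOGONS = [ip_network("10.0.0.0/8")]


class Rib:
    """Minimal routing table: prefix -> next hop ("Null0" or a peer name),
    with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = {}  # IPv4Network -> next hop

    def add(self, prefix, nexthop):
        self.routes[ip_network(prefix)] = nexthop

    def lookup(self, addr):
        """Return (prefix, nexthop) of the most specific matching route, or None."""
        a = ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def loose_urpf_passes(rib, src):
    """Loose uRPF ("reachable-via any"): accept the packet only if the source
    has a best route and that route does not point at Null0."""
    match = rib.lookup(src)
    return match is not None and match[1] != "Null0"


def bogon_prefix_filter_accepts(prefix):
    """Inbound BGP prefix filter: reject any announcement equal to or inside a
    bogon block (the effect of a 'deny 10.0.0.0/8 le 32' style entry)."""
    net = ip_network(prefix)
    return not any(net.subnet_of(b) for b in BOGONS)


def bogon_acl_permits(src):
    """Interface ACL on source address: drop packets sourced from a bogon block
    regardless of what the routing table currently says."""
    a = ip_address(src)
    return not any(a in b for b in BOGONS)


def urpf_after_rogue_route(filtered, rogue="10.1.0.0/16", src="10.1.2.3"):
    """Build the table with the automatic Null0 bogon route, let a rogue
    more-specific announcement arrive, and report whether loose uRPF still
    drops a packet sourced from inside it.  With filtered=False the rogue
    route is installed and the more-specific match wins, so uRPF passes it;
    with filtered=True the announcement never makes it into the table."""
    rib = Rib()
    for b in BOGONS:
        rib.add(str(b), "Null0")          # automatic bogon null route
    rib.add("192.0.2.0/24", "peer-A")     # an ordinary route (constructed)
    if not filtered or bogon_prefix_filter_accepts(rogue):
        rib.add(rogue, "peer-B")          # rogue announcement installed
    return loose_urpf_passes(rib, src)


if __name__ == "__main__":
    print("uRPF only, rogue 10.1/16 installed  -> passes:",
          urpf_after_rogue_route(filtered=False))
    print("uRPF + prefix filter on the session -> passes:",
          urpf_after_rogue_route(filtered=True))
    print("ACL on source 10.1.2.3 permits:", bogon_acl_permits("10.1.2.3"))
```

The same failure appears with the 10.0/9 and 10.128/9 pair Chris mentions: each is more specific than the Null0 route, so `urpf_after_rogue_route(False, rogue="10.128.0.0/9", src="10.200.0.1")` passes, while the prefix filter rejects either half because both are subnets of 10/8. Note that this models only the loose-mode behaviour described in the thread; a non-Cisco platform, or strict mode, behaves differently and is not covered here.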