Is it time to abandon bogon prefix filters?

Tomas L. Byrnes tomb at byrneit.net
Mon Aug 18 14:28:44 CDT 2008


If all you're using is BGP null routes, that's true. I would posit that
BCP include Prefix filtering and ACLs as well, with dynamic updates.
YMMV.


> -----Original Message-----
> From: Chris Adams [mailto:cmadams at hiwaay.net] 
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
> 
> Once upon a time, Sam Stickland 
> <sam_mailinglists at spacething.org> said:
> > I think you misunderstand the meaning of the "ip verify unicast source
> > reachable-via any" command. When a packet arrives the router will drop
> > it if it doesn't have a valid return path for the source. Since the
> > source is a bogon, and routed to Null0, then the inbound packet is dropped.
> 
> First, that is only true on Cisco routers (all the world is 
> not a Cisco).
> 
> Second, you are missing the point: you have a bogon route for 
> 10/8, but a rogue route for 10.1/16 (or even 10.0/9 and 
> 10.128/9) arrives; it is more specific and your automatic 
> bogon filter is useless.
> 
> --
> Chris Adams <cmadams at hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services 
> I don't speak for anybody but myself - that's enough trouble.
> 
> 
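The failure mode discussed in this thread, as an added example that is not part of the original posts: a small Python model of a longest-prefix-match RIB with a loose-mode uRPF check ("reachable-via any"), showing that a more-specific rogue route for 10.1/16 lets a 10.1.x.x source through the Null0-based bogon filter, while an explicit bogon ACL (the prefix-filter/ACL layer suggested above) still drops it. The RIB contents, interface names and the "Null0" convention are constructed for illustration.

```python
import ipaddress

# Constructed bogon list used by the explicit ACL check.
BOGONS = ["10.0.0.0/8", "192.168.0.0/16"]


def lookup(rib, addr):
    """Longest-prefix match over a dict {prefix: next-hop}; returns (network, next-hop) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nexthop in rib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best


def urpf_loose_accepts(rib, src):
    """Model of loose-mode uRPF: accept when the best route for the source
    exists and does not point at Null0 (a null route is not a valid return path)."""
    route = lookup(rib, src)
    return route is not None and route[1] != "Null0"


def acl_accepts(bogon_acl, src):
    """Explicit bogon ACL / prefix filter: drop a source inside any listed
    bogon block, independent of whatever the RIB currently contains."""
    ip = ipaddress.ip_address(src)
    return not any(ip in ipaddress.ip_network(b) for b in bogon_acl)


def rogue_route_scenario():
    """Replay the thread's scenario; returns (urpf_before, urpf_after, acl_verdict)."""
    rib = {"0.0.0.0/0": "eth0", "10.0.0.0/8": "Null0"}   # default route + bogon null route
    src = "10.1.2.3"                                      # constructed spoofed source
    before = urpf_loose_accepts(rib, src)                 # 10/8 -> Null0 wins, packet dropped
    rib["10.1.0.0/16"] = "eth1"                           # rogue, more-specific route arrives
    after = urpf_loose_accepts(rib, src)                  # 10.1/16 -> eth1 now wins, packet passes
    acl = acl_accepts(BOGONS, src)                        # ACL still catches it
    return before, after, acl


if __name__ == "__main__":
    print(rogue_route_scenario())
```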
