Is it time to abandon bogon prefix filters?

Danny McPherson danny at tcb.net
Mon Aug 18 19:29:06 UTC 2008


On Aug 18, 2008, at 6:33 AM, Jared Mauch wrote:
>
> 	On a router with full routes (ie: no default) the command
> is:
>
> Router(config-if)#ip verify unicast source reachable-via any
>
> 	Go ahead and try it out.  you can view the resulting
> drop counter via the 'show ip int <x/y>' command.
>
> 	While you're at it, you also placed the reachable-via rx on
> all your customer interfaces.  If you're paranoid, start with the 'any'
> rpf and then move to the strict rpf.  The strict rpf also helps with
> routing loops.

That's a good point.  My problem with "loose mode" RPF is
that subjecting a packet's source address to ANY FIB entry
existence only mitigates spoofing of non-routed ranges.

All the interesting attacks today that employ spoofing (and the
majority of the less-interesting ones that employ spoofing) are
usually relying on existence of the source as part of the attack
vector (e.g., DNS cache poisoning, BGP TCP RST attacks,
DNS reflective amplification attacks, etc..), and as a result, loose
mode gives folks a false sense of protection/action.

-danny
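The loose-versus-strict distinction in the thread, as an added example that is not from the list post: a toy FIB with longest-prefix match, a "reachable-via any" check and a "reachable-via rx" check, run against a bogon source, a source spoofed from another customer's routed range, and a legitimate source. The prefixes, interface names and FIB contents are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a router carrying full routes and no default:
# prefix -> interface the route points out of.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"): "Gi0/1",     # customer A
    ipaddress.ip_network("198.51.100.0/24"): "Gi0/2",  # customer B
    ipaddress.ip_network("203.0.113.0/24"): "Gi0/0",   # upstream
}


def lookup(src, fib=FIB):
    """Longest-prefix match; returns (prefix, interface) or None."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_loose(src, in_iface, fib=FIB):
    """'ip verify unicast source reachable-via any': pass if ANY FIB entry
    covers the source, regardless of which interface it arrived on.
    Note that a default route would make every source pass."""
    return lookup(src, fib) is not None


def urpf_strict(src, in_iface, fib=FIB):
    """'reachable-via rx': pass only if the best route back to the source
    points out the same interface the packet came in on."""
    route = lookup(src, fib)
    return route is not None and route[1] == in_iface


def classify(src, in_iface, fib=FIB):
    """Return both verdicts so the two modes can be compared side by side."""
    return {"loose": urpf_loose(src, in_iface, fib),
            "strict": urpf_strict(src, in_iface, fib)}


if __name__ == "__main__":
    # Bogon (RFC 1918) source, a source spoofed from customer A's range
    # arriving on customer B's port, and a genuine customer B source.
    for src, iface in [("10.0.0.1", "Gi0/2"), ("192.0.2.5", "Gi0/2"),
                       ("198.51.100.7", "Gi0/2")]:
        print(src, "on", iface, "->", classify(src, iface))
```

The middle case is the one the post is about: a routed but spoofed source passes loose mode and is only caught by strict mode.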
