Bogon filtering (don't ban me)

Joe Abley jabley at isc.org
Sun Dec 5 17:41:32 UTC 2004

On 5 Dec 2004, at 06:50, Cliff Albert wrote:

> I have one question regarding the CYMRU bogon route-server. What good
> is it if more-specific bogons are going around in the BGP table?

With OpenBSD 3.6 running pf and bgpd, you can apply a filter rule to 
BGP updates received from individual peers which updates a pf radix 
table with the network received:

   # team cymru bogon route servers

   group "bogons" {
     remote-as 65333
     local-address A.B.C.D
     multihop 64
     announce none
     max-prefix 1000
     tcp md5sig password "xxsomethingxx"

     neighbor E.F.G.H
     neighbor I.J.K.L
   }

   # cymru set 65333:888 on bogon routes
   allow from any community 65333:888 set pftable "bogons"
   allow from any community 65333:888 set nexthop blackhole

This allows you to block inbound/outbound packets in the packet filter, 
and not just rely on blackhole routing (I left the "nexthop blackhole" 
policy statement in there to provide some coverage in case I 
accidentally disable pf one day due to caffeine deficiency). The pf 
config bits are:

   # filled by bgpd's "set pftable"; persist keeps the table in the
   # kernel even when no rule refers to it
   table <bogons> persist

   # no bogon sources or destinations
   block quick from <bogons> to any
   block quick from any to <bogons>

This seems to work very nicely, and neatly accommodates the problem of 
what to do with packets which follow more-specific routes of the cymru 
bogon supernets. The rules above would probably need to be loosened 
somewhat for a network which used 1918 addresses and NAT, since the 
1918 addresses are included in the bogon feed.

This is an answer that is probably not useful for the average ISP 
backbone, but I tried it out a week or so ago on my home network 
firewall/router boxes, and it works very nicely. It's a good solution 
for (say) an enterprise network whose external traffic falls within the 
bounds of what an OpenBSD box can handle (or boxes, if you do stateful 
failover with CARP and pfsync).


Joe
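The two points made in the post above, that a more-specific route inside a bogon supernet wins the longest-prefix match and so walks past a blackhole on the supernet while a pf table match does not care about prefix length, and that a 1918+NAT site has to carve its own space out of the feed, are modelled below in an added Python example. It is not code from the post, from OpenBSD bgpd or from pf; the prefixes, the next hop (documentation space) and the leaked more-specific are constructed, and the functions only mimic the forwarding-table and pf-table semantics the post relies on.

```python
import ipaddress

# Constructed sample data (not from the original post): a handful of prefixes
# as a bogon feed tagged 65333:888 might deliver them, a transit next hop from
# documentation space, and one bogus more-specific that a careless peer leaks.
BOGON_FEED = ["0.0.0.0/8", "10.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4"]
TRANSIT_NH = "203.0.113.1"
RIB = [
    ("0.0.0.0/0", TRANSIT_NH),           # default route via transit
    ("0.0.0.0/8", "blackhole"),          # these four mirror 'set nexthop blackhole'
    ("10.0.0.0/8", "blackhole"),
    ("192.0.2.0/24", "blackhole"),
    ("240.0.0.0/4", "blackhole"),
    ("10.20.0.0/16", TRANSIT_NH),        # more-specific leak inside a bogon supernet
]


def rib_lookup(rib, ip):
    """Longest-prefix match, the way the forwarding table picks a next hop."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, nexthop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def in_pf_table(table, ip):
    """pf table semantics: any covering entry matches; prefix length is irrelevant."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in table)


def decide(rib, table, src, dst):
    """Model of 'block quick from <bogons> to any' / 'block quick from any to <bogons>'
    followed by the routing decision; returns what happens to the packet."""
    if in_pf_table(table, src) or in_pf_table(table, dst):
        return "pf-block"
    nexthop = rib_lookup(rib, dst)
    return "blackhole" if nexthop == "blackhole" else "forward via " + nexthop


def exempt_local(feed, local_nets):
    """Carve local RFC 1918 space out of the feed so NATed internal traffic is not
    blocked: the loosening the post says a 1918+NAT network would need."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    result = []
    for prefix in feed:
        pieces = [ipaddress.ip_network(prefix)]
        for loc in local:
            kept = []
            for net in pieces:
                if net.subnet_of(loc):
                    continue                      # local net swallows this piece
                if loc.subnet_of(net):
                    kept.extend(net.address_exclude(loc))
                else:
                    kept.append(net)
            pieces = kept
        result.extend(str(n) for n in pieces)
    return result


if __name__ == "__main__":
    src, dst = "198.51.100.5", "10.20.1.1"
    print("blackhole only:", decide(RIB, [], src, dst))           # the leak wins the lookup
    print("with pf table: ", decide(RIB, BOGON_FEED, src, dst))   # the table still catches it
    loosened = exempt_local(BOGON_FEED, ["10.1.0.0/16"])
    print("10.1.2.3 blocked after exemption?", in_pf_table(loosened, "10.1.2.3"))
```

With only the blackhole next hops installed, a packet for 10.20.1.1 follows the leaked /16 to the transit next hop; with the pf table in front of the routing decision it is dropped regardless of which route is most specific. exempt_local shows the shape of the loosening for a site that uses 10.1.0.0/16 internally: the rest of 10/8 stays blocked, only the local slice is let through.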