Is it time to abandon bogon prefix filters?

Sean Donelan sean at donelan.com
Fri Aug 15 09:06:36 CDT 2008


On Fri, 15 Aug 2008, Robert E. Seastrom wrote:
> so is there any case to be made for filtering bogons on
> upstream/peering ingress at all anymore?

Depends on where and how.

On highly managed routers at highly managed interconnection points around
the Internet, having some basic packet hygiene checks can serve as a
"fire break" to keep the effectiveness of large-scale attacks with
reserved/unallocated address low.  Unlike BCP38/uRPF/SAVI, it doesn't
need 100% deployment; just enough to make it less attractive as an
attack vector compared to other things.  Even within a single provider,
you might not deploy it everywhere.  Maybe just between different 
continents or regions, depending on your hardware and operational 
capabilities.

For highly managed routers, operational management of allocation updates 
is more limited because you only need to keep track of IANA changes (or 
use some of Team Cymru's tools) rather than figure out which peer or 
customer is authorized to use unallocated source addresses.

Again, I think bogon filters are a bad idea for unmanaged or 
semi-managed routers (or inclusion as a "default" in anything, i.e. 
Cisco's auto-secure).

> (this discussion is orthogonal to bcp38/urpf, which i think we all
> agree is a good thing and would be great if we could get it further
> deployed)

I agree.
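Illustrating the distinction drawn above between permanently reserved space and unallocated space, here is an added example (not code from the thread or from any vendor): a small Python bogon check that filters RFC-reserved "martian" prefixes unconditionally but only trusts the unallocated list while it is fresh, since that list changes with IANA allocations. The `MAX_AGE` window, the fetch date and the single unallocated entry are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import date, timedelta

# Permanently reserved IPv4 space (RFC 1918, RFC 5737, RFC 6890 etc.).
# These never become routable, so filtering them needs no updates.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of an unallocated list, stamped with its fetch date.
# Entries here expire as registries allocate space, so the filter refuses
# to enforce a stale copy instead of silently dropping newly legitimate traffic.
UNALLOCATED = {
    "fetched": date(2008, 8, 1),                       # assumed fetch date
    "prefixes": [ipaddress.ip_network("5.0.0.0/8")],   # constructed sample entry
}
MAX_AGE = timedelta(days=14)  # assumed freshness window for the unallocated list


def classify(src, today=date(2008, 8, 15)):
    """Return 'martian', 'unallocated', 'stale-list' or 'ok' for one source address."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in MARTIANS):
        return "martian"
    if today - UNALLOCATED["fetched"] > MAX_AGE:
        # Fail open on the time-sensitive half of the filter: a stale list is
        # exactly the failure mode that blocks real customers.
        return "stale-list"
    if any(addr in net for net in UNALLOCATED["prefixes"]):
        return "unallocated"
    return "ok"


def filter_batch(sources, today=date(2008, 8, 15)):
    """Classify a batch of source addresses; returns a verdict -> count mapping."""
    return dict(Counter(classify(s, today) for s in sources))


if __name__ == "__main__":
    # Constructed sample of source addresses seen on an ingress interface.
    sample = ["10.1.2.3", "198.51.100.7", "5.1.1.1", "8.8.8.8", "192.0.2.9"]
    print(filter_batch(sample))
```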
