Is it time to abandon bogon prefix filters?
petelists at templin.org
Mon Aug 18 08:21:38 CDT 2008
Jared Mauch wrote:
> On a router with full routes (ie: no default) the command
> Router(config-if)#ip verify unicast source reachable-via any
None of these suggestions (including the wisecrack "ACLs") provide full
If a miscreant originates a route in bogon space, their transit
provider(s) doesn't filter their customers, and you or your peer/transit
doesn't filter their peers/transits, your router will accept the route
in bogon space and will accept the bogon packets. Filtering has not
been accomplished, and the bogon attack vector remains open.
Rather than hoping that everyone filters their customers or that all of
my transits filter every peer, if I want to protect my network from
bogon packets, I need to ensure that my routers won't accept any
prefixes in bogon space. The Team Cymru BGP feed does NOT provide this
function; it merely provides a way to inject null routes for bogon
And no, I don't have offline configuration generators. We don't have
the coding experience in-house. Oh well.
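The post above argues that a null-route feed does not stop a router from accepting a bogon prefix (a more-specific learned from a peer wins by longest match over a null route), and that the only reliable protection is to refuse such prefixes at ingress. The script below is an added example, not code from the original post or from Team Cymru: a small offline generator that takes a bogon list, flags any received announcement that falls inside bogon space (including more-specifics), and renders an IOS-style `ip prefix-list` that denies that space with `le 32` before permitting everything else. The bogon list in it is a constructed, deliberately partial sample of RFC 1918 and special-use space for illustration only; a real deployment would pull a maintained list and regenerate the prefix-list whenever it changes.

```python
"""Offline bogon prefix-list generator (added example, not from the original post).

SAMPLE_BOGONS is a constructed, partial list of RFC 1918 and special-use
IPv4 space used only to make the example self-contained. It is NOT a
current bogon list; unallocated space changes over time.
"""
import ipaddress
from typing import Iterable, List

SAMPLE_BOGONS = [  # constructed sample, see module docstring
    "0.0.0.0/8",
    "10.0.0.0/8",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "172.16.0.0/12",
    "192.0.2.0/24",
    "192.168.0.0/16",
    "224.0.0.0/4",
    "240.0.0.0/4",
]


def parse_prefixes(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings strictly: a bogon list with host bits set is a data error."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def is_bogon(prefix: str, bogons: List[ipaddress.IPv4Network]) -> bool:
    """True if prefix equals a bogon or is a more-specific inside bogon space.

    A null route for 10.0.0.0/8 does not stop a peer-learned 10.1.0.0/16 from
    being installed (longest match), which is why the check is subnet_of and
    not equality.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(b) for b in bogons if net.version == b.version)


def bogon_announcements(received: Iterable[str],
                        bogons: List[ipaddress.IPv4Network]) -> List[str]:
    """Return the received announcements that would be rejected by the filter."""
    return [p for p in received if is_bogon(p, bogons)]


def render_ios_prefix_list(name: str, bogons: List[ipaddress.IPv4Network],
                           max_len: int = 24, seq_step: int = 5) -> str:
    """Render an IOS-style prefix-list.

    Each bogon gets a deny entry with 'le 32' so every more-specific is caught
    too; the final line permits anything else up to max_len. Sequence numbers
    are regenerated from scratch, so the output replaces the old list whole.
    """
    lines = []
    seq = seq_step
    for b in sorted(bogons, key=lambda n: (int(n.network_address), n.prefixlen)):
        lines.append(f"ip prefix-list {name} seq {seq} deny {b} le 32")
        seq += seq_step
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le {max_len}")
    return "\n".join(lines)


if __name__ == "__main__":
    bogons = parse_prefixes(SAMPLE_BOGONS)
    # Constructed sample of prefixes as if received from a peer session.
    received = ["10.1.0.0/16", "8.8.8.0/24", "172.20.0.0/16", "203.0.113.0/24"]
    print("would be rejected:", bogon_announcements(received, bogons))
    print(render_ios_prefix_list("BOGONS-IN", bogons))
```

The generated list is meant to be applied inbound on every eBGP session (peer and transit alike), which is the property the post asks for: the router itself refuses the prefix regardless of whether anyone upstream filtered. The `permit 0.0.0.0/0 le 24` tail is an assumption about a typical maximum accepted prefix length; adjust `max_len` to local policy.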