Is it time to abandon bogon prefix filters?

Pete Templin petelists at templin.org
Mon Aug 18 13:21:38 UTC 2008


Jared Mauch wrote:

> 	On a router with full routes (ie: no default) the command
> is:
> 
> Router(config-if)#ip verify unicast source reachable-via any 

None of these suggestions (including the wisecrack "ACLs") provide full 
filtering:

If a miscreant originates a route in bogon space, their transit 
provider(s) doesn't filter their customers, and you or your peer/transit 
doesn't filter their peers/transits, your router will accept the route 
in bogon space and will accept the bogon packets.  Filtering has not 
been accomplished, and the bogon attack vector remains open.

Rather than hoping that everyone filters their customers or that all of 
my transits filter every peer, if I want to protect my network from 
bogon packets, I need to ensure that my routers won't accept any 
prefixes in bogon space.  The Team Cymru BGP feed does NOT provide this 
function; it merely provides a way to inject null routes for bogon 
aggregates.

And no, I don't have offline configuration generators.  We don't have 
the coding experience in-house.  Oh well.

pt




More information about the NANOG mailing list