Is it time to abandon bogon prefix filters?
sean at donelan.com
Thu Aug 21 19:03:19 CDT 2008
On Tue, 19 Aug 2008, Kevin Loch wrote:
>> While you're at it, you also placed the reachable-via rx on
>> all your customer interfaces. If you're paranoid, start with the 'any'
>> rpf and then move to the strict rpf. The strict rpf also helps with
>> routing loops.
> Be careful not to enable strict rpf on multihomed customers. This includes
> any bgp customer unless you know for sure they are single homed to you and
> that will not
Isn't it time to change the assumption that sending arbitrary source IP
addresses without checking is Ok?
Unless the customer has specifically told their ISP about all the IP
addresses they intend to use as source IP addresses, shouldn't the default
be to drop those packets.
If those multi-homed customers have not told their upstream ISPs about
additional source IP addresses (hopefully also registered/authorized for
use by the same customer) why can they still send packets with those
source addresses? Instead shouldn't you say "Be careful if you are a
using source IP addresses without informing your upstream."
In practice, how many multi-homed customers send packets with unannounced
source IP addresses? And for those customers which do, why is the ISP
unable to implement any of the alternative source IP checking options,
such as using a ACL with uRPF or on the interface?
More information about the NANOG