Is it time to abandon bogon prefix filters?

Sean Donelan sean at donelan.com
Fri Aug 22 00:03:19 UTC 2008


On Tue, 19 Aug 2008, Kevin Loch wrote:
>> 	While you're at it, you also placed the reachable-via rx on
>> all your customer interfaces.  If you're paranoid, start with the 'any'
>> rpf and then move to the strict rpf.  The strict rpf also helps with
>> routing loops.
>
> Be careful not to enable strict rpf on multihomed customers.  This includes
> any bgp customer unless you know for sure they are single homed to you and
> that will not change.

Isn't it time to change the assumption that sending arbitrary source IP 
addresses without checking is OK?

Unless the customer has specifically told their ISP about all the IP 
addresses they intend to use as source IP addresses, shouldn't the default 
be to drop those packets?

If those multi-homed customers have not told their upstream ISPs about 
additional source IP addresses (hopefully also registered/authorized for 
use by the same customer) why can they still send packets with those 
source addresses?  Instead shouldn't you say "Be careful if you are 
using source IP addresses without informing your upstream."

In practice, how many multi-homed customers send packets with unannounced 
source IP addresses?  And for those customers which do, why is the ISP 
unable to implement any of the alternative source IP checking options, 
such as using an ACL with uRPF or on the interface?

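The three checks the thread is arguing about (strict uRPF, loose uRPF, and
uRPF with an ACL exemption for declared source prefixes) can be simulated
against a small forwarding table.  The following is an added illustration
by the editor, not code from the post or from any router vendor: the FIB,
interface names and prefixes are constructed, and the rules model Cisco
IOS-style `reachable-via rx` / `reachable-via any`, the `allow-default`
option and the trailing ACL argument as the editor understands them.  It
shows the case Kevin Loch warns about (a multihomed customer sourcing from
a prefix it announces only to its other upstream) and why the ACL variant
keeps that traffic while still dropping spoofed sources.

```python
from ipaddress import ip_address, ip_network

NULL = None  # egress value meaning "discard" (a null route)

# Constructed FIB of an ISP edge router (assumption, not a real network).
# Gi0/1 faces a multihomed customer, Gi0/9 faces the ISP's transit.
FIB = [
    (ip_network("192.0.2.0/24"), "Gi0/1"),    # customer prefix announced to us
    (ip_network("203.0.113.0/24"), "Gi0/9"),  # customer's second prefix, announced
                                              # only to its other upstream, so we
                                              # reach it via transit
    (ip_network("10.0.0.0/8"), NULL),         # bogon, null-routed
    (ip_network("0.0.0.0/0"), "Gi0/9"),       # default route via transit
]


def lookup(src):
    """Longest-prefix match on the constructed FIB; (prefix, iface) or None."""
    addr = ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src, ingress, mode="strict", allow_default=False, acl=()):
    """Return True if a packet with source `src` arriving on `ingress` is kept.

    mode          'strict' (reachable-via rx): the best route back to the
                  source must point at the ingress interface.
                  'loose'  (reachable-via any): any non-null route suffices.
    allow_default a default route does not satisfy either check unless set.
    acl           prefixes whose sources are forwarded even if the RPF check
                  fails (the optional ACL argument; modelled as an exemption).
    """
    hit = lookup(src)
    passed = False
    if hit is not None:
        net, iface = hit
        if iface is NULL:
            passed = False                      # null route: always drop
        elif net.prefixlen == 0 and not allow_default:
            passed = False                      # matched only the default route
        elif mode == "loose":
            passed = True
        else:
            passed = iface == ingress
    if not passed and any(ip_address(src) in ip_network(p) for p in acl):
        passed = True                           # declared source, exempted
    return passed


def ingress_acl(src, permitted):
    """Plain interface ACL alternative: forward only sources the customer
    declared, regardless of what the FIB says about them."""
    return any(ip_address(src) in ip_network(p) for p in permitted)


if __name__ == "__main__":
    declared = ("192.0.2.0/24", "203.0.113.0/24")   # customer's registered sources
    for src in ("192.0.2.10", "203.0.113.5", "10.1.2.3", "8.8.8.8"):
        print(src,
              "strict", urpf(src, "Gi0/1"),
              "loose", urpf(src, "Gi0/1", mode="loose"),
              "strict+acl", urpf(src, "Gi0/1", acl=declared),
              "acl-only", ingress_acl(src, declared))
```

Run as a script it prints one line per source: the announced prefix passes
every check, the asymmetric 203.0.113.0/24 source fails strict uRPF but
passes loose uRPF and the ACL-exempted strict check, and the bogon and the
arbitrary spoofed source fail all of them.  Loose mode only catches what
is null-routed or unrouted, which is why the post asks for the declared
prefix list rather than for dropping the check altogether.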

More information about the NANOG mailing list