[106927] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Sam Stickland)
Mon Aug 18 10:01:16 2008
Date: Mon, 18 Aug 2008 15:01:00 +0100
From: Sam Stickland <sam_mailinglists@spacething.org>
To: Pete Templin <petelists@templin.org>
In-Reply-To: <48A97762.1000104@templin.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Pete Templin wrote:
> Jared Mauch wrote:
>
>> On a router with full routes (ie: no default) the command
>> is:
>>
>> Router(config-if)#ip verify unicast source reachable-via any
>
> None of these suggestions (including the wisecrack "ACLs") provide
> full filtering:
>
> If a miscreant originates a route in bogon space, their transit
> provider(s) doesn't filter their customers, and you or your
> peer/transit doesn't filter their peers/transits, your router will
> accept the route in bogon space and will accept the bogon packets.
> Filtering has not been accomplished, and the bogon attack vector
> remains open.
>
> Rather than hoping that everyone filters their customers or that all
> of my transits filter every peer, if I want to protect my network from
> bogon packets, I need to ensure that my routers won't accept any
> prefixes in bogon space. The Team Cymru BGP feed does NOT provide
> this function; it merely provides a way to inject null routes for
> bogon aggregates.
I think you misunderstand the meaning of the "ip verify unicast source
reachable-via any" command. When a packet arrives the router will drop
it if it doesn't have a valid return path for the source. Since the
source is a bogon and routed to Null0, the inbound packet is dropped.
Sam
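
The interaction between loose-mode uRPF and a null-routed bogon list that Sam describes, and the case Pete raises (a more-specific bogon route accepted from a peer), as an added example that is not part of the original thread. It is a small Python model of a longest-prefix-match table with a Null0 discard adjacency, not a real IOS implementation; all prefixes, interface names and the AS number are constructed sample values (documentation ranges stand in for customer prefixes, 240.0.0.0/4 stands in for a bogon aggregate).

```python
"""Model of loose-mode uRPF ("ip verify unicast source reachable-via any")
against a FIB that carries Null0 routes for bogon aggregates, in the style of
a Team Cymru bogon feed.  Added example, not code from the original thread.
Prefixes, interface names and AS64496 are constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

NULL0 = "Null0"  # discard adjacency, as installed by a null-route feed


class Fib:
    """Minimal longest-prefix-match forwarding table: network -> adjacency."""

    def __init__(self) -> None:
        self._routes: List[Tuple[ipaddress.IPv4Network, str]] = []

    def add(self, prefix: str, adjacency: str) -> None:
        self._routes.append((ipaddress.ip_network(prefix), adjacency))

    def lookup(self, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
        ip = ipaddress.ip_address(addr)
        best = None
        for net, adj in self._routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, adj)
        return best


def urpf_loose_permits(fib: Fib, src: str, allow_default: bool = False) -> bool:
    """Loose uRPF: permit only if the source matches a route whose adjacency is
    not a discard.  As on IOS, a default route satisfies the check only when
    the allow-default keyword is configured."""
    hit = fib.lookup(src)
    if hit is None:
        return False                      # no return path at all
    net, adj = hit
    if adj == NULL0:
        return False                      # return path is Null0: drop (Sam's point)
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route does not count by default
    return True


def build_router() -> Fib:
    """Full-routes router with a null-routed bogon aggregate (constructed data)."""
    fib = Fib()
    fib.add("203.0.113.0/24", "GigabitEthernet0/1")   # stand-in for a customer prefix
    fib.add("198.51.100.0/24", "GigabitEthernet0/2")  # stand-in for a peer's prefix
    fib.add("240.0.0.0/4", NULL0)                     # bogon aggregate from the feed
    return fib


def run_scenarios() -> dict:
    """Exercise the cases discussed in the thread; returns name -> permitted?"""
    fib = build_router()
    results = {}
    results["legit_source"] = urpf_loose_permits(fib, "203.0.113.5")
    results["bogon_null0"] = urpf_loose_permits(fib, "240.1.2.3")
    results["no_route"] = urpf_loose_permits(fib, "10.0.0.1")

    # Same router, now with a default route: bogons still fail without allow-default.
    fib.add("0.0.0.0/0", "upstream-default")
    results["default_without_allow"] = urpf_loose_permits(fib, "10.0.0.1")
    results["default_with_allow"] = urpf_loose_permits(fib, "10.0.0.1", allow_default=True)

    # Pete's scenario: a more-specific route inside the bogon aggregate has been
    # accepted from a peer.  Longest-prefix match now beats the Null0 aggregate,
    # so uRPF sees a valid return path and the packet is forwarded.
    fib.add("240.1.0.0/16", "peer-AS64496")
    results["bogon_more_specific_leaked"] = urpf_loose_permits(fib, "240.1.2.3")
    results["bogon_still_covered"] = urpf_loose_permits(fib, "240.2.0.1")
    return results


if __name__ == "__main__":
    for name, permitted in run_scenarios().items():
        print(f"{name:28s} {'forward' if permitted else 'drop'}")
```

The model shows why the two positions in the thread are not in conflict: a Null0 route does make loose uRPF drop traffic from the covered bogon space, but only for as long as no more-specific route inside that space is accepted into the table, which is exactly the prefix filtering Pete is asking for.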