[106929] in North American Network Operators' Group
Re: Is it time to abandon bogon prefix filters?
daemon@ATHENA.MIT.EDU (Chris Adams)
Mon Aug 18 10:30:16 2008
Date: Mon, 18 Aug 2008 09:29:52 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: NANOG list <nanog@nanog.org>
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>,
NANOG list <nanog@nanog.org>
In-Reply-To: <48A9809C.1010708@spacething.org>
Errors-To: nanog-bounces@nanog.org
Once upon a time, Sam Stickland <sam_mailinglists@spacething.org> said:
> I think you misunderstand the meaning of the "ip verify unicast source
> reachable-via any" command. When a packet arrives the router will drop
> it if it doesn't have a valid return path for the source. Since the
> source is a bogon, and routed to Null0, then the inbound packet is dropped.
First, that is only true on Cisco routers (all the world is not a
Cisco).
Second, you are missing the point: you have a bogon route for 10/8, but a
rogue route for 10.1/16 (or even 10.0/9 and 10.128/9) arrives; it is
more specific and your automatic bogon filter is useless.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
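The failure mode Chris describes, as an added simulation that is not part of the thread: a toy longest-prefix-match FIB with a Null0 route for 10/8, a loose-mode uRPF check modelled on "reachable-via any", and then a more-specific 10.1/16 route arriving from a peer. The FIB structure, the interface and peer names and the 203.0.113.0/24 route are constructed for the example; the explicit bogon ACL and BGP import filter at the end are the defender-side checks that do not depend on the routing table.

```python
import ipaddress

class Fib:
    """Minimal longest-prefix-match FIB (constructed for this example).
    Routes map a prefix to a next hop; "Null0" marks a discard route."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr):
        """Return (network, next_hop) of the most specific matching route, or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, nh in self.routes.items():
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

def urpf_loose_accepts(fib, src):
    """Loose-mode uRPF as described in the thread: accept the packet when the
    source address has any route in the FIB that does not point at Null0."""
    hit = fib.lookup(src)
    return hit is not None and hit[1] != "Null0"

# Bogon blocks used by the filters below (the thread's 10/8 plus one more).
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]

def bogon_acl_accepts(src):
    """Explicit ingress ACL: drop any source inside a bogon block, regardless
    of what the routing table currently says."""
    return not any(ipaddress.ip_address(src) in b for b in BOGONS)

def bgp_import_accepts(prefix):
    """Inbound route filter: reject any announced prefix that falls inside a
    bogon block, so a more-specific rogue route never reaches the FIB."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(b) for b in BOGONS if net.version == b.version)

def scenario():
    """Walk through the thread's example and return the three verdicts."""
    fib = Fib()
    fib.add("10.0.0.0/8", "Null0")            # automatic bogon null route
    fib.add("203.0.113.0/24", "ge-0/0/1")     # constructed legitimate route
    before = urpf_loose_accepts(fib, "10.1.2.3")   # False: Null0 wins, packet dropped

    # A more-specific rogue route for 10.1/16 arrives from a peer and is installed.
    fib.add("10.1.0.0/16", "peer-X")
    after = urpf_loose_accepts(fib, "10.1.2.3")    # True: loose uRPF now passes it

    acl = bogon_acl_accepts("10.1.2.3")            # False: the explicit ACL still drops it
    return before, after, acl

if __name__ == "__main__":
    print(scenario())
    print(bgp_import_accepts("10.1.0.0/16"), bgp_import_accepts("10.128.0.0/9"))
```

The point the simulation makes is that loose uRPF only ever asks "is there a non-discard route for this source", so it is exactly as strong as the routing table it consults; a null route is a hint, not a filter. An address-based ACL, or a prefix filter applied to routes before they are installed, keeps its verdict no matter what a peer announces.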