[106939] in North American Network Operators' Group


RE: Is it time to abandon bogon prefix filters?

daemon@ATHENA.MIT.EDU (Tomas L. Byrnes)
Mon Aug 18 15:28:52 2008

Date: Mon, 18 Aug 2008 12:28:44 -0700
In-Reply-To: <20080818142952.GB1302536@hiwaay.net>
From: "Tomas L. Byrnes" <tomb@byrneit.net>
To: "Chris Adams" <cmadams@hiwaay.net>,
	"NANOG list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

If all you're using is BGP null routes, that's true. I would posit that
BCP includes prefix filtering and ACLs as well, with dynamic updates.
YMMV.


> -----Original Message-----
> From: Chris Adams [mailto:cmadams@hiwaay.net]
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> Once upon a time, Sam Stickland <sam_mailinglists@spacething.org> said:
> > I think you misunderstand the meaning of the "ip verify unicast source
> > reachable-via any" command. When a packet arrives the router will drop
> > it if it doesn't have a valid return path for the source. Since the
> > source is a bogon, and routed to Null0, then the inbound packet is dropped.
>
> First, that is only true on Cisco routers (all the world is not a Cisco).
>
> Second, you are missing the point: you have a bogon route for 10/8, but a
> rogue route for 10.1/16 (or even 10.0/9 and 10.128/9) arrives; it is more
> specific and your automatic bogon filter is useless.
>
> --
> Chris Adams <cmadams@hiwaay.net>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.

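The more-specific bypass Chris describes, and the static prefix filter Tomas argues BCP should add on top of null routes, modelled as an added example (not from the thread or from any vendor's code). The routing table, interface names and addresses are constructed; the uRPF check mirrors the loose-mode semantics Sam quoted, not any particular router's implementation.

```python
"""Longest-prefix-match model of bogon null routes, loose uRPF, and a static ACL."""
from ipaddress import ip_address, ip_network

# Constructed bogon list a prefix filter / ACL would be built from.
BOGON_PREFIXES = [ip_network("10.0.0.0/8")]


def lookup(table, addr):
    """Return (prefix, next_hop) of the most specific route covering addr, or None."""
    addr = ip_address(addr)
    best = None
    for prefix, next_hop in table.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def loose_urpf_accepts(table, src):
    """'ip verify unicast source reachable-via any' as described in the thread:
    accept the packet if the source resolves to any route that is not Null0."""
    hit = lookup(table, src)
    return hit is not None and hit[1] != "Null0"


def prefix_filter_accepts(src, bogons=BOGON_PREFIXES):
    """Static ACL / prefix filter: drop any source inside a bogon block,
    regardless of what the RIB currently says (Tomas's 'prefix filtering and ACLs')."""
    return not any(ip_address(src) in bogon for bogon in bogons)


def demo():
    """Walk the scenario from the thread and return each decision by name."""
    # Constructed table: bogon 10/8 pointed at Null0, one legitimate route.
    table = {ip_network("10.0.0.0/8"): "Null0",
             ip_network("192.0.2.0/24"): "ge-0/0/0"}
    src = "10.1.2.3"
    result = {"urpf_before_rogue": loose_urpf_accepts(table, src)}  # dropped
    # A rogue, more-specific 10.1/16 arrives with a real next hop and wins LPM.
    table[ip_network("10.1.0.0/16")] = "ge-0/0/1"
    result["urpf_after_rogue"] = loose_urpf_accepts(table, src)     # now passes
    # The same holds for a pair of /9s covering all of 10/8.
    table[ip_network("10.128.0.0/9")] = "ge-0/0/1"
    result["urpf_after_rogue_9"] = loose_urpf_accepts(table, "10.200.0.1")
    # The static filter is unaffected by what the RIB learned.
    result["acl_on_bogon_src"] = prefix_filter_accepts(src)
    result["acl_on_legit_src"] = prefix_filter_accepts("192.0.2.1")
    return result
```

Running `demo()` shows the null-route check flipping to accept once the /16 (or /9) appears, while the prefix filter keeps dropping the 10.x source.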
