[106940] in North American Network Operators' Group


Re: Is it time to abandon bogon prefix filters?

daemon@ATHENA.MIT.EDU (Danny McPherson)
Mon Aug 18 15:30:46 2008

From: Danny McPherson <danny@tcb.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <20080818123308.GA47385@puck.nether.net>
Date: Mon, 18 Aug 2008 13:29:06 -0600
Errors-To: nanog-bounces@nanog.org


On Aug 18, 2008, at 6:33 AM, Jared Mauch wrote:
>
> 	On a router with full routes (i.e., no default) the command
> is:
>
> Router(config-if)#ip verify unicast source reachable-via any
>
> 	Go ahead and try it out.  You can view the resulting
> drop counter via the 'show ip int <x/y>' command.
>
> 	While you're at it, you also placed the reachable-via rx on
> all your customer interfaces.  If you're paranoid, start with the 'any'
> rpf and then move to the strict rpf.  The strict rpf also helps with
> routing loops.

That's a good point.  My problem with "loose mode" RPF is
that it subjects a packet's source address to ANY FIB entry
existence, which only mitigates spoofing of non-routed ranges.

All the interesting attacks today that employ spoofing (and the
majority of the less-interesting ones that employ spoofing) are
usually relying on existence of the source as part of the attack
vector (e.g., DNS cache poisoning, BGP TCP RST attacks,
DNS reflective amplification attacks, etc.), and as a result, loose
mode gives folks a false sense of protection/action.

-danny
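To make the difference between the two uRPF modes discussed in this thread concrete, here is a small added simulation (my own example code, not anything from the thread or from Cisco IOS). It models a router FIB as a prefix-to-interface table with longest-prefix match, then checks packets the way `reachable-via any` (loose) and `reachable-via rx` (strict) would. The FIB entries, interface names and packet sources are constructed for illustration; the point it shows is Danny's: a spoofed source that is routed anywhere in the table passes loose mode, and only strict mode on the customer interface catches it. It also shows why Jared's "no default route" condition matters for loose mode.

```python
import ipaddress

# Constructed FIB: prefix -> interface the best route points out of.
# No default route, matching the "full routes (no default)" case above.
FIB = {
    "192.0.2.0/24": "Gi0/1",     # customer A, attached to Gi0/1
    "198.51.100.0/24": "Gi0/2",  # customer B, attached to Gi0/2
    "203.0.113.0/24": "Gi0/0",   # learned via upstream; say a resolver lives here
}

# Constructed packets: (label, source address, ingress interface).
PACKETS = [
    ("legit customer A",            "192.0.2.10",    "Gi0/1"),
    ("bogon / unrouted source",     "10.0.0.1",      "Gi0/1"),
    ("spoofed routed source",       "203.0.113.53",  "Gi0/1"),
    ("spoofed other customer",      "198.51.100.7",  "Gi0/1"),
]


def lookup(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best_iface, best_len = None, -1
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_iface, best_len = iface, net.prefixlen
    return best_iface


def urpf_loose(fib, src, in_iface):
    """'reachable-via any': forward if ANY FIB entry covers the source.
    The ingress interface is irrelevant; only non-routed sources fail."""
    return lookup(fib, src) is not None


def urpf_strict(fib, src, in_iface):
    """'reachable-via rx': forward only if the best route back to the
    source points out the interface the packet arrived on."""
    return lookup(fib, src) == in_iface


def evaluate(fib, packets):
    """Return [(label, passes_loose, passes_strict), ...] for each packet."""
    return [
        (label, urpf_loose(fib, src, iface), urpf_strict(fib, src, iface))
        for label, src, iface in packets
    ]


def with_default_route(fib):
    """Same FIB plus a default route; loose mode then accepts everything."""
    return {**fib, "0.0.0.0/0": "Gi0/0"}


if __name__ == "__main__":
    for label, loose, strict in evaluate(FIB, PACKETS):
        print(f"{label:28s} loose={'pass' if loose else 'DROP':4s} "
              f"strict={'pass' if strict else 'DROP'}")
    print("bogon with a default route present, loose mode:",
          urpf_loose(with_default_route(FIB), "10.0.0.1", "Gi0/1"))
```

Run it and the "spoofed routed source" and "spoofed other customer" rows pass loose mode and are dropped by strict mode, which is exactly the gap Danny describes: loose mode only ever rejects the bogon row. The last line shows that once a default route is in the FIB, even the bogon passes loose mode, which is why the quoted advice ties `reachable-via any` to a full table with no default. The usual practitioner caveat applies to strict mode: it assumes symmetric routing on the interface, so it belongs on single-homed customer edges rather than on peering or multi-homed links.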

