North American Network Operators Group


Re: Is it time to abandon bogon prefix filters?

  • From: Pete Templin
  • Date: Mon Aug 18 09:21:12 2008

Jared Mauch wrote:

> On a router with full routes (ie: no default) the command is:
>
> Router(config-if)#ip verify unicast source reachable-via any

None of these suggestions (including the wisecrack "ACLs") provide full filtering:
If a miscreant originates a route in bogon space, their transit provider(s) doesn't filter their customers, and you or your peer/transit doesn't filter their peers/transits, your router will accept the route in bogon space and will accept the bogon packets. Filtering has not been accomplished, and the bogon attack vector remains open.

Rather than hoping that everyone filters their customers or that all of my transits filter every peer, if I want to protect my network from bogon packets, I need to ensure that my routers won't accept any prefixes in bogon space. The Team Cymru BGP feed does NOT provide this function; it merely provides a way to inject null routes for bogon aggregates.

And no, I don't have offline configuration generators. We don't have the coding experience in-house. Oh well.

pt
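The argument above, that a null route for a bogon aggregate does not stop a more-specific bogon announcement from entering the RIB (and therefore from passing loose-mode uRPF), while an inbound prefix-list does, can be checked with a small model. The following is an added example, not code from the original post or from Team Cymru; the bogon list, the peer announcements, the next-hop names and the Cisco-style prefix-list rendering are all constructed for illustration, and the bogon prefixes are a hypothetical subset rather than a current list.

```python
"""
Model: longest-prefix match lets a miscreant's more-specific bogon route win
over a null route for the covering aggregate, so both forwarding and loose
uRPF treat the bogon as reachable. An inbound prefix-list with 'le 32'
semantics rejects the more-specific before it reaches the RIB.

Added example, not from the NANOG post. All data below is constructed.
"""
import ipaddress

# Constructed bogon list (hypothetical subset; real lists change over time).
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "240.0.0.0/4")]


def build_prefix_list(bogons, name="bogons-in"):
    """Render an inbound Cisco-style prefix-list: deny each bogon and anything
    more specific ('le 32'), then permit the rest (capped at /24 here, an
    illustrative max-length choice). Sequence order matters: denies first."""
    lines, seq = [], 5
    for net in bogons:
        lines.append(f"ip prefix-list {name} seq {seq} deny {net} le 32")
        seq += 5
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 24")
    return lines


def is_bogon(prefix, bogons):
    """True if the announced prefix equals or is more specific than a bogon,
    i.e. the 'deny ... le 32' semantics of the prefix-list above."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(b) for b in bogons)


def filter_announcements(announcements, bogons):
    """Apply the inbound prefix-list to (prefix, nexthop) pairs.
    Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix, nexthop in announcements:
        (rejected if is_bogon(prefix, bogons) else accepted).append((prefix, nexthop))
    return accepted, rejected


def longest_match(rib, addr):
    """Forwarding lookup: longest-prefix match over a RIB of (prefix, nexthop).
    Returns the winning next hop, or None if nothing covers addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, nexthop in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def urpf_loose_accepts(rib, src):
    """Loose-mode uRPF ('reachable-via any'): the source must have a route
    whose next hop is not the discard interface."""
    nexthop = longest_match(rib, src)
    return nexthop is not None and nexthop != "Null0"


# Constructed scenario: a null route for the aggregate 10.0.0.0/8 (what a
# bogon BGP feed injects) plus a miscreant's more-specific 10.66.0.0/24
# learned from an unfiltered peer.
NULL_ROUTES = [("10.0.0.0/8", "Null0")]
PEER_ANNOUNCEMENTS = [
    ("203.0.113.0/24", "peer-A"),   # legitimate (constructed)
    ("10.66.0.0/24", "peer-A"),     # bogon more-specific (constructed)
    ("192.0.2.0/24", "peer-B"),     # exact bogon (constructed)
]


def rib_null_route_only():
    """RIB when only the aggregate null route exists and peers are unfiltered."""
    return NULL_ROUTES + PEER_ANNOUNCEMENTS


def rib_with_prefix_list():
    """RIB when the inbound prefix-list is applied to the peer session."""
    accepted, _ = filter_announcements(PEER_ANNOUNCEMENTS, BOGONS)
    return NULL_ROUTES + accepted


if __name__ == "__main__":
    print("\n".join(build_prefix_list(BOGONS)))
    for label, rib in (("null route only", rib_null_route_only()),
                       ("with prefix-list", rib_with_prefix_list())):
        print(f"{label:17s} dst 10.66.0.1 -> {longest_match(rib, '10.66.0.1')}, "
              f"uRPF accepts src 10.66.0.1: {urpf_loose_accepts(rib, '10.66.0.1')}")
```

With only the null route, the /24 wins longest match, so packets to 10.66.0.1 are forwarded to the peer and packets sourced from 10.66.0.1 pass loose uRPF. With the prefix-list in place the /24 never enters the RIB, the /8 to Null0 is the best route, and uRPF drops the source.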