North American Network Operators Group


Re: Is it time to abandon bogon prefix filters?

  • From: Eric Jensen
  • Date: Mon Aug 18 15:09:59 2008



Message: 3 Date: Mon, 18 Aug 2008 08:21:38 -0500 From: Pete Templin <[email protected]> Subject: Re: Is it time to abandon bogon prefix filters?

None of these suggestions (including the wisecrack "ACLs") provide full
filtering:

If a miscreant originates a route in bogon space, their transit
provider(s) doesn't filter their customers, and you or your peer/transit
doesn't filter their peers/transits, your router will accept the route
in bogon space and will accept the bogon packets.  Filtering has not
been accomplished, and the bogon attack vector remains open.

We recently expanded our network, separating our multi-homed transit network from our corporate and 'network services' LANs. We use BGP sessions between our transit and services networks to trade internal (RFC1918) routes as well as supply a default route. We do not trade external routes over these new sessions.

A happy side-effect of this is that our black-hole router, with a Cymru bogon feed, now populates the corporate routing table, rather than our full transit table, and by using strict URPF all bogon traffic gets dropped (inbound), and no more-specific routes learned by the transit routers will override our BH routes.

- Eric
AS17103
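An added illustration of the design Eric describes (not code from the post or from anyone's router): a corporate routing table holding a default toward transit, internal RFC1918 routes toward the LAN, and bogon feed entries pointed at a discard interface, with strict uRPF applied to packets arriving on the transit interface. It also shows why keeping transit-learned routes out of that table matters: a more-specific prefix from transit would override the black-hole entry. Interface names, prefixes and source addresses are constructed sample data.

```python
"""Strict uRPF over a routing table that carries bogon black-hole routes.

Constructed example: interface names, the prefix list and the test
addresses are sample data, not a real feed or a real router config.
"""
import ipaddress

DISCARD = "Null0"          # black-hole next hop used for bogon entries
TRANSIT = "ge-0/0/0"       # interface facing the transit routers
LAN = "ge-0/0/1"           # interface facing the corporate/services LAN


def build_table(routes):
    """Turn (prefix, exit_interface) pairs into a list of network objects."""
    return [(ipaddress.ip_network(p), iface) for p, iface in routes]


def best_route(table, addr):
    """Longest-prefix match for addr; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in table if ip in net]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def strict_urpf(table, src, ingress):
    """Strict uRPF: accept only if the best route back to src exits via ingress.

    A bogon entry resolves to Null0, which never equals the ingress
    interface, so packets sourced from bogon space are dropped. Sources
    whose best route points at the LAN are likewise rejected on transit.
    """
    route = best_route(table, src)
    return route is not None and route[1] == ingress


def leak_transit_route(table, prefix, iface=TRANSIT):
    """Simulate a more-specific route arriving from transit, which the
    post's design avoids by not trading external routes over the sessions."""
    return table + [(ipaddress.ip_network(prefix), iface)]


# Corporate routing table as the post describes it (constructed sample data).
CORP_TABLE = build_table([
    ("0.0.0.0/0", TRANSIT),        # default route supplied by transit
    ("10.0.0.0/8", LAN),           # internal RFC1918 space traded over BGP
    ("192.0.2.0/24", DISCARD),     # sample bogon entries from the feed
    ("198.51.100.0/24", DISCARD),
])


def check_inbound(table, sources):
    """Decision per source address for packets arriving on the transit side."""
    return {s: ("pass" if strict_urpf(table, s, TRANSIT) else "drop") for s in sources}
```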