North American Network Operators Group

RE: Is it time to abandon bogon prefix filters?
If all you're using is BGP null routes, that's true. I would posit that BCP include Prefix filtering and ACLs as well, with dynamic updates. YMMV.

> -----Original Message-----
> From: Chris Adams [mailto:[email protected]]
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> Once upon a time, Sam Stickland <[email protected]> said:
> > I think you misunderstand the meaning of the "ip verify unicast source
> > reachable-via any" command. When a packet arrives the router will drop
> > it if it doesn't have a valid return path for the source. Since the
> > source is a bogon, and routed to Null0, then the inbound packet is dropped.
>
> First, that is only true on Cisco routers (all the world is not a Cisco).
>
> Second, you are missing the point: you have bogon route for 10/8, but
> rogue route for 10.1/16 (or even 10.0/9 and 10.128/9) arrives; it is
> more specific and your automatic bogon filter is useless.
>
> --
> Chris Adams <[email protected]>
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
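The failure mode discussed in this thread, as an added example that is not part of the original messages: under longest-prefix match a more-specific announcement overrides a bogon null route, so the loose-mode source check passes, while an inbound prefix filter that covers the aggregate and everything more specific keeps the route out. The loose-check model follows the description quoted above; the prefixes, peer names and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: one bogon aggregate and hypothetical next-hop names.
BOGONS = [ipaddress.ip_network("10.0.0.0/8")]
NULL0 = "Null0"

def lookup(rib, addr):
    """Longest-prefix match: next hop of the most specific covering route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, nh) for net, nh in rib if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def loose_urpf_pass(rib, src):
    """Loose-mode check as described in the thread: drop when the source
    has no route or its best route points at Null0."""
    return lookup(rib, src) not in (None, NULL0)

def filter_accepts(prefix):
    """Inbound prefix filter: reject a bogon aggregate and anything more specific."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(b) for b in BOGONS)

def build_rib(announcements, use_prefix_filter):
    """Start from the bogon null routes, then install received announcements."""
    rib = [(b, NULL0) for b in BOGONS]
    for prefix, peer in announcements:
        if use_prefix_filter and not filter_accepts(prefix):
            continue  # announcement rejected before it reaches the table
        rib.append((ipaddress.ip_network(prefix), peer))
    return rib

# Constructed announcements: a documentation prefix standing in for a normal
# route, and one route more specific than the bogon aggregate.
ANNOUNCEMENTS = [("192.0.2.0/24", "peer-a"), ("10.1.0.0/16", "peer-b")]

if __name__ == "__main__":
    for filtered in (False, True):
        rib = build_rib(ANNOUNCEMENTS, filtered)
        for src in ("10.1.2.3", "10.200.0.1", "192.0.2.9"):
            verdict = "pass" if loose_urpf_pass(rib, src) else "drop"
            print(f"prefix_filter={filtered} src={src} -> {verdict}")
```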