RE: Is it time to abandon bogon prefix filters?

["Tomas L. Byrnes" <tomb () byrneit net>]

If all you're using is BGP null routes, that's true. I would posit that
BCP include Prefix filtering and ACLs as well, with dynamic updates.
YMMV.


> -----Original Message-----
> From: Chris Adams [mailto:cmadams () hiwaay net] 
> Sent: Monday, August 18, 2008 7:30 AM
> To: NANOG list
> Subject: Re: Is it time to abandon bogon prefix filters?
>
> Once upon a time, Sam Stickland 
> <sam_mailinglists () spacething org> said:
> > I think you misunderstand the meaning of the "ip verify 
> unicasr source 
> > reachable-via any" command. When a packet arrives the 
> router will drop 
> > it if it doesn't have a valid return path for the source. Since the 
> > source is a bogon, and routed to Null0, then the inbound 
> packet is dropped.
>
> First, that is only true on Cisco routers (all the world is 
> not a Cisco).
>
> Second, you are missing the point: you have bogon route for 
> 10/8, but rouge route for 10.1/16 (or even 10.0/9 and 
> 10.128/9) arrives; it is more specific and your automatic 
> bogon filter is useless.
>
> --
> Chris Adams <cmadams () hiwaay net>
> Systems and Network Administrator - HiWAAY Internet Services 
> I don't speak for anybody but myself - that's enough trouble.