nanog mailing list archives

Re: Is it time to abandon bogon prefix filters?


From: Danny McPherson <danny () tcb net>
Date: Mon, 18 Aug 2008 13:29:06 -0600


On Aug 18, 2008, at 6:33 AM, Jared Mauch wrote:

        On a router with full routes (i.e., no default) the command is:

Router(config-if)#ip verify unicast source reachable-via any

        Go ahead and try it out.  You can view the resulting
drop counter via the 'show ip int <x/y>' command.

        While you're at it, you also placed the reachable-via rx on
all your customer interfaces. If you're paranoid, start with the 'any'
rpf and then move to the strict rpf.  The strict rpf also helps with
routing loops.

That's a good point.  My problem with "loose mode" RPF is
that, because it only checks a packet's source address against
the existence of ANY FIB entry, it only mitigates spoofing of
non-routed ranges.

All the interesting attacks today that employ spoofing (and the
majority of the less-interesting ones that employ spoofing) are
usually relying on existence of the source as part of the attack
vector (e.g., DNS cache poisoning, BGP TCP RST attacks,
DNS reflective amplification attacks, etc.), and as a result, loose
mode gives folks a false sense of protection/action.

-danny
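The loose ('reachable-via any') versus strict ('reachable-via rx') distinction discussed in the thread, as an added Python simulation that is not part of the original posts: it performs a longest-prefix FIB lookup and shows that a packet whose source is spoofed from a routed range passes the loose check but fails the strict one, while only an unrouted source fails both. The FIB, interface names and sample packets are constructed for illustration.

```python
"""Simulation of loose- vs strict-mode uRPF checks against a constructed FIB."""
import ipaddress

# Constructed FIB: prefix -> outgoing interface (longest-prefix match wins).
# No default route, matching the "full routes (no default)" case in the thread.
FIB = {
    "192.0.2.0/24": "Gi0/1",        # customer A
    "198.51.100.0/24": "Gi0/2",     # customer B
    "203.0.113.0/24": "Gi0/0",      # upstream / rest of the Internet
    "203.0.113.128/25": "Gi0/3",    # more-specific learned from a peer
}
NETS = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()]


def fib_lookup(addr):
    """Return (network, interface) of the longest matching FIB entry, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in NETS if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_loose(src):
    """'reachable-via any': pass if ANY FIB entry covers the source address."""
    return fib_lookup(src) is not None


def urpf_strict(src, ingress_ifc):
    """'reachable-via rx': pass only if the best route back to the source
    points out the interface the packet arrived on."""
    hit = fib_lookup(src)
    return hit is not None and hit[1] == ingress_ifc


def classify(src, ingress_ifc):
    """Verdict of both modes for one packet (True = forwarded, False = dropped)."""
    return {"loose": urpf_loose(src), "strict": urpf_strict(src, ingress_ifc)}


# Constructed sample packets, all arriving on customer A's interface (Gi0/1).
SAMPLE = [
    ("192.0.2.10", "Gi0/1"),       # legitimate: customer A's own address
    ("198.51.100.7", "Gi0/1"),     # spoofed: routed address belonging to customer B
    ("10.0.0.1", "Gi0/1"),         # spoofed: unrouted source, the only case loose mode catches
]

if __name__ == "__main__":
    for src, ifc in SAMPLE:
        print(f"{src:>14} on {ifc}: {classify(src, ifc)}")
```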

