Date: Mon, 18 Aug 2008 08:21:38 -0500
From: Pete Templin <firstname.lastname@example.org>
Subject: Re: Is it time to abandon bogon prefix filters?
None of these suggestions (including the wisecrack "ACLs") provide full
If a miscreant originates a route in bogon space, their transit
provider(s) doesn't filter their customers, and you or your peer/transit
doesn't filter their peers/transits, your router will accept the route
in bogon space and will accept the bogon packets. Filtering has not
been accomplished, and the bogon attack vector remains open.
We recently expanded our network, separating our multi-homed transit network from our corporate and 'network services' LANs. We use BGP sessions between our transit and services networks to trade internal (RFC1918) routes as well as supply a default route. We do not trade external routes over these new sessions.
A happy side-effect of this is that our black-hole router, with a Cymru bogon feed, now populates the corporate routing table, rather than our full transit table, and by using strict uRPF all bogon traffic gets dropped (inbound), and no more-specific routes learned by the transit routers will override our BH routes.
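The two messages above describe the same mechanism from both sides: a bogon feed installed as black-hole routes to a discard interface, strict uRPF turning those routes into an ingress source filter, and the failure mode where a more-specific prefix learned from a peer or transit wins the longest-prefix match and silently reopens the bogon range. The simulation below is an added illustration and is not code from either poster or from the Cymru feed; the interface names, the short stand-in bogon list, the internal 10.1.0.0/16 route and the "leaked" 192.0.2.0/25 more-specific are all constructed, and it assumes the default route is allowed to satisfy strict uRPF (the equivalent of Cisco's allow-default).

```python
"""Longest-prefix routing lookup plus strict uRPF, to show why a black-hole
table that holds no external routes filters bogons reliably while a full
transit table does not.  Added example; all names and prefixes are constructed."""
import ipaddress

TRANSIT_IF = "transit0"   # assumed name: interface toward the transit routers
INSIDE_IF = "inside0"     # assumed name: interface toward the corporate LAN
NULL_IF = "Null0"         # discard interface that black-hole routes point at

# Constructed stand-in for a bogon feed: a few well-known unroutable ranges.
# A real feed is longer and changes over time; this list is only for the demo.
BOGON_FEED = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


class Rib:
    """Minimal routing table: longest-prefix match over (prefix, egress interface)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr):
        """Return (network, egress_if) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, ifname in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best


def strict_urpf_accepts(rib, src, ingress_if, allow_default=True):
    """Strict uRPF: accept the packet only if the best route to its *source*
    address points back out the interface it arrived on.  A route to Null0 can
    never match an ingress interface, so black-holed sources are dropped."""
    best = rib.lookup(src)
    if best is None:
        return False
    net, egress_if = best
    if egress_if == NULL_IF:
        return False
    if net.prefixlen == 0 and not allow_default:
        return False                      # default route not trusted for uRPF
    return egress_if == ingress_if


def black_hole_routes():
    """Bogon feed installed as routes to the discard interface."""
    return [(p, NULL_IF) for p in BOGON_FEED]


def corporate_rib():
    """Corporate table from the post: default toward transit, internal RFC1918
    routes learned over the internal BGP session, bogon feed to Null0, and
    deliberately no external routes."""
    return Rib([("0.0.0.0/0", TRANSIT_IF),
                ("10.1.0.0/16", INSIDE_IF)] + black_hole_routes())


def full_table_rib():
    """Transit router: same black-hole routes plus the external table, reduced
    here to one constructed more-specific that a peer announced inside a bogon
    range.  The default stands in for the rest of the full table."""
    return Rib([("0.0.0.0/0", TRANSIT_IF),
                ("10.1.0.0/16", INSIDE_IF),
                ("192.0.2.0/25", TRANSIT_IF)] + black_hole_routes())


def evaluate(rib, packets):
    """Map each (src, ingress_if) pair to True (accepted) or False (dropped)."""
    return {(src, ifname): strict_urpf_accepts(rib, src, ifname)
            for src, ifname in packets}


if __name__ == "__main__":
    inbound = [("1.2.3.4", TRANSIT_IF),      # ordinary Internet source
               ("192.0.2.7", TRANSIT_IF),    # inside a bogon range with a leaked /25
               ("10.9.9.9", TRANSIT_IF),     # RFC1918 source, no internal route
               ("10.1.2.3", TRANSIT_IF),     # spoofed internal address from outside
               ("10.1.2.3", INSIDE_IF)]      # genuine internal host
    for name, rib in (("corporate", corporate_rib()), ("full-table", full_table_rib())):
        for (src, ifname), ok in evaluate(rib, inbound).items():
            print(f"{name:10} {src:12} on {ifname:9} -> {'accept' if ok else 'drop'}")
```

The interesting row is 192.0.2.7: on the corporate table the /24 to Null0 is the longest match and the packet is dropped, while on the full table the leaked /25 toward transit wins, strict uRPF is satisfied, and the packet is accepted, which is exactly the "filtering has not been accomplished" case in the first message. Keeping external routes out of the table that carries the black holes is what makes the second poster's setup immune to that override.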