Currently we are blocking bogon advertisements
by using a prefix-list which we are updating manually. The problem with
this approach is that whenever an address block is delegated by IANA to a RIR this list has to be updated manually. According to Team Cymru there is an easy fix for this problem and that's peering with there bogon route server.
In theory this looks like a nice solution to the problem, a centralized
organ making sure the lists are up-to-date and spreaded to connected
participants within a minute. However I was thinking about this today
and there is a tiny glitch. And that is "what about more-specifics?". The
bogon route server project makes sure you don't get another route
matching the exact prefix, but a more-specific route will be accepted
by your bgp process and nicely inserted in your routing table. So it
looks like this approach only has very very little effect.
Some people use the argument that with the route set in your routing
table packets destined for these locations will be blackholed, however
in the DFZ you will never have these routes for starters so they
already will be blackholed. And if they do appear they'll be routed to
that destination, but that will also occur if we use the cymru bogon
server (but only in the situation where this means more-specific
routes).
The case that a more-specific bogon is announced is more common then
that an entire /8 network is announced, so I think the bogon server is
absolutely no solution for this problem, unless they are going to
announce it in de-aggregates of say /27 it has some effect.
To explain this a little more, let's take the following example:
CYMRU = remote router, OUR = our router.
CYMRU announces 2.0.0.0/8 tagged with their bogon community 65333:888
OUR sees the community and rewrites the nexthop to our blackhole IP.
OTHER announces 2.0.1.0/24
OUR sees the route, and enters it in the routing table with OUR's nexthop.
And voila bogons are happily traveling trough the network. Unless my understanding of the route-map is not 100%, this
effectively shows that the CYMRU approach has no use whatsoever and
static prefix-lists are the way to go.
This Post
You are reading Bogon filtering using BGP bogon route servers, posted by on 03 Dec '04 -22:58.
Calendar
| « | November 2008 | |||||
|---|---|---|---|---|---|---|
| S | M | T | W | T | F | S |
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | ||||||
Personal
Here I expunge my toughts about technology and other stuff, but also publish some documents I have written. Enjoy!
Recent Comments
mark (PaiQ): If you happen to have an invitation for a male… ple…Styl1n (Why Mac OS X suck…): Some good points made and some bad m’thinks. I agr…
Erik Schlytter-He… (DNS Priority Load…): How about adding multiple entries in DNS for the bo…
Alrayyes (PaiQ): Greetings, if you have one left, could you send me…
Dave (Why Mac OS X suck…): I didn’t even bother to read what you wrote, but th…
darwin (Why Mac OS X suck…): just as a sidenote the x for mac os x is just a swi…
peter (PaiQ): hi, i’ve heard about paiq. if you have an invitatio…
pinru (Why Mac OS X suck…): Is there somewhere a MacChurch? Why anytime one dis…
Kirsten (New server!): MAAR DE NAAM SUCKS BIG TIME! zo
bART (Blogging): hi … what’s wrong with tooske???
Archives
Sep 2002
Dec 2002
Jan 2003
Jun 2003
Jan 2004
Feb 2004
Mar 2004
Apr 2004
May 2004
Jun 2004
Jul 2004
Aug 2004
Sep 2004
Oct 2004
Nov 2004
Dec 2004
Jan 2005
Feb 2005
Mar 2005
Apr 2005
May 2005
Jun 2005
Jul 2005
Aug 2005
Sep 2005
Oct 2005
Dec 2005
Jan 2006
Feb 2006
Mar 2006
Apr 2006
May 2006
Jun 2006
Jul 2006
Sep 2006
Oct 2006
Nov 2006
Dec 2006
Feb 2007
Jan 2008
Counter
We don't need no counters :)
Stuff
Hazelnut is template written by Lorenzo Ferrara. It is a modified version of Marco van Hylckama Vlieg's "The Writer" template.
Icons by Kevin Wetzels
© 2005
Sam () (URL) - 19 December '05 - 19:18