[c-nsp] dropping traffic for RFC3330 networks

lee.e.rian at census.gov lee.e.rian at census.gov
Tue Aug 29 00:56:17 EDT 2006


Dan Armstrong <dan at beanfield.com> wrote on 08/28/2006 09:57:02 PM:

> On a related note to this..... what are people's opinions about null
> routing vs. ACLing bogons?

I always thought null routing was better.  ACLs may or may not be applied
in the fast path and they generate ICMP unreachables so you have to worry
about DOSing your router unless you do something like adding "no ip
unreachables" on the interface.  On the other hand, if you want to return
ICMP unreachables I think you have to use ACLs.

Lee


> Jay Ford wrote:
>
> >On Mon, 28 Aug 2006 lee.e.rian at census.gov wrote:
> >
> >
> >>Are there any routes that should be added or removed from this list?
> >>
> >>ip route 0.0.0.0       255.0.0.0     null0
> >>ip route 10.0.0.0      255.0.0.0     null0
> >>ip route 127.0.0.0     255.0.0.0     null0
> >>ip route 128.0.0.0     255.0.0.0     null0
> >>ip route 169.254.0.0   255.255.0.0   null0
> >>ip route 172.16.0.0    255.255.0.0   null0
> >>ip route 191.255.0.0   255.255.0.0   null0
> >>ip route 192.0.0.0     255.255.255.0 null0
> >>ip route 192.0.2.0     255.255.255.0 null0
> >>ip route 192.168.0.0   255.255.0.0   null0
> >>ip route 198.18.0.0    255.254.0.0   null0
> >>ip route 223.255.255.0 255.255.255.0 null0
> >>ip route 240.0.0.0     240.0.0.0     null0
> >>
> >>
> >
> >That list looks a bit broken to me.
> >
> >The "128.0.0.0 255.0.0.0" will kill many valid addresses (including mine).
> >Perhaps it should be "128.0.0.0 255.255.0.0", so it just kills 128.0.0.0/16?
> >
> >The "172.16.0.0 255.255.0.0" should be "172.16.0.0 255.240.0.0".
> >
> >There might be other errors.  Those are just the ones that jumped out at me.
> >
> >________________________________________________________________________
> >Jay Ford, Network Engineering Group, Information Technology Services
> >University of Iowa, Iowa City, IA 52242
> >email: jay-ford at uiowa.edu, phone: 319-335-5555, fax: 319-335-2951
> >_______________________________________________
> >cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >https://puck.nether.net/mailman/listinfo/cisco-nsp
> >archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>

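Added example (not part of the original thread): the manual review in Jay Ford's reply can be automated by comparing each null route's mask against the RFC 3330 block it is meant to cover. The reference table holds only the blocks the posted list targets, and the names audit, classify and POSTED are this example's own.

```python
import ipaddress
import re

# RFC 3330 blocks that the posted null-route list is aimed at.
RFC3330 = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "128.0.0.0/16",
    "169.254.0.0/16", "172.16.0.0/12", "191.255.0.0/16", "192.0.0.0/24",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "223.255.255.0/24", "240.0.0.0/4")]
ROUTE_RE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)\s+null0\s*$", re.I)

# Excerpt of the list posted in the thread (includes the two flagged lines).
POSTED = """\
ip route 10.0.0.0      255.0.0.0     null0
ip route 128.0.0.0     255.0.0.0     null0
ip route 172.16.0.0    255.255.0.0   null0
ip route 198.18.0.0    255.254.0.0   null0
ip route 240.0.0.0     240.0.0.0     null0
"""

def classify(net):
    for ref in RFC3330:
        if net == ref:
            return "ok"
        if ref.subnet_of(net):   # configured route is wider than the block
            extra = net.num_addresses - ref.num_addresses
            return f"too broad: drops {extra} addresses outside {ref}"
        if net.subnet_of(ref):   # configured route covers only part of it
            return f"too narrow: leaves part of {ref} routable"
    return "not an RFC 3330 block"

def audit(config_text):
    """Return {prefix: verdict} for each 'ip route <net> <mask> null0' line."""
    results = {}
    for line in config_text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        try:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        except ValueError as exc:  # host bits set or malformed mask
            results[line.strip()] = f"invalid: {exc}"
            continue
        results[str(net)] = classify(net)
    return results

if __name__ == "__main__":
    for prefix, verdict in audit(POSTED).items():
        print(f"{prefix:18} {verdict}")
```

RFC 3330 has since been obsoleted by RFC 5735 and then RFC 6890, so refresh the reference table before applying this check to a current configuration.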

