[c-nsp] Bogon Filter - Least Resource/CPU intensive method?

Whisper whisper555 at gmail.com
Thu Mar 6 06:45:59 EST 2008


Thanks for all the replies, they have been very enlightening.

Are there any other methods people use to filter/block bogons?

It's always good to hear about the relative real world pros & cons of
implementing specific policy decisions.

On Thu, Mar 6, 2008 at 5:51 PM, Matt Carter <matt at iseek.com.au> wrote:

> > Which is the preferred method for blocking bogons on the Internet & why?
> > Is the preferred solution sometimes hardware specific?
> >
> <..>
> >
> > Up to date bogon lists can be found here:
> > http://www.cymru.com/Documents/bogon-list.html
> >
>
> A more dynamic approach would perhaps be
>
> 1) Static route some unused address space at the edge to Null0 eg
> 192.0.2.1/32 (192.0.2.0/24 is often used for this application)
> 2) eBGP peer with the team cymru bogon route server
> 3) Set ip next-hop on received prefixes to 192.0.2.1
>
> At this point traffic _to_ the bogon address space will be routed to Null
> at the edge and dropped
>
> 4) Apply loose RPF at the edge
>
> At this point traffic _from_ the bogon address space will fail the RPF
> check and be dropped
>
> This approach requires minimal config (1 line) at the edge and no ongoing
> adjustments if the bogon list changes.
>
> It is very annoying for us that people like eBay still continue with manual
> (and very poorly maintained) bogon filter lists.
>
> --matt
>
>
>
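The four steps Matt describes, written out as an IOS-style configuration fragment. This is an added example and not from the thread itself; the route-server address, both AS numbers, the community value and the interface name are placeholders to be replaced with the values Team Cymru provides for the peering.

```cisco
! Step 1: sink address for bogon next-hops, never assigned to any host
ip route 192.0.2.1 255.255.255.255 Null0
!
! Never announce anything back to the route server
ip prefix-list DENY-ALL seq 10 deny 0.0.0.0/0 le 32
!
! Accept only prefixes carrying the community the route server sets
! (placeholder value; match what Team Cymru documents for your session)
ip community-list standard BOGON-COMMUNITY permit 64511:888
!
route-map BOGON-IN permit 10
 match community BOGON-COMMUNITY
 ! Step 3: point every received bogon prefix at the Null0 sink address
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map BOGON-IN deny 20
!
route-map DENY-ALL-OUT deny 10
!
! Step 2: eBGP multihop session with the bogon route server
! (203.0.113.10 and AS 64511 are placeholders; 64496 is our own AS here)
router bgp 64496
 neighbor 203.0.113.10 remote-as 64511
 neighbor 203.0.113.10 description Bogon route server (placeholder address)
 neighbor 203.0.113.10 ebgp-multihop 255
 neighbor 203.0.113.10 update-source Loopback0
 ! Bound the damage if the feed ever misbehaves
 neighbor 203.0.113.10 maximum-prefix 200 90
 neighbor 203.0.113.10 route-map BOGON-IN in
 neighbor 203.0.113.10 route-map DENY-ALL-OUT out
 neighbor 203.0.113.10 prefix-list DENY-ALL out
!
! Step 4: loose-mode uRPF on the upstream edge (placeholder interface).
! A source whose best route points at Null0 fails the check and is dropped,
! so the same BGP feed now filters inbound spoofed traffic as well.
interface GigabitEthernet0/0
 description Upstream transit edge
 ip verify unicast source reachable-via any
```

Check the result with `show ip bgp neighbors 203.0.113.10 received-routes` (needs soft-reconfiguration inbound) and `show ip interface GigabitEthernet0/0 | include verify`; the uRPF drop counter is visible via `show ip traffic | include RPF`.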