[c-nsp] Bogon Filter - Least Resource/CPU intensive method?

Justin Shore justin at justinshore.com
Thu Mar 6 09:31:32 EST 2008


Personally I'm still using ACLs on my border routers.  At this point in 
time I want the ACE hit counters for those rogue packets.  ACLs of 
course consume more resources, but they give me what I want.  I do ingress 
and egress and I update my ACLs within a few days of IANA announcing the 
allocation change.  It has to be manually changed in a lot of other 
places too so this doesn't exactly add overhead to the process IMHO.

If I didn't want the ACE counters I would definitely null route the 
traffic.  That's much cleaner and less processor intensive.  Prior to a 
couple months ago when I set up my RTBH system I would have had 51 null 
routes for each of the BOGONs, RFC 1918, and RFC 3330 networks on all of 
my border routers.  Now, with the RTBH system I simply add the route in 
a single place on my network (my RTBH trigger router) and all my iBGP 
speakers will learn it in seconds, directing packets to null.  This is 
what Matt was talking about.  It's a basic RTBH setup only he's using 
Cymru as the trigger router instead of originating the bogon routes 
locally.  I can give you some config if you need.  You can also find a 
couple good examples and a detailed explanation in the Router Security 
Strategies book and a lot of info online.

Justin

Whisper wrote:
> Thanks for all the replies; they have been very enlightening.
> 
> Are there any other methods people use to filter/block bogons?
> 
> It's always good to hear about the relative real-world pros & cons of
> implementing specific policy decisions.
> 
> On Thu, Mar 6, 2008 at 5:51 PM, Matt Carter <matt at iseek.com.au> wrote:
> 
>>> Which is the preferred method for blocking bogons on the Internet & why?
>>> Is the preferred solution sometimes hardware specific?
>>>
>> <..>
>>> Up to date bogon lists can be found here:
>>> http://www.cymru.com/Documents/bogon-list.html
>>>
>> A more dynamic approach would perhaps be
>>
>> 1) Static route some unused address space at the edge to Null0 eg
>> 192.0.2.1/32 (192.0.2.0/24 is often used for this application)
>> 2) eBGP peer with the team cymru bogon route server
>> 3) Set ip next-hop on received prefixes to 192.0.2.1
>>
>> At this point traffic _to_ the bogon address space will be routed to Null
>> at the edge and dropped
>>
>> 4) Apply loose RPF at the edge
>>
>> At this point traffic _from_ the bogon address space will fail the RPF
>> check and be dropped
>>
>> This approach requires minimal config (1 line) at the edge and no ongoing
>> adjustments if the bogon list changes.
>>
>> It is very annoying for us that people like eBay still continue with manual
>> (and very poorly maintained) bogon filter lists.
>>
>> --matt
>>


More information about the cisco-nsp mailing list
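The four steps in Matt's reply, written out as one IOS configuration. This is an added example, not configuration from either poster or from Team Cymru: the local AS (64496), the peer AS (65332), the peer address (203.0.113.254), the interface name and the MD5 key are placeholders to be replaced with the values the route-server operator assigns; only the 192.0.2.1 sink address comes from the thread.

```cisco
! --- Step 1: a sink address that resolves to Null0.
! 192.0.2.0/24 is documentation space (RFC 5737), so nothing real lives there.
ip route 192.0.2.1 255.255.255.255 Null0
!
! --- Step 2: eBGP session with the bogon route server.
! AS numbers, peer address and key are placeholders (see lead-in).
router bgp 64496
 neighbor 203.0.113.254 remote-as 65332
 neighbor 203.0.113.254 description bogon route server (placeholder address)
 neighbor 203.0.113.254 ebgp-multihop 255
 neighbor 203.0.113.254 update-source Loopback0
 neighbor 203.0.113.254 password PLACEHOLDER-MD5-KEY
 neighbor 203.0.113.254 prefix-list NOTHING-OUT out
 neighbor 203.0.113.254 route-map BOGON-IN in
!
! Announce nothing back to the route server.
ip prefix-list NOTHING-OUT seq 5 deny 0.0.0.0/0 le 32
!
! --- Step 3: every received bogon prefix gets the sink as its next hop.
! The recursive lookup on 192.0.2.1 lands on the Null0 static above, so
! the RIB installs each bogon prefix pointing at Null0. no-export keeps
! the routes inside the AS; the high local-preference beats any other path.
route-map BOGON-IN permit 10
 set ip next-hop 192.0.2.1
 set local-preference 500
 set community no-export
!
! --- Step 4: loose uRPF on the transit interface. A packet whose source
! address resolves to a Null0 route (or to no route at all) fails the
! check and is dropped; "any" means the return path need not be this
! interface, so asymmetric routing is not a problem.
interface GigabitEthernet0/0
 description Internet transit (placeholder interface)
 ip verify unicast source reachable-via any
```

To confirm the pieces fit together: `show ip bgp neighbors 203.0.113.254 routes` should list the bogon prefixes with next hop 192.0.2.1, `show ip route 192.0.2.1` should show the Null0 static, and `show ip interface GigabitEthernet0/0` should report the reachable-via ANY verification. Justin's point about counters still applies: loose uRPF drops appear only as an aggregate in `show ip traffic` (the "unicast RPF" line under IP drop statistics), not per prefix the way ACE hit counters do.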