Jared Mauch wrote:
On a router with full routes (ie: no default) the command is:
Router(config-if)#ip verify unicast source reachable-via any
Pete Templin wrote:
None of these suggestions (including the wisecrack "ACLs") provide full filtering:
If a miscreant originates a route in bogon space, their transit provider(s) don't filter their customers, and you or your peer/transit don't filter their peers/transits, your router will accept the route in bogon space and will accept the bogon packets. Filtering has not been accomplished, and the bogon attack vector remains open.
Rather than hoping that everyone filters their customers or that all of my transits filter every peer, if I want to protect my network from bogon packets, I need to ensure that my routers won't accept any prefixes in bogon space. The Team Cymru BGP feed does NOT provide this function; it merely provides a way to inject null routes for bogon aggregates.

I think you misunderstand the meaning of the "ip verify unicast source reachable-via any" command. When a packet arrives the router will drop it if it doesn't have a valid return path for the source. Since the source is a bogon, and routed to Null0, then the inbound packet is dropped.

Sam
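As an added illustration of both points in the thread (not code from either poster), a toy FIB with longest-prefix match and a loose-mode uRPF check in which a route to Null0 fails the check: the null-routed aggregate drops bogon-sourced packets as Sam describes, while a more-specific announcement inside bogon space that a peer is allowed to inject passes uRPF as Pete describes, unless an ingress prefix filter rejects it. All prefixes and next hops are constructed documentation addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route table: prefix -> next hop; "Null0" marks a discard route.
RouteTable = Dict[ipaddress.IPv4Network, str]

# Constructed bogon aggregate (TEST-NET-1), standing in for a Cymru-fed prefix.
BOGONS: List[ipaddress.IPv4Network] = [ipaddress.ip_network("192.0.2.0/24")]


def lookup(rib: RouteTable, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match, as a FIB lookup for the source address would do."""
    ip = ipaddress.ip_address(addr)
    matches = [(p, nh) for p, nh in rib.items() if ip in p]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_loose_accepts(rib: RouteTable, src: str) -> bool:
    """Loose-mode uRPF ('reachable-via any'): the source must resolve to
    some route, and that route must not point at Null0."""
    hit = lookup(rib, src)
    return hit is not None and hit[1] != "Null0"


def accept_bgp_prefix(prefix: str, bogons: List[ipaddress.IPv4Network]) -> bool:
    """Ingress BGP policy: reject any announcement inside bogon space,
    including more-specifics that would win longest-prefix match."""
    net = ipaddress.ip_network(prefix)
    return not any(net.subnet_of(b) for b in bogons)


def scenario(filter_bgp: bool) -> Dict[str, bool]:
    """Build a RIB with null-routed bogons plus one legitimate customer route,
    then optionally let a peer inject a more-specific inside bogon space."""
    rib: RouteTable = {b: "Null0" for b in BOGONS}
    rib[ipaddress.ip_network("198.51.100.0/24")] = "10.0.0.1"  # customer
    leaked = "192.0.2.128/25"  # hypothetical more-specific from a peer
    if not filter_bgp or accept_bgp_prefix(leaked, BOGONS):
        rib[ipaddress.ip_network(leaked)] = "10.0.0.2"  # learned via peer
    return {
        "bogon_src_in_aggregate_only": urpf_loose_accepts(rib, "192.0.2.5"),
        "bogon_src_in_leaked_specific": urpf_loose_accepts(rib, "192.0.2.200"),
        "legit_src": urpf_loose_accepts(rib, "198.51.100.7"),
        "unrouted_src": urpf_loose_accepts(rib, "203.0.113.9"),
    }
```

With filter_bgp=False the leaked /25 passes uRPF even though its covering /24 is null-routed; with filter_bgp=True the announcement is never installed and the Null0 aggregate drops it.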