If all you're using is BGP null routes, that's true. I would posit that BCP include Prefix filtering and ACLs as well, with dynamic updates. YMMV.
-----Original Message-----
From: Chris Adams [mailto:cmadams@hiwaay.net]
Sent: Monday, August 18, 2008 7:30 AM
To: NANOG list
Subject: Re: Is it time to abandon bogon prefix filters?
Once upon a time, Sam Stickland <sam_mailinglists@spacething.org> said:
> I think you misunderstand the meaning of the "ip verify unicast source reachable-via any" command. When a packet arrives the router will drop it if it doesn't have a valid return path for the source. Since the source is a bogon, and routed to Null0, then the inbound packet is dropped.
First, that is only true on Cisco routers (all the world is not a Cisco).
Second, you are missing the point: you have bogon route for 10/8, but rogue route for 10.1/16 (or even 10.0/9 and 10.128/9) arrives; it is more specific and your automatic bogon filter is useless.
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
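
The point argued in this thread, as an added example that is not part of the original messages: a small Python model of longest-prefix match showing a loose-mode uRPF check against a 10/8 null route, how a received more-specific route changes the result, and how an inbound prefix filter keeps that route out of the table. The function names, the "peer-A" next hop and the sample addresses are constructed for illustration and are not any vendor's implementation.

```python
import ipaddress

NULL0 = "Null0"  # discard next hop used for the bogon null route
BOGONS = [ipaddress.ip_network("10.0.0.0/8")]  # the 10/8 example from the thread

def base_fib():
    """Forwarding table holding only the bogon null route."""
    return {net: NULL0 for net in BOGONS}

def lookup(fib, addr):
    """Longest-prefix match: return (prefix, next_hop), or None if no route."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, nh) for net, nh in fib.items() if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def loose_urpf_permits(fib, src):
    """Model of the loose check described above: drop a packet whose source
    has no route at all or whose best route points at Null0."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] != NULL0

def receive_announcement(fib, prefix, next_hop, bogon_filter=None):
    """Install a received route unless the inbound prefix filter rejects it.
    The filter rejects a bogon block and anything more specific inside it."""
    net = ipaddress.ip_network(prefix)
    if bogon_filter is not None and any(net.subnet_of(b) for b in bogon_filter):
        return False
    fib[net] = next_hop
    return True

if __name__ == "__main__":
    src = "10.1.2.3"  # constructed sample source address

    # Null route only: the bogon source is dropped.
    fib = base_fib()
    print("null route only          ->", loose_urpf_permits(fib, src))

    # A more-specific route is accepted: it wins the lookup over 10/8.
    receive_announcement(fib, "10.1.0.0/16", "peer-A")
    print("after 10.1/16 accepted   ->", loose_urpf_permits(fib, src))

    # Same announcement with an inbound prefix filter: never installed.
    fib = base_fib()
    receive_announcement(fib, "10.1.0.0/16", "peer-A", bogon_filter=BOGONS)
    print("with inbound prefix list ->", loose_urpf_permits(fib, src))
```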