Pete Templin wrote:
> Jared Mauch wrote:
>> On a router with full routes (ie: no default) the command
>> is:
>> Router(config-if)#ip verify unicast source reachable-via any
> None of these suggestions (including the wisecrack "ACLs") provide
> full filtering:
> If a miscreant originates a route in bogon space, their transit
> provider(s) doesn't filter their customers, and you or your
> peer/transit doesn't filter their peers/transits, your router will
> accept the route in bogon space and will accept the bogon packets.
> Filtering has not been accomplished, and the bogon attack vector
> remains open.
> Rather than hoping that everyone filters their customers or that all
> of my transits filter every peer, if I want to protect my network from
> bogon packets, I need to ensure that my routers won't accept any
> prefixes in bogon space. The Team Cymru BGP feed does NOT provide
> this function; it merely provides a way to inject null routes for
> bogon aggregates.
I think you misunderstand the meaning of the "ip verify unicast source
reachable-via any" command. When a packet arrives the router will drop
it if it doesn't have a valid return path for the source. Since the
source is a bogon, and routed to Null0, then the inbound packet is dropped.
Sam
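The two positions in this thread can be checked against a small model of what loose-mode uRPF actually does. The following is an added example written for this page, not code from any poster or from Cisco: a toy FIB with longest-prefix match, a loose-mode check (source must have a route, and that route must not point at Null0, which is the behaviour Sam describes) and a strict-mode check (the route must point back out the ingress interface). The prefixes, interface names and the "leaked" more-specific route are constructed for illustration; 10.0.0.0/8 stands in for a bogon aggregate null-routed from a feed such as Team Cymru's.

```python
import ipaddress

NULL0 = "Null0"  # pseudo-interface used for null routes


class Fib:
    """Minimal forwarding table: list of (prefix, next_hop, out_iface)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns (network, next_hop, iface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, nh, ifc in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        return best


def urpf_loose(fib, src):
    """'ip verify unicast source reachable-via any':
    pass if the source has a route and that route is not to Null0."""
    r = fib.lookup(src)
    return r is not None and r[2] != NULL0


def urpf_strict(fib, src, in_iface):
    """'ip verify unicast source reachable-via rx':
    pass only if the best route to the source points back out in_iface."""
    r = fib.lookup(src)
    return r is not None and r[2] == in_iface


def base_fib():
    # Constructed table: full routes, no default, bogon aggregate to Null0.
    return Fib([
        ("198.51.100.0/24", "192.0.2.1", "Gi0/1"),   # customer behind Gi0/1
        ("203.0.113.0/24", "192.0.2.2", "Gi0/2"),    # peer behind Gi0/2
        ("10.0.0.0/8", None, NULL0),                 # bogon null route (constructed)
    ])


def leaked_fib():
    # Same table, plus a more-specific bogon prefix accepted from a peer
    # because nobody along the path filtered it (Pete's scenario).
    f = base_fib()
    f.routes.append((ipaddress.ip_network("10.9.0.0/16"), "192.0.2.2", "Gi0/2"))
    return f


def demo():
    """Return loose-mode verdicts for a few constructed sources."""
    good, leaked = base_fib(), leaked_fib()
    return {
        "bogon_dropped": urpf_loose(good, "10.1.2.3"),        # False: Null0
        "unrouted_dropped": urpf_loose(good, "192.0.2.9"),     # False: no route
        "customer_ok": urpf_loose(good, "198.51.100.7"),       # True
        "leaked_bogon_passes": urpf_loose(leaked, "10.9.1.1"), # True: /16 wins
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'pass' if v else 'drop'}")
```

The model shows both posters are right about their own cases: with only the Null0 aggregate in the table, loose-mode uRPF drops packets sourced from the bogon, with no ACL needed; but once a more-specific bogon prefix is accepted into the RIB from a peer, longest-prefix match chooses it over the null route and the same packet passes, which is why the null-route feed alone does not substitute for prefix filtering on BGP sessions.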