BOGON Filtering

Unanswered Question
Jan 12th, 2008

Hi All,


I am currently viewing the configuration of my two ISP connections.


I am trying to find the best practise for filtering BOGONS.


We are currently filtering them using an in-bound access-list applied to the ISP facing interfaces.


Would I be correct in saying that it would be more efficient not to utilise access-lists and instead route the networks to Null0 with 'No ICMP Redirects'?


Thanks,


Peter.

mwall1 Sun, 01/13/2008 - 07:16

Hi Peter,


Based on Rob Thomas' Secure BGP template ( http://www.cymru.com/Documents/secure-bgp-template.html ), here is how they recommend doing it:



! The bogons prefix list prevents the acceptance of obviously bogus
! routing updates. This can be modified to fit local requirements.
! While aggregation is possible - certainly desirable - IANA tends
! to allocate netblocks on a /8 boundary. For this reason, I have
! listed the bogons largely as /8 netblocks. This will make changes
! to the bogons prefix-list easier to accomplish and less intrusive.
! I have listed more specific netblocks when documentation, such as
! RFC1918, is more granular.
! Please see the IANA IPv4 netblock assignment document at the
! following URL:
! http://www.iana.org/assignments/ipv4-address-space
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32
ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32
ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32
ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32
ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32
ip prefix-list bogons seq 75 deny 46.0.0.0/8 le 32
ip prefix-list bogons seq 80 deny 49.0.0.0/8 le 32
ip prefix-list bogons seq 85 deny 50.0.0.0/8 le 32
ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32
ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32
ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32
ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32
ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32
ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32
ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32
ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32
ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32
ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32
ip prefix-list bogons seq 305 deny 110.0.0.0/8 le 32
ip prefix-list bogons seq 310 deny 111.0.0.0/8 le 32
ip prefix-list bogons seq 315 deny 112.0.0.0/8 le 32
ip prefix-list bogons seq 320 deny 113.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 405 deny 173.0.0.0/8 le 32
ip prefix-list bogons seq 410 deny 174.0.0.0/8 le 32
ip prefix-list bogons seq 415 deny 175.0.0.0/8 le 32
ip prefix-list bogons seq 420 deny 176.0.0.0/8 le 32
ip prefix-list bogons seq 425 deny 177.0.0.0/8 le 32
ip prefix-list bogons seq 430 deny 178.0.0.0/8 le 32
ip prefix-list bogons seq 435 deny 179.0.0.0/8 le 32
ip prefix-list bogons seq 440 deny 180.0.0.0/8 le 32
ip prefix-list bogons seq 445 deny 181.0.0.0/8 le 32
ip prefix-list bogons seq 450 deny 182.0.0.0/8 le 32
ip prefix-list bogons seq 455 deny 183.0.0.0/8 le 32
ip prefix-list bogons seq 460 deny 184.0.0.0/8 le 32
ip prefix-list bogons seq 465 deny 185.0.0.0/8 le 32
ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 510 deny 197.0.0.0/8 le 32
ip prefix-list bogons seq 512 deny 198.18.0.0/15 le 32
ip prefix-list bogons seq 515 deny 223.0.0.0/8 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements.
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27


HTH,


Mike
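As an added example (not part of Mike's post or the Cymru template), here is a small Python checker that parses `ip prefix-list` lines with IOS first-match and ge/le semantics, so a candidate prefix can be tested against a list like the one above before it is applied to a BGP session; it works on a constructed subset of the entries. Note the template is from 2008 and several of the /8s it denies have since been allocated by IANA, so the entries themselves should come from a maintained bogon source.

```python
import ipaddress
import re

# Constructed subset of the prefix-list quoted above (entries copied verbatim).
BOGON_PREFIX_LIST = """
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 490 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 500 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 520 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 525 permit 0.0.0.0/0 le 27
"""

LINE_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$"
)


def parse_prefix_list(text):
    """Return entries as (seq, action, network, min_len, max_len), sorted by seq."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 'description' lines and comments are not match entries
        _name, seq, action, prefix, ge, le = m.groups()
        net = ipaddress.ip_network(prefix, strict=False)
        # IOS semantics: no ge/le means the route length must equal the prefix
        # length; 'le N' alone means prefixlen <= length <= N.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else lo
        entries.append((int(seq), action, net, lo, hi))
    entries.sort(key=lambda e: e[0])
    return entries


def evaluate(entries, route):
    """First matching entry wins; an unmatched route hits the implicit deny."""
    r = ipaddress.ip_network(route, strict=False)
    for seq, action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action, seq
    return "deny", None
```

A route that is more specific than /27 (for example a /28 leaked by a peer) falls through every entry and is dropped by the implicit deny, which is the intended behaviour of the final permit line.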

Danilo Dy Mon, 01/14/2008 - 07:24

Hi,


I think the 3 implementations of BOGONS, though they complement each other, address different issues.


1. ACL

Take note that BOGON in the ACL includes your own network (claims it came from the inside network, yet arrives on the outside interface - unless you configure CEF to take care of spoofing). Blocking BOGONS using ACL also frees up CPU processing from your router; instead of processing incoming connections from BOGONS, the router will drop them immediately.

2. NULL

Take note that this includes your prefix (remember to add more specific non-null routes so that the packets travel to their intended destination). This also frees up CPU processing from your router: some host/s inside your domain may accidentally/intentionally initiate connections to BOGONS; instead of processing them, the router will just route them to NULL.

3. Finally BGP

This avoids injecting BOGONS into the routing table. Frees up memory as well.


Regards,

Dandy

mwall1 Mon, 01/14/2008 - 09:42

Dandy,


How many Null routes are recommended (You should specify your ip ranges as well as other private spaces?)


How do you specify non-null routes?


Thanks,


Mike

Danilo Dy Mon, 01/14/2008 - 17:43

Hi,


Just for the sake of discussion, for example you have the network 192.168.16.0.0/16. You route it to NULL as "ip route 192.168.0.0 255.255.0.0 NULL". Then you should have a more preferred route like "192.168.1.0 255.255.255.0 gateway_ip_address".


So that for IP addresses within 192.168.0.0/16 that are not currently assigned or routed, when the router receives a connection to them, it will route it to NULL. This is very useful, especially for those who are trying to map your network.


Regards,

Dandy
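As an added example, not from the thread, here is Python that models Dandy's Null0 scheme with longest-prefix matching and includes an audit for Null0 aggregates that have no more-specific real route beneath them (the omission he warns about); the next-hop addresses are constructed. One caveat: traffic dropped via Null0 makes the router generate ICMP unreachables unless `no ip unreachables` is set on interface Null0, which matters when the blackhole is meant to absorb scans quietly.

```python
import ipaddress

# Constructed routing table modelled on the example above: the whole /16 is
# sent to Null0, and the in-use /24 has a more specific (hence preferred)
# route to a real gateway. Next-hop addresses are assumptions for the demo.
STATIC_ROUTES = [
    ("192.168.0.0/16", "Null0"),      # aggregate: unassigned space is dropped
    ("192.168.1.0/24", "10.0.0.1"),   # assigned subnet, real gateway (assumed)
    ("0.0.0.0/0", "203.0.113.1"),     # default route towards the ISP (assumed)
]


def build_rib(routes):
    return [(ipaddress.ip_network(p), nh) for p, nh in routes]


def lookup(rib, dst):
    """Longest-prefix match, as the router's forwarding table does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def classify(rib, dsts):
    """Map each destination to 'dropped' (Null0) or 'forwarded'."""
    return {
        d: "dropped" if lookup(rib, d)[1] == "Null0" else "forwarded" for d in dsts
    }


def null_routes_without_specifics(rib):
    """Audit: Null0 aggregates with no more-specific non-null route under them.
    Such an aggregate would blackhole the live subnets it covers."""
    missing = []
    for net, nh in rib:
        if nh != "Null0":
            continue
        covered = any(
            o != net and o.subnet_of(net) and onh != "Null0" for o, onh in rib
        )
        if not covered:
            missing.append(str(net))
    return missing
```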
