04-03-2009 03:29 PM - edited 03-04-2019 04:14 AM
Dear Friends,
While trying to understand the configs of an Internet Edge router, I came across 20-25 static routes of public networks pointing to Null interfaces. Please find these static routes below.
ip route 1.0.0.0 255.0.0.0 Null0
ip route 2.0.0.0 255.0.0.0 Null0
ip route 5.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 14.0.0.0 255.0.0.0 Null0
ip route 23.0.0.0 255.0.0.0 Null0
ip route 27.0.0.0 255.0.0.0 Null0
ip route 31.0.0.0 255.0.0.0 Null0
ip route 36.0.0.0 255.0.0.0 Null0
ip route 37.0.0.0 255.0.0.0 Null0
ip route 39.0.0.0 255.0.0.0 Null0
ip route 42.0.0.0 255.0.0.0 Null0
ip route 46.0.0.0 255.0.0.0 Null0
ip route 49.0.0.0 255.0.0.0 Null0
ip route 50.0.0.0 255.0.0.0 Null0
ip route <Local Public Segment> 255.255.248.0 Null0
ip route 100.0.0.0 255.0.0.0 Null0
ip route 101.0.0.0 255.0.0.0 Null0
ip route 102.0.0.0 255.0.0.0 Null0
ip route 103.0.0.0 255.0.0.0 Null0
ip route 104.0.0.0 255.0.0.0 Null0
ip route 105.0.0.0 255.0.0.0 Null0
ip route 106.0.0.0 255.0.0.0 Null0
ip route 107.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 175.0.0.0 255.0.0.0 Null0
ip route 176.0.0.0 255.0.0.0 Null0
ip route 177.0.0.0 255.0.0.0 Null0
ip route 179.0.0.0 255.0.0.0 Null0
ip route 180.0.0.0 255.0.0.0 Null0
ip route 181.0.0.0 255.0.0.0 Null0
ip route 182.0.0.0 255.0.0.0 Null0
ip route 183.0.0.0 255.0.0.0 Null0
ip route 185.0.0.0 255.0.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
ip route 223.0.0.0 255.0.0.0 Null0
The Internet edge router is also BGP peering with the ISP router and is allowing only the default route to come into it from the ISP.
Any idea on the reason behind why these statics were configured?
Thanks a lot
Gautam
04-03-2009 03:44 PM
Yes.
BGP will not advertise a prefix if it does not already exist in the IGP RIB. This is part of its synchronization rule. The idea is that when it receives traffic for the network it is going to advertise, its internal routers will know how to route it.
[EDIT] I should have mentioned that these addresses are known as bogons and should never be advertised to the Internet.
These static routes, I'm sure, are part of a bogon filter. [EDIT]
Can you post the entire router configuration?
HTH
Victor
04-06-2009 11:45 AM
Hello Gautam,
These static routes to null0 are probably used for security reasons on the border router.
If a worm inside your network tries to contact one of these addresses, the packet is silently discarded using the null0 waste bin.
It is a way to ensure that packets with any of these unused address blocks are not sent to the internet from inside your network (I've checked a few on a looking glass; they are unused and with a community no-export associated to a private AS number in a more complex ISP level scenario).
It is more efficient than using an outbound ACL on the WAN interface, for example.
Edit:
I suggest keeping the static routes in place; they do a security job, preventing packets with a source address within your organization and a destination in these unused address blocks from going to the internet.
It is better than being called by your upstream ISPs.
Hope to help
Giuseppe
04-04-2009 03:00 AM
Hi,
I am wondering why you need such static routes. Do all those networks belong to a single Autonomous System? And you are actually black-holing all traffic destined for those networks.
HTH
Mohamed
04-06-2009 11:00 AM
Remove these routes.
As stated, these are bogons and should only be added to an ACL to deny any of these routes being advertised to you.
Here is what I have on my router for your reference:
router bgp 65001
neighbor 201.AAA.BBB.130 route-map IN in
!
ip prefix-list IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list IN seq 10 deny 1.0.0.0/8 le 32
ip prefix-list IN seq 15 deny 2.0.0.0/8 le 32
ip prefix-list IN seq 20 deny 5.0.0.0/8 le 32
ip prefix-list IN seq 30 deny 10.0.0.0/8 le 32
ip prefix-list IN seq 32 deny 14.0.0.0/8 le 32
ip prefix-list IN seq 35 deny 23.0.0.0/8 le 32
ip prefix-list IN seq 40 deny 27.0.0.0/8 le 32
ip prefix-list IN seq 45 deny 31.0.0.0/8 le 32
ip prefix-list IN seq 50 deny 36.0.0.0/8 le 32
ip prefix-list IN seq 55 deny 37.0.0.0/8 le 32
ip prefix-list IN seq 60 deny 39.0.0.0/8 le 32
ip prefix-list IN seq 70 deny 42.0.0.0/8 le 32
ip prefix-list IN seq 75 deny 46.0.0.0/8 le 32
ip prefix-list IN seq 80 deny 49.0.0.0/8 le 32
ip prefix-list IN seq 85 deny 50.0.0.0/8 le 32
ip prefix-list IN seq 255 deny 100.0.0.0/8 le 32
ip prefix-list IN seq 260 deny 101.0.0.0/8 le 32
ip prefix-list IN seq 265 deny 102.0.0.0/8 le 32
ip prefix-list IN seq 270 deny 103.0.0.0/8 le 32
ip prefix-list IN seq 275 deny 104.0.0.0/8 le 32
ip prefix-list IN seq 280 deny 105.0.0.0/8 le 32
ip prefix-list IN seq 285 deny 106.0.0.0/8 le 32
ip prefix-list IN seq 290 deny 107.0.0.0/8 le 32
ip prefix-list IN seq 390 deny 127.0.0.0/8 le 32
ip prefix-list IN seq 395 deny 169.254.0.0/16 le 32
ip prefix-list IN seq 400 deny 172.16.0.0/12 le 32
ip prefix-list IN seq 415 deny 175.0.0.0/8 le 32
ip prefix-list IN seq 420 deny 176.0.0.0/8 le 32
ip prefix-list IN seq 425 deny 177.0.0.0/8 le 32
ip prefix-list IN seq 435 deny 179.0.0.0/8 le 32
ip prefix-list IN seq 440 deny 180.0.0.0/8 le 32
ip prefix-list IN seq 445 deny 181.0.0.0/8 le 32
ip prefix-list IN seq 450 deny 182.0.0.0/8 le 32
ip prefix-list IN seq 455 deny 183.0.0.0/8 le 32
ip prefix-list IN seq 465 deny 185.0.0.0/8 le 32
ip prefix-list IN seq 490 deny 192.0.2.0/24 le 32
ip prefix-list IN seq 500 deny 192.168.0.0/16 le 32
ip prefix-list IN seq 512 deny 198.18.0.0/15 le 32
ip prefix-list IN seq 515 deny 223.0.0.0/8 le 32
ip prefix-list IN seq 520 deny 224.0.0.0/3 le 32
!
route-map IN permit 20
match ip address prefix-list IN
!
04-07-2009 07:38 AM
Dear friends,
Thanks a lot for your kind responses.
Sorry for not being able to answer any of your posts earlier.
The bgp config is as follows:
router bgp 47901
no synchronization
bgp router-id 94.125.x.x
bgp log-neighbor-changes
network x.x.x.x mask 255.255.255.248
network x.x.x.x mask 255.255.255.248
neighbor 78.100.38.41 prefix-list allow-default in
neighbor 78.100.38.41 route-map localpref-qtellink2 in
no auto-summary
ip prefix-list allow-default seq 5 permit 0.0.0.0/0
ip prefix-list allow-default seq 10 deny 0.0.0.0/0 le 32
I believe that we are already doing enough filtering to allow only default routes in from the ISP.
However as Giuseppe said, it will be good to prevent internal attacks from happening.
Thanks a lot
Gautam
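The forwarding behaviour discussed in this thread, as an added example that is not part of the original posts: a Python sketch of longest-prefix matching over a constructed subset of the posted Null0 statics plus the BGP-learned default route, which also lists the null routes that are not permanently reserved blocks. Those /8s were unallocated when the thread was written; IANA's free IPv4 pool was exhausted in 2011, so such entries need checking against the current registry before a list like this is kept in service. The function names and the use of the BGP neighbor as the default next hop are assumptions.

```python
import ipaddress

# Constructed sample: a few of the thread's Null0 statics. The default
# route's next hop is assumed to be the BGP neighbor shown in the thread.
CONFIG = """\
ip route 1.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
ip route 223.0.0.0 255.0.0.0 Null0
"""
DEFAULT = (ipaddress.ip_network("0.0.0.0/0"), "78.100.38.41")

# Permanently reserved blocks that appear in the thread's list
# (RFC 1918, loopback, link-local, TEST-NET-1, benchmarking).
SPECIAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15")]

def parse_null_routes(text):
    """Return the network of every 'ip route <net> <mask> Null0' line."""
    nets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[:2] == ["ip", "route"] and f[4].lower() == "null0":
            nets.append(ipaddress.ip_network(f"{f[2]}/{f[3]}"))
    return nets

def lookup(dst, null_nets):
    """Longest-prefix match: the most specific route beats the default."""
    addr = ipaddress.ip_address(dst)
    table = [(n, "Null0") for n in null_nets] + [DEFAULT]
    matches = [(n, hop) for n, hop in table if addr in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def needs_review(null_nets):
    """Null routes that are not inside a permanently reserved block."""
    return [str(n) for n in null_nets
            if not any(n.subnet_of(s) for s in SPECIAL)]

if __name__ == "__main__":
    nets = parse_null_routes(CONFIG)
    for dst in ("10.1.2.3", "8.8.8.8", "1.1.1.1"):
        print(dst, "->", lookup(dst, nets))
    print("re-check against the IANA registry:", needs_review(nets))
```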