Bogons are a set of well-known routes that most networks should NOT be receiving. These are generally things like RFC 1918 addresses (10.x.x.x, for example) and address space that has not yet been assigned by the registries. In most cases, seeing traffic from a bogon address means something not quite right is going on. It's relatively common to not accept bogon prefixes being advertised to your network, and less common for bogon traffic to be filtered/blocked.

 

Route Filtering

The RFC makes a specific recommendation regarding IPv4 & IPv6 "Special-Purpose Addresses." For both v4 & v6 it states:

The IANA IPv4 Special-Purpose Address Registry [23] maintains the list of IPv4 special-purpose prefixes and their routing scope, and it SHOULD be used for prefix-filter configuration. Prefixes with value "False" in column "Global" SHOULD be discarded on Internet BGP peerings.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xhtml

http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

 

It goes on to suggest that it is unwise to accept prefixes that are as yet unallocated by IANA and/or the RIRs, but if you filter them you need to constantly update your lists, because prefixes are assigned every day. Its language is particularly strong: "Network administrators SHOULD NOT consider solutions described in this section if they are not capable of maintaining updated prefix filters: the damage would probably be worse than the intended security policy."

It's relatively common to reject martian prefixes via a list updated by hand, since they don't change much. Folks who are filtering the entire Bogon list, including unassigned prefixes, are generally doing it via the Team Cymru service or some other automated mechanism.
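An added example (not from the original page, Team Cymru or Juniper) of applying a hand-maintained martian list to received prefixes with "orlonger" matching. The prefix list is a constructed subset of the IANA "Global = False" entries, and the function names and sample prefixes are assumptions made for illustration.

```python
import ipaddress

# Hand-maintained subset of special-purpose prefixes whose "Global" column is
# "False" in the IANA registries (constructed for this example; regenerate it
# from the registry before using it on a real peering).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1/128", "2001:db8::/32", "fc00::/7", "fe80::/10",
)]


def matching_martian(prefix):
    """Return the martian entry that covers `prefix` (equal or more specific,
    i.e. "orlonger" semantics), or None if the prefix passes the filter."""
    net = ipaddress.ip_network(prefix, strict=True)
    for martian in MARTIANS:
        # subnet_of() raises TypeError across address families, so compare
        # IPv4 only with IPv4 and IPv6 only with IPv6.
        if net.version == martian.version and net.subnet_of(martian):
            return martian
    return None


def filter_updates(prefixes):
    """Split received prefixes into (accepted, rejected); rejected items are
    (prefix, matching martian) pairs so the drop can be logged."""
    accepted, rejected = [], []
    for prefix in prefixes:
        hit = matching_martian(prefix)
        if hit is None:
            accepted.append(prefix)
        else:
            rejected.append((prefix, str(hit)))
    return accepted, rejected


# Constructed sample of prefixes as they might arrive from a peer.
SAMPLE = ["8.8.8.0/24", "10.20.0.0/16", "172.32.0.0/16", "192.168.1.0/24",
          "0.0.0.0/0", "2001:db8:1::/48", "2001:4860::/32", "100.64.0.0/10"]

if __name__ == "__main__":
    ok, bad = filter_updates(SAMPLE)
    print("accepted:", ok)
    for prefix, martian in bad:
        print(f"rejected: {prefix} (inside {martian})")
```

A covering prefix such as 0.0.0.0/0 is not "orlonger" than any martian entry, so it passes this check and has to be handled by a separate policy.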

 

Traffic Filtering

Actually filtering bogon/martian traffic is less common. There is little middle ground. Generally, the sites that do it perform extensive filtering and the sites that do not filter have deeply embedded feelings. Generally, filtering at end-sites, such as campuses, is less controversial. It also tends to follow a "whitelist example", with only the campus prefixes being allowed to pass the border out, rather than a "blacklist" example, with certain prefixes, like martians or bogons, being dropped.

 

 

 

General Resources

Team Cymru has a page that does a good job describing bogons. They also offer a variety of services related to martians and bogons, up to and including a BGP peering service that will distribute up-to-date lists to your routers.

http://www.team-cymru.org/bogon-reference.html

https://www.nanog.org/meetings/nanog33/presentations/deitrich.pdf


Juniper Example

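Junos has a feature, cleverly called 'martians', that allows you to configure martian addresses that are then automatically ignored by the routing protocols when received. Note that the allow keyword in the example below explicitly allows the given prefix, so routes within 240.0.0.0/4 are no longer treated as martian; leave allow off to add a prefix to the martian list.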

 

[edit routing-options]

user@host# set martians 240.0.0.0/4 orlonger allow

Juniper has some good documentation links on the use of their "martians" setting. A few of their articles are:

http://www.juniper.net/techpubs/en_US/junos/topics/concept/martian-addresses-understanding.html

https://www.juniper.net/documentation/en_US/junos12.3/topics/topic-map/martian-addresses.html

 

And, of course, Team Cymru has an example as well:

http://www.team-cymru.org/bgp-examples.html#juniper-trad

 

Cisco Example

Rather than duplicate content, I'm going to just link to the Team Cymru pages showing examples for Cisco, using both the traditional configuration and peer-groups:

http://www.team-cymru.org/bgp-examples.html#cisco-trad

http://www.team-cymru.org/bgp-examples.html#cisco-peer-trad

 

 

 
