How does inbound prefix filtering help defend against incorrect route advertisements, and what methods are commonly used?

Unlock all questions

This demo includes only 20 questions. Upgrade to access hundreds of questions, flashcards, exam simulations, and disable ads.

Full question bankExam simulationsFlashcards
From $24.99Unlock all

Master RIPE BGP Security with our comprehensive test. Understand the Border Gateway Protocol, explore multiple choice questions, and get ready for your exam with detailed hints and explanations.

Multiple Choice

How does inbound prefix filtering help defend against incorrect route advertisements, and what methods are commonly used?

Explanation:
Inbound prefix filtering is applied to updates received from a neighbor to prevent accepting routes you shouldn’t learn. It helps defend against misconfigurations, accidental leaks, or hijacks by ensuring only desired prefixes and valid origins enter your router’s table. The common methods are: - Prefix-lists: define exactly which prefixes (and sometimes which prefix lengths) you will accept from a given neighbor. - AS_PATH filters: constrain acceptable AS paths, helping to block routes that originate from or transit through certain ASes, or to enforce expected path patterns. - RPKI-based origin validation: verify that the route origin AS is authorized for the prefix using Route Origin Authorizations; if validation fails, the update can be rejected or withdrawn. These methods are often used together to provide layered protection: you permit only known prefixes, constrain paths, and optionally add cryptographic origin validation for extra assurance. Inbound filtering does not modify BGP UPDATE messages; it simply blocks or discards those that don’t pass the filters, preventing them from being installed. It applies to both IPv4 and IPv6 in practice. Other options miss the core function: blocking outbound advertisements is not inbound filtering, changing UPDATEs to alter AS_PATH isn’t how filtering works, and limiting the technique to IPv6 ignores its applicability to IPv4 as well.

Inbound prefix filtering is applied to updates received from a neighbor to prevent accepting routes you shouldn’t learn. It helps defend against misconfigurations, accidental leaks, or hijacks by ensuring only desired prefixes and valid origins enter your router’s table.

The common methods are:

  • Prefix-lists: define exactly which prefixes (and sometimes which prefix lengths) you will accept from a given neighbor.

  • AS_PATH filters: constrain acceptable AS paths, helping to block routes that originate from or transit through certain ASes, or to enforce expected path patterns.

  • RPKI-based origin validation: verify that the route origin AS is authorized for the prefix using Route Origin Authorizations; if validation fails, the update can be rejected or withdrawn.

These methods are often used together to provide layered protection: you permit only known prefixes, constrain paths, and optionally add cryptographic origin validation for extra assurance. Inbound filtering does not modify BGP UPDATE messages; it simply blocks or discards those that don’t pass the filters, preventing them from being installed. It applies to both IPv4 and IPv6 in practice.

Other options miss the core function: blocking outbound advertisements is not inbound filtering, changing UPDATEs to alter AS_PATH isn’t how filtering works, and limiting the technique to IPv6 ignores its applicability to IPv4 as well.

More Multiple Choice Questions
Subscribe

Get the latest from Examzify

You can unsubscribe at any time. Read our privacy policy