Many people are confused about routing security terms like “Bogons” and “Martians”, so let’s dig into what they mean, where they came from, and the difference between them.
My thoughts flash back to August 2006, at the first-ever South Asian Network Operators Group (SANOG) in Karachi, Pakistan, where I first heard the word “Bogon” from Dr. Philip Smith. I was a Junior Support Engineer at Cybernet, one of the largest Internet service providers (ISPs) in Pakistan, and so some of the concepts were new to me. Dr. Smith explained everything very well and his presentation is still available here. He referenced Project Cymru (now Team Cymru) and the CIDR-Report, a website started by Tony Bates and later maintained by Dr. Smith and Geoff Huston.
The definition of Bogon, I learned that day, is “Reserved, RFC1918, and Unallocated address space”.
Why is it called a Bogon?
Let’s back up for a second, though, and ask: why is it called a “Bogon” anyway? The word doesn’t exist in any English dictionary, so where did it come from? The Internet FAQ Archives had one reference, now archived, of its origin from December 2003:
Wait, what are “Vogons”? This Wikipedia post explains that they were an alien race from the planet Vogsphere in The Hitchhiker’s Guide to the Galaxy and were described as “one of the most unpleasant races in the galaxy.”
So the origin of the word Bogon is not straightforward, but it could be just a pronunciation error (Vogons –> Bogons) because to be fair, Bogons are actually the “most unpleasant address space in the Internet Routing galaxy”. I still don’t know who came up with this term first, so if you have some insight into the origin and who coined the term, please do share it with us.
What even is a Bogon?
Let’s turn back to the definition of Bogon and find out if there is any reference to it in any Request for Comments (RFCs) to get an accurate definition.
The first reference I can find is in RFC3871. The draft was proposed by George Jones in June 2003 and later became an Informational RFC in September 2004. Here is the definition:
A “Bogon” (plural: “bogons”) is a packet with an IP source address in an address block not yet allocated by IANA or the Regional Internet Registries (ARIN, RIPE, APNIC…) as well as all addresses reserved for private or special use by RFCs. See [RFC3330] and [RFC1918].
The RFC matches the definition given by Dr. Smith. Furthermore, RIPE-431 has one of the best definitions of Bogon prefixes:
What are bogon prefixes?
A bogon prefix as defined by Cymru is “a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPN or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks”.
For the purpose of this how-to, a packet received on an interface of a router is considered bogon if its source address should not be routable through that interface. This definition of bogon includes “martian” addresses (as listed in RFC 1918 and RFC 3330) and unallocated addresses as explained in the next subsection. Also included are addresses from networks that are always connected to other interfaces of the router.
Unallocated addresses are blocks of public address space that have not been allocated by the IANA to the RIRs yet, but that could be allocated in the future.
Then what is a Martian?
Interestingly, there is another term in RFC3871 called “Martian”. This term was first used in RFC1208 (Glossary of Networking Terms: by Daniel Lynch and Ole Jacobsen, published in 1991). The definition was as follows:
Per [RFC1208] “Martian: Humorous term applied to packets that turn up unexpectedly on the wrong network because of bogus routing entries. Also used as a name for a packet which has an altogether bogus (non-registered or ill-formed) Internet address.” For the purposes of this document Martians are defined as “packets having a source address that, by application of the current forwarding tables, would not have its return traffic routed back to the sender.” “Spoofed packets” are a common source of martians.
Are Martians and Bogons the same thing?
RFC1208 shows that the word Martian predates Bogon. Was Bogon simply the newer term for Martian, then, and are the two interchangeable? No, they are different!
Team Cymru’s Bogon Reference, which is the best resource after RFC3871 to explain both Bogons and Martians very clearly, says the following about Bogons and Martians:
“Bogons are defined as Martians (private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598) and netblocks that have not been allocated to a regional internet registry (RIR) by the Internet Assigned Numbers Authority.”
So, according to this definition, Bogons = Martians + Unallocated (IANA + RIRs) address space. Dave Dietrich from Team Cymru did a Bogon Tutorial at NANOG 33 in Feb 2005 that lays out the differences clearly.
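The two definitions above can be turned into checks a router or a log-analysis script would run. The following Python is an added example, not code from the original post, Team Cymru or any RFC. It encodes the Martian ranges from RFC 1918, RFC 5735 and RFC 6598 as listed by Team Cymru, treats “unallocated” space as a caller-supplied list (the `UNALLOCATED_SAMPLE` block is a constructed placeholder, not real IANA data), and implements the RFC 3871 Martian test quoted earlier: a source address is a Martian on a given interface if the forwarding table would not send the return traffic back out that same interface. The FIB and interface names (`ge-0/0/0` and so on) are constructed; documentation prefixes stand in for customer assignments.

```python
import ipaddress
from typing import Dict, Iterable, List

# Martian ("private and reserved") IPv4 space per RFC 1918, RFC 5735 and
# RFC 6598, the three RFCs named in Team Cymru's Bogon Reference.
MARTIANS_V4: List[ipaddress.IPv4Network] = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",           # "this" network (RFC 5735)
    "10.0.0.0/8",          # private (RFC 1918)
    "100.64.0.0/10",       # shared address space / CGNAT (RFC 6598)
    "127.0.0.0/8",         # loopback (RFC 5735)
    "169.254.0.0/16",      # link-local (RFC 5735)
    "172.16.0.0/12",       # private (RFC 1918)
    "192.0.0.0/24",        # IETF protocol assignments (RFC 5735)
    "192.0.2.0/24",        # TEST-NET-1, documentation (RFC 5735)
    "192.88.99.0/24",      # 6to4 relay anycast (RFC 5735)
    "192.168.0.0/16",      # private (RFC 1918)
    "198.18.0.0/15",       # benchmarking (RFC 5735)
    "198.51.100.0/24",     # TEST-NET-2, documentation (RFC 5735)
    "203.0.113.0/24",      # TEST-NET-3, documentation (RFC 5735)
    "224.0.0.0/4",         # multicast (RFC 5735)
    "240.0.0.0/4",         # reserved for future use (RFC 5735)
    "255.255.255.255/32",  # limited broadcast (RFC 5735)
)]

# Constructed placeholder for IANA-unallocated space. A real filter loads this
# from the IANA IPv4 address space registry or a bogon feed; 198.100.0.0/16 is
# NOT actually unallocated and is only here so the "unallocated" branch runs.
UNALLOCATED_SAMPLE: List[ipaddress.IPv4Network] = [ipaddress.ip_network("198.100.0.0/16")]


def classify_source(addr: str,
                    unallocated: Iterable[ipaddress.IPv4Network] = UNALLOCATED_SAMPLE) -> str:
    """Return 'martian', 'unallocated' or 'allocated'; the first two are bogons."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in MARTIANS_V4):
        return "martian"
    if any(ip in net for net in unallocated):
        return "unallocated"
    return "allocated"


def is_martian(addr: str) -> bool:
    return classify_source(addr, []) == "martian"


def is_bogon(addr: str, unallocated: Iterable[ipaddress.IPv4Network] = UNALLOCATED_SAMPLE) -> bool:
    # Bogons = Martians + unallocated space: every Martian is a bogon,
    # but a bogon (unallocated) need not be a Martian.
    return classify_source(addr, unallocated) != "allocated"


def return_path_ok(fib: Dict[ipaddress.IPv4Network, str], src: str, ingress: str) -> bool:
    """RFC 3871 Martian test: longest-prefix-match the source address in the
    FIB and check that return traffic would leave via the arrival interface."""
    ip = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for net, iface in fib.items():
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_net is not None and best_iface == ingress


# Constructed FIB for a small edge router (documentation prefixes stand in for
# the customers' real assignments; on a real router they would be Martians).
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("0.0.0.0/0"): "ge-0/0/0",         # default route to upstream
    ipaddress.ip_network("203.0.113.0/24"): "ge-0/0/1",    # customer A
    ipaddress.ip_network("203.0.113.128/25"): "ge-0/0/2",  # customer B, more specific
}

if __name__ == "__main__":
    for addr in ("10.1.2.3", "100.127.255.254", "100.128.0.1", "172.32.0.1", "198.100.4.4"):
        print(f"{addr:18} {classify_source(addr)}")
    for src, iface in (("203.0.113.10", "ge-0/0/1"), ("203.0.113.200", "ge-0/0/1"),
                       ("203.0.113.10", "ge-0/0/0")):
        verdict = "ok" if return_path_ok(FIB, src, iface) else "martian (likely spoofed)"
        print(f"{src} arriving on {iface}: {verdict}")
```

The boundary addresses in the demo (100.128.0.1 just past 100.64.0.0/10, 172.32.0.1 just past 172.16.0.0/12) are where hand-written filters most often go wrong, so they are worth keeping in any test set. The `return_path_ok` check is the per-interface reasoning RIPE-431 describes: the same source address can be legitimate on one interface and a Martian on another.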
Why is this still confusing?
As I said in the beginning, even after all these years and definitions, engineers still regularly confuse Bogons and Martians. Why? One possible reason could be mistakes made in reference manuals by vendors.
This is a screenshot of a Cisco-Linksys switch reference guide from 2008, and it has the option to define “Martian Addresses” with no reference to Bogons anywhere in the document.
In the ASA Firewall command reference, the word “Martian source” is used in the command output.
The earliest Cisco reference to Bogon I could find is in Cisco Packet Magazine from October 2006:
“Bogon routes are known bad routes within the Internet. For example, filter out all private networks along their Internet edge, although some private networks might be allowed, through prior arrangement, at private peering points. Address space reserved for research projects, or multicast use, and address space known not to be allocated to anyone, are also bogons, and generally should not pass-through administrative domain boundaries.”
However, the word Bogon is not referenced in any command reference guide like “Martian” on any of the Cisco platforms (at least I didn’t find any after multiple searches).
Just like Cisco-Linksys, JunOS has a “martian” keyword, and the following IPv4 and IPv6 address blocks are included by default.
Juniper’s documentation also defines Martian:
Martian addresses are host or network addresses about which all routing information is ignored. When received by the routing device, these routes are ignored. They commonly are sent by improperly configured systems on the network and have destination addresses that are obviously invalid.
This is despite the JunOS manual from 2005 explaining “Martian vs Bogon” very clearly. Neither Juniper nor Cisco should be blamed for this at all, but using “Martian” as a command-line keyword has most likely created some confusion for network engineers over the years.
What about Bogon ASNs?
Unfortunately, the situation with Bogon ASNs is much worse than with bogon prefixes. According to CIDR-Report data, on any given day there are around 500 unallocated or reserved ASNs in the global routing table. The definition of a Bogon ASN mirrors that of a Bogon prefix: an ASN is a Bogon if any of the following conditions is true:
- It is reserved for special use by an RFC (as per the table below), OR
- It is not part of the block assigned to an RIR by IANA, OR
- It is not assigned to an LIR by any RIR.
| AS Number/Range | Status | RFC Reference |
|---|---|---|
| 0 | Reserved (can’t be used in BGP) | RFC7607 |
| 64496-64511 | Reserved for use in docs and code | RFC5398 |
| 64512-65534 | Reserved for Private Use | RFC6996 |
| 65536-65551 | Reserved for use in docs and code | RFC5398 |
| 4200000000-4294967294 | Reserved for Private Use | RFC6996 |
There should be no room left for any ambiguity about the definitions of Bogon and Martian.
Remember the definition from high school chemistry?
“All alkalis are bases but not all bases are alkalis.”
Similarly, all Martians are Bogons, but not all Bogons are Martians.