Joe Abley wrote:
They're no good for filtering long prefix bogons announced to you by peers, though, and if you accept those then traffic with bogon destinations can follow them regardless of any cymru-fed covering routes with null next-hops.
If these statements are woefully out-of-date, where have I been, get with the programme, etc., then someone should spell out precisely what fancy modern router policy knobs they are turning to get the desired result. While you're doing that I'll just nod wisely and mutter things about "yeah, I was just pretending not to know that stuff, because I was making a point. Yeah, that's it. You're all so lucky I'm here." And things of that nature.
I can't think of a silver-bullet off the top of my head that would achieve this, but I'm sure you could achieve something through gratuitous policy and possibly RIB filters as well. That said, you can neatly use it to automagically uRPF-based blackhole for ingress/egress packet filtering. That helps a lot, but as you point out, if you had received a BGP route for a more specific bogon you may be in trouble. You could use the session to build your own filters/ACLs every time it changes, which is what some people do (and what the Cymru page suggests)...

aj.
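The exchange above, as an added example that is not part of either original message: a Python model of longest-prefix match showing a peer's more-specific bogon overriding a null-routed covering prefix, and an inbound filter rebuilt from the feed that rejects it. The feed contents, peer routes, next-hop names and function names are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (reserved/documentation ranges), not a real bogon feed.
BOGON_FEED = ["192.0.2.0/24", "198.18.0.0/15", "240.0.0.0/4"]
# Constructed peer announcements: one more-specific bogon, one prefix not in the feed.
PEER_ROUTES = [("198.18.5.0/24", "peer-A"), ("203.0.113.0/24", "peer-A")]

def build_rib(bogons, peer_routes):
    """RIB as {network: next_hop}; bogon covering routes get a null next hop."""
    rib = {ipaddress.ip_network(p): "null0" for p in bogons}
    for prefix, next_hop in peer_routes:
        rib[ipaddress.ip_network(prefix)] = next_hop
    return rib

def lookup(rib, dst):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in rib if addr.version == n.version and addr in n]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)]

def filter_inbound(bogons, peer_routes):
    """Drop any received prefix equal to or longer than a bogon prefix
    (the effect of a prefix-list entry with 'le 32' per bogon)."""
    nets = [ipaddress.ip_network(b) for b in bogons]
    accepted = []
    for prefix, next_hop in peer_routes:
        p = ipaddress.ip_network(prefix)
        if any(p.version == b.version and p.subnet_of(b) for b in nets):
            continue  # inside bogon space: reject at the session
        accepted.append((prefix, next_hop))
    return accepted

def demo():
    """Next hop for a bogon destination without and with the inbound filter."""
    unfiltered = build_rib(BOGON_FEED, PEER_ROUTES)
    filtered = build_rib(BOGON_FEED, filter_inbound(BOGON_FEED, PEER_ROUTES))
    dst = "198.18.5.1"
    return lookup(unfiltered, dst), lookup(filtered, dst)

if __name__ == "__main__":
    print(demo())
```

The filter has to be regenerated whenever the feed changes, which is the rebuild step the reply describes.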