Thursday, March 16, 2006


The Many Wonders of the Static Route to Null0.

When I first saw a static route to the Null0 interface in some IOS configuration, I most certainly did not appreciate the fact that I was looking at a veritable swiss army knife in the world of networking. My first impression was that this seemed silly at best and possibly wrong. After all, why would pointing packets at a software interface that would simply discard all packets aimed at it be a good idea?

Then over a period of time as I understood the various uses that a static route to Null0 was put to, I learned to look at it with respect. In this post I will try and list some of the scenarios where I have seen a static route to Null0 being gainfully employed.

One common use of this technique is for loop prevention. Assume you have a router performing NAT translating inside local addresses to the address range - Assume further that this router has a default route pointing to the outside as would be common for a router performing NAT at the edge of the network. If an outside device were to try to ping an address (, say) from the NAT address pool when that address has not yet been assigned to a translation, the packet would end up looping until its TTL gets decremented to zero because of the default route on the NAT router. The way to avoid this would be to code in a static route for the address pool to Null0 as follows

ip route Null0

With this static route, any addresses from the NAT pool not assigned to the translation would end up hitting this static route and would be dropped thus avoiding the problem with looping packets.

Another trick very similar to the last one is used in dial-up networks. Assume an access server is assigning an address from an address pool to dial-up clients. If the access server has a default route, packets addressed to any IP addresses in the dial-up address pool not currently assigned would result in packets looping. A static route for addresses in that pool to Null0 will prevent that problem. Note that if a packet comes in destined to an address that is indeed assigned to a dialed in client, it will get routed correctly because the access server will have a host route (/32) to that address and the semantics of the longest match with IP route lookup will ensure that the host route matches rather than the less specific static route to Null0 for that case. It is only packets in the address pool that are not assigned yet that will match the static route to Null0 and get dropped.

Let's take another scenario where the static route to Null0 comes in handy. Assume that you are summarizing prefix advertisements on a router but all subnets included in the summary may not be existing yet. In that case, packets addressed to non-existent subnets of the summary can end up looping if there is a default route on the router. This is avoided by adding a static route to Null0 for the summary address. Again, for subnets that do exist, the more specific route to the subnet will be matched because of the longest-match semantics but for non-existent subnets, the static route to Null0 will be matched and the packets dropped. Protocols like EIGRP will automatically add a static route to Null0 for the summarized prefix when auto summarization is in effect for exactly this loop prevention reason.

Now for a very different application of the static route to Null0. Recall how BGP will not advertise a prefix indicated in the network statement unless there is an exact route to the prefix. However, your router may only have routes to subnets of that prefix. To get BGP to advertise that route all you need to do is to add a static route to Null0 for that exact prefix you wish to advertise. The static route gets added to the routing table and that causes BGP to now advertise that prefix. Again, because of the longest prefix match semantics packets for valid subnets in that prefix will have a more specific entry in the routing table and so will be correctly routed. Packets for subnets of that prefix that do not exist will indeed match the static route to Null0 and get dropped but then that will be the correct behavior.

One very nice application of the static route to Null0 is when one needs to redistribute between RIP and and a classless routing protocol like OSPF where the RIP and OSPF domains share addressing in the same major network but if the masks are different. In such a scenario, if you try to redistribute the OSPF routes into RIP, it will not work. For instance, if the RIP and OSPF domains have addresses in the major network but let's say RIP is using addressing while the OSPF domain is using addresses from If you simply try to redistribute the OSPF routes into RIP, you will see that RIP will not advertise the routes learned from OSPF. To get this to work, one option might be to change the mask for the OSPF domain to be /24 also but for obvious reasons that is not an easy thing to do. Instead, you could simply configure a static route to Null0 for the prefix and redistribute the static route into RIP. As usual, because there will be more specific routes for the valid subnets of 172.169.10/24, packets will be routed properly and routers from the RIP domain will be able to reach routers in the OSPF domain.

I am sure I am only scratching the surface here with the use of the static route to Null0. If you are aware of other nifty uses of this tool, please leave a comment describing the scenario.

As you mentioned, there are MANY reasons and ways to use the route to NULL0, but one 'area' you didn't mention which I feel should be mentioned is security.

Especially on a border router that maybe is acting as a firewall, but in all reality this could be used for all internal routers if you wanted.

An example on a boarder router would be to provide routes to NULL0 for all bogons ( If you don't put NULL routes in on the router, it is relatively easy to find out what networks exist on the router, or what networks it knows about based on the ICMP responses, but with a dead route, it apears to the outside world to go through. This makes gathering info about your network extremely difficult.

Also, null routes could be setup on internal routers to networks that don't exist to setup kind of a "trap" for internal attacks. This method shouldn't be the only method by any means, but augmented with other good security practices could help shed light on various issues.

Basically one would create sort of a darknet. You'd setup your router with some nifty ACL's that would send a message to the syslog server based on access to these dead routes. This will help a network admin identify the source of a system trying to access unknown networks. This would then usually be a sign of a virus/trojan, but could potentially catch an attempt at an internal hack.

Personally I've set this up on my own, and configured my syslog server to alert me when it see's this particular message. It'll receive the syslog entry, and send an alert to my email and phone (also an email address).

As you can see, the uses for NULL0 are virtually endless.
Ryan, your example is a great addition to the many uses of the route to null0. Thanks!
Da Gama Thanks for this wonderful examples for a sometimes confusing topic. I would like to link this to my blog.
Thank you very much...From the very beginning i was wondering about the uses of NULL 0 route in a BGP..Now i clearly got the point

Thanx again
the route to null0 and the NAT advise, is useless, uRPF is doing that
Thank. Very Usefull
Post a Comment

Links to this post:

Create a Link

<< Home

This page is powered by Blogger. Isn't yours?