Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Bogon filtering (don't ban me either)

  • From: Jerry Pasker
  • Date: Fri Dec 03 13:44:16 2004


On Fri, 3 Dec 2004, Hank Nussbacher wrote:

 "Blocks all IANA reserved IP address blocks"

 The actual doc:

<http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf>
Surprise, surprise.  The examples in that document are already out of date
and filtering as bogons perfectly good IP space ARIN is handing out to
members.

The idea of a "default static bogon filter" being made part of IOS is a
horrible idea.  It's bad enough getting the places that went to the
trouble of setting up bogon filters to update them.  If everyone had them
by default, that would likely break the Internet for signifigant numbers
of people.  How many customer routers do you have on your networks that
were installed years ago and never upgraded?  How out of date would their
default bogon filters be now?

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Isn't the path to hell is paved with good intentions?

It's not the first time Cisco routes have shipped with out of date software in them, or known bugs/issues that pop up later to cause problems. ;-) Seriously, I'm not knocking Cisco, I'm just telling it like it is. If someone knows what they're doing they won't get burned on it. There are a lot of other IOS commands/options that can be turned on to screw networks up much worse. I don't fault Cisco for giving people the option. It should have a warning though, when enabled that it is out of date and will break things.

Just thinking out loud here:

If Cisco wanted to do something related to bogon filtering, they should make routes that expire/self delete after a certain date. Routes with a time to live. (NTP optional, but a set clock required to use the TTL routes).

Also, bogon lists, especially the ones that have been prepared by hand by someone so they can be cut/pasted into a router, should start with a remark line that says something along the lines of **WARNING DELETE AFTER FEB 2005! ** (Or, current date+ 4 months). I realize a lot of things can't be remarked, but any attempt to remark it, seems like it would be a good idea. Some people don't read all the stuff in the web page before they scroll down, and copy the bogon list. Some people don't heed the warnings. Some people leave their job after they put in bogons. Some people are router consultants, and never see that router again. Some people are too busy putting out fires and forget that 8 months have passed since they checked their bogons.

And some people are just stupid. ;-)

A remark could go a long way to solving/preventing the problem when the next person takes a look at the router's configuration.

The perfect solution to the bogon issue is constant diligence. Getting a route feed is a good seccond choice. The third choice is to not use bogon filters at all.

In a perfect world, those in charge of allowing routes in to the global internet wouldn't allow bogons, because they would only allow announcements that they've checked out ahead of time. And just like packet ingress filtering, it's a solution that probably won't happen any time soon.

-Jerry




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.