North American Network Operators Group
Re: Bogon filtering (don't ban me either)
- From: Jerry Pasker
- Date: Fri Dec 03 13:44:16 2004
On Fri, 3 Dec 2004, Hank Nussbacher wrote:
"Blocks all IANA reserved IP address blocks"
The actual doc:
<http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf>
Surprise, surprise. The examples in that document are already out of date
and filtering as bogons perfectly good IP space ARIN is handing out to
members.
The idea of a "default static bogon filter" being made part of IOS is a
horrible idea. It's bad enough getting the places that went to the
trouble of setting up bogon filters to update them. If everyone had them
by default, that would likely break the Internet for significant numbers
of people. How many customer routers do you have on your networks that
were installed years ago and never upgraded? How out of date would their
default bogon filters be now?
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Isn't the path to hell paved with good intentions?
It's not the first time Cisco routers have shipped with out of date
software in them, or known bugs/issues that pop up later to cause
problems. ;-) Seriously, I'm not knocking Cisco, I'm just telling
it like it is. If someone knows what they're doing they won't get
burned on it. There are a lot of other IOS commands/options that can
be turned on to screw networks up much worse. I don't fault Cisco
for giving people the option. It should have a warning though, when
enabled that it is out of date and will break things.
Just thinking out loud here:
If Cisco wanted to do something related to bogon filtering, they
should make routes that expire/self delete after a certain date.
Routes with a time to live. (NTP optional, but a set clock required
to use the TTL routes).
Also, bogon lists, especially the ones that have been prepared by
hand by someone so they can be cut/pasted into a router, should start
with a remark line that says something along the lines of **WARNING
DELETE AFTER FEB 2005! ** (Or, current date + 4 months). I realize a
lot of things can't be remarked, but any attempt to remark it, seems
like it would be a good idea. Some people don't read all the stuff
in the web page before they scroll down, and copy the bogon list.
Some people don't heed the warnings. Some people leave their job
after they put in bogons. Some people are router consultants, and
never see that router again. Some people are too busy putting out
fires and forget that 8 months have passed since they checked their
bogons.
And some people are just stupid. ;-)
A remark could go a long way to solving/preventing the problem when
the next person takes a look at the router's configuration.
The perfect solution to the bogon issue is constant diligence.
Getting a route feed is a good second choice. The third choice is
to not use bogon filters at all.
In a perfect world, those in charge of allowing routes in to the
global internet wouldn't allow bogons, because they would only allow
announcements that they've checked out ahead of time. And just like
packet ingress filtering, it's a solution that probably won't happen
any time soon.
-Jerry
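The two ideas in Jerry's post, a "DELETE AFTER <month year>" remark at the top of a hand-pasted bogon list and a check that the list is not filtering space that has since been allocated, can be mechanised on the operator side even without router support. The following is an added example, not code from the post or from Cisco: a small checker that parses IOS-style `access-list N remark ...` and `access-list N deny ip <net> <wildcard> any` lines, reads the expiry month from the remark, and flags any ACL that is past its date, has no expiry remark at all, or denies a prefix overlapping a block you now know to be allocated. The sample configuration and the `ALLOCATED` list are constructed for the example; the remark wording is the one Jerry proposes and is assumed, not an IOS convention.

```python
"""Checker for hand-maintained bogon ACLs carrying a 'DELETE AFTER' remark.

Added example, not from the NANOG post. Assumes IOS-style numbered ACL
syntax and a remark of the form '** WARNING DELETE AFTER FEB 2005 **'.
"""
import ipaddress
import re
from datetime import date

MONTHS = {m: i for i, m in enumerate(
    ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
     "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"], 1)}

# 'access-list 100 remark ** WARNING DELETE AFTER FEB 2005 **'
REMARK_RE = re.compile(
    r"access-list\s+(\d+)\s+remark\s+.*?DELETE AFTER\s+([A-Z]{3})\s+(\d{4})",
    re.IGNORECASE)
# 'access-list 100 deny ip 10.0.0.0 0.255.255.255 any'
DENY_RE = re.compile(
    r"access-list\s+(\d+)\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any", re.IGNORECASE)

# Constructed sample config: ACL 100 has the expiry remark and still blocks
# 72/8 (treated here as space that has since been allocated); ACL 101 was
# pasted in without any remark at all.
SAMPLE_CONFIG = """\
! constructed sample, not a real router configuration
access-list 100 remark ** WARNING DELETE AFTER FEB 2005 **
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 72.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
"""

# Constructed list of blocks assumed to be allocated at check time.
ALLOCATED = [ipaddress.ip_network("72.0.0.0/8")]


def wildcard_to_network(addr, wildcard):
    """Convert an IOS wildcard (inverted mask, e.g. 0.255.255.255) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    bits = wc.bit_length()
    if wc != (1 << bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - bits}", strict=False)


def parse_acl(config_text):
    """Return ({acl: expiry date}, {acl: [denied networks]}) from config text."""
    expiry, nets = {}, {}
    for line in config_text.splitlines():
        m = REMARK_RE.search(line)
        if m:
            num, mon, year = m.group(1), m.group(2).upper(), int(m.group(3))
            expiry[num] = date(year, MONTHS[mon], 1)
            continue
        m = DENY_RE.search(line)
        if m:
            num, addr, wc = m.groups()
            nets.setdefault(num, []).append(wildcard_to_network(addr, wc))
    return expiry, nets


def stale_acls(config_text, today, allocated):
    """List (acl, reason) findings: missing remark, past expiry, or a deny
    entry overlapping a block now known to be allocated."""
    expiry, nets = parse_acl(config_text)
    findings = []
    for num, entries in nets.items():
        exp = expiry.get(num)
        if exp is None:
            findings.append((num, "no DELETE AFTER remark"))
        elif today >= exp:
            findings.append((num, f"expired {exp:%b %Y}"))
        for net in entries:
            for alloc in allocated:
                if net.overlaps(alloc):
                    findings.append((num, f"{net} overlaps allocated {alloc}"))
    return findings


if __name__ == "__main__":
    for acl, reason in stale_acls(SAMPLE_CONFIG, date.today(), ALLOCATED):
        print(f"access-list {acl}: {reason}")
```

Run it from cron against the configs you archive anyway (RANCID or similar) and it turns the "remember to check the bogons" problem into a ticket; the `allocated` list is the part that still needs a human or a feed to keep current.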