North American Network Operators Group

Re: Please Check Filters - BOGON Filtering IP Space

  • From: Valdis.Kletnieks
  • Date: Thu Jan 20 13:45:27 2005

On Thu, 20 Jan 2005 13:20:45 EST, "Chris A. Epler" said:

> What's so bad about decent secure defaults?  I just see it as a shortcut
> to getting a router online, not a solution to security.  If you're
> implementing a new router and setting up Bogon filters you should
> already know that they'll need to be updated regularly and should
> replace the access list with a refreshed one using the autosecure
> configuration as a TEMPLATE that you work off of.  If you don't know
> this, then you shouldn't be in charge of said router.  Am I missing
> something here???

Only thing you're missing is that "shouldn't be in charge of said router"
describes a nice-to-dream-about but nonexistent state of affairs.

I'll go out on a limb and say that 3/4 of the Cisco routers in production use
are managed by unqualified network monkeys employed by the leaf sites. The fact
that they get one interface connected to their local LAN, and the other
interface connected to the fractional T-1 back to the ISP, and that packets
make it from the LAN to and back is amazing enough. Expecting
them to do things like proper inbound bogon filtering and outbound 1918 egress
filtering is pushing it...

In other words, the only people who are likely to *use* the autosecure feature
are people who (a) will Get It Wrong (either at initial config, or failure to
update it regularly), (b) aren't reading this list anyhow (or any other
place where they're likely to see the "Update your bogons" mantra), and
(c) indeed shouldn't have "enable".
