[61852] in North American Network Operators' Group
RE: What were we saying about edge filtering?
daemon@ATHENA.MIT.EDU (Terry Baranski)
Sat Sep 6 17:55:02 2003
From: "Terry Baranski" <tbaranski@mail.com>
To: "'Adam Debus'" <nanog@delsol.net>, <nanog@merit.edu>
Date: Sat, 6 Sep 2003 17:54:13 -0400
In-Reply-To: <012301c3730a$ceeef5a0$e2e8b1d8@adam>
Errors-To: owner-nanog-outgoing@merit.edu
> > Sean Donelan wrote:
> >
> > It gets even worse. Cisco has hard-coded the list of
> > Bogons into some of its latest low-end IOS versions as
> > part of its "auto-secure" feature. Yes, Cisco includes
> > warnings in the manual the user should check the official
> > list at IANA; but I also know the power of defaults.
> > People upgrade their IOS versions even less often than
> > they update their Windows boxes. So we're going to see
> > chunks of the net blocked depending on the release date
> > of versions of IOS.
>
> Adam Debus wrote:
>
> Do you have a reference page as to what
> platforms/releases/release trains that is being applied to?
>
> Seems like it might be a handy list to have bookmarked. :)

Per
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html,
it was introduced in 12.3 mainline. It's anyone's guess where it will
end up from there, but note that it's already in a service provider
train (12.2(18)S). So we may (or probably will?) end up with ISPs using
the bogon-list feature as well.

If one upgrades from version A of Autosecure-enabled IOS to version B of
Autosecure-enabled IOS, will the bogon-list ACLs in the device's
configuration be automatically updated? Or will the user have to
disable and then re-enable Autosecure?

Is this progress? Or is this something that "seemed like a good idea at
the time"?

-Terry
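
The failure mode discussed in this thread, a bogon ACL frozen at software release time while IANA keeps allocating address space, can be audited mechanically. The following is an added example, not part of the original message and not Cisco code; the ACL name `BOGON-IN`, the sample configuration and the `ALLOCATED` list are constructed, and in practice the allocated prefixes would come from the current IANA registry.

```python
import ipaddress

# Constructed sample: a static ingress bogon ACL (hypothetical name BOGON-IN).
SAMPLE_ACL = """\
ip access-list extended BOGON-IN
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip host 192.0.2.1 any
 permit ip any any
"""

# Constructed stand-in for "prefixes IANA has allocated since the list was frozen".
ALLOCATED = ["1.0.0.0/8", "5.0.0.0/8", "100.0.0.0/8"]

def wildcard_to_network(addr, wildcard):
    """Cisco address + wildcard mask -> IPv4Network, or None if the mask is non-contiguous."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):          # contiguous wildcard masks have the form 2**n - 1
        return None
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))

def parse_denies(acl_text):
    """Return (line, network) for each 'deny ip <source> ...' entry."""
    out = []
    for raw in acl_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[:2] != ["deny", "ip"] or tok[2] == "any":
            continue
        if tok[2] == "host":
            net = ipaddress.IPv4Network(tok[3] + "/32")
        else:
            net = wildcard_to_network(tok[2], tok[3])
        if net is not None:    # non-contiguous masks are skipped, not guessed at
            out.append((raw.strip(), net))
    return out

def stale_entries(acl_text, allocated):
    """Deny entries whose source range overlaps a now-allocated prefix."""
    alloc = [ipaddress.ip_network(p) for p in allocated]
    return [(line, str(a)) for line, net in parse_denies(acl_text)
            for a in alloc if net.overlaps(a)]

if __name__ == "__main__":
    for line, prefix in stale_entries(SAMPLE_ACL, ALLOCATED):
        print(f"STALE: '{line}' blocks allocated space {prefix}")
```

Run against each router's saved configuration after every IANA allocation announcement, this flags deny entries that need removal regardless of which software release generated them.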