[76192] in North American Network Operators' Group


Re: Bogon filtering (don't ban me)

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Fri Dec 3 03:20:07 2004

From: Jeroen Massar <jeroen@unfix.org>
To: Hank Nussbacher <hank@mail.iucc.ac.il>
Cc: "william(at)elan.net" <william@elan.net>, nanog@nanog.org
In-Reply-To: <Pine.LNX.4.58.0412030911300.29732@efes.iucc.ac.il>
Date: Fri, 03 Dec 2004 09:16:42 +0100
Errors-To: owner-nanog-outgoing@merit.edu



On Fri, 2004-12-03 at 09:23 +0200, Hank Nussbacher wrote:
> In Ciscoland it's called Autosecure (IOS 12.3):
> http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/cas11_ds.htm
>
> "Blocks all IANA reserved IP address blocks"
>
> The actual doc:
> <http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf>
>
> Problem is, I still do not see that Cisco has a way of auto-updating a
> router that has used autosec_complete_bogon or
> autosec_iana_reserved_block.

They most likely have not (could not find it in the above docs at least).

The thing with the draft below is that it can also be used to spread your
own filters into the network and thus use it for e.g. blackholing features
and quite a number of other odd occasions.

A full auto-distribution of configs (inc. filters etc.) is most likely
more interesting though.

> -Hank
>
> > We've proposed what vendors need to better support bogon filtering, even
> > wrote a draft:
> >   http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt
> > but last time I talked to cisco ios person (which was just two weeks ago
> > at IPv6 Summit), it still has not been done. Perhaps couple more people
> > who buy their hardware asking them about it will make a difference ...

I will most likely add this to the BGP part of the upcoming new ecmh.

Greets,
 Jeroen

