[77442] in North American Network Operators' Group


Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

daemon@ATHENA.MIT.EDU (Joe Maimon)
Thu Jan 20 11:20:06 2005

Date: Thu, 20 Jan 2005 11:18:10 -0500
From: Joe Maimon <jmaimon@ttec.com>
To: David Barak <thegameiam@yahoo.com>
Cc: Suresh Ramasubramanian <ops.lists@gmail.com>, rsears@adnc.com,
	kurt@amnh.org, nanog@merit.edu
In-Reply-To: <20050120152936.30633.qmail@web14921.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu




David Barak wrote:

>--- Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
>
>>David Barak <thegameiam@yahoo.com> wrote:
>>
>>>While it says that bogon filters change, and provides
>>>a URL to check it, what percentage of folks who would
>>>use a feature like "autosecure" would ever update
>>>their filters?
>>
>>What do they do to update that bogon list anyway -
>>push a new IOS image?
>
>That's a mighty fine question: the link I referenced
>is the most recent I was able to find, and its list of
>bogons is thoroughly out-of-date.  In the interest of
>long-term reachability, I would call on Cisco to
>remove the IANA-UNASSIGNED blocks from the autosecure
>filters.

I think the last time this was hashed out here, there was a consensus 
that Cisco should not be promoting a feature that uses a static list for 
blackholing. The problem with now-good-bogons is bad enough as it is, 
even with a presumably competent admin responsible for the setup.

Perhaps Cisco could couple this with a scheduled scp to a server of 
choice, preferably Cisco's,  for an update checking feature. At that 
point I would think perhaps it has a bit more + than - to it.

At any rate it should NOT be tied to IOS images; the vast majority of 
those never get upgraded. Make ACLs be able to parse their rules from a 
file stored wherever. Just like that new DHCP static bindings from text 
file feature.

Joe
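
Added example, not part of the original message: a file-driven check that compares a frozen bogon list against a refreshed one and reports which frozen entries would still drop 72.14.128.0/19. Both prefix lists are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: a bogon list frozen into a device config, and a
# fresher copy as it might be pulled from an update server.
STATIC_BOGONS = """
# frozen at config time
0.0.0.0/8
10.0.0.0/8
72.0.0.0/8
127.0.0.0/8
192.168.0.0/16
"""
CURRENT_BOGONS = """
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.168.0.0/16
"""

def parse_prefixes(text):
    """Parse one prefix per line; skip blanks and '#' comments; reject junk."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/8)
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad prefix {line!r}") from exc
    return nets

def stale_entries(static, current):
    """Static entries that the current bogon list no longer covers."""
    return [s for s in static if not any(s.subnet_of(c) for c in current)]

def blocking_entries(prefix, bogons):
    """Bogon entries that overlap the given (now allocated) prefix."""
    p = ipaddress.ip_network(prefix)
    return [b for b in bogons if b.overlaps(p)]

if __name__ == "__main__":
    static = parse_prefixes(STATIC_BOGONS)
    current = parse_prefixes(CURRENT_BOGONS)
    print("stale:", [str(n) for n in stale_entries(static, current)])
    print("drops 72.14.128.0/19:",
          [str(n) for n in blocking_entries("72.14.128.0/19", static)])
```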
