How many backbones here are filtering the makelovenotspam screensaver site?

Andre Oppermann nanog-list at nrg4u.com
Fri Dec 3 09:57:15 UTC 2004


Hank Nussbacher wrote:
> On Fri, 3 Dec 2004, Elmar K. Bins wrote:
> 
>>And while Cisco's autosecure feature looks fine in most parts (saves
>>a lazy overworked bum like me a lot of typing), it does not do much
>>good - in my opinion - when it comes to bogon filtering. I prefer
>>knowing what the filter looks like, and it does not seem to give me
>>that, nor any way of modifying the list (correct me if I'm wrong).
> 
> See pages 9, 10 and 12 of the PDF I posted.  Specifically, it
> sets up: "ip access-list extended autosec_iana_reserved_block", and "ip
> access-list extended autosec_complete_bogon" which you of course can
> change like any other ACL.

This is broken by design.

Routers would ship with the iana_reserved_block list of when they were
manufactured.  If the user is stoopid enough not to be able to get his
filters from Cymru directly then he should not have any filtering at all
because he is never going to update it anyway in the future.  Ergo lots
of black holes for newly allocated address spaces to the RIRs.

The cure will be far worse than the disease if routers would come with
pre-configured bogon lists.

And you are missing a big point: what bogons are bogons?  In an enterprise
setup the RFC1918 space (10/8, 172.16/12, 192.168/16) is most likely not
a bogon while it most likely is for an ISP.  Breaks right here.

On top of that it is solving a non-problem.  There is only a little junk
coming from the non-IANA-allocated ranges.  And that is easily taken
care of by filtering inbound traffic at the customer edges (i.e. allow
customers to send only traffic with source IPs out of the assigned
IP range).

If you do any bogon filtering at all then do it with some automatically
updating system like a BGP bogon feed from Cymru.

-- 
Andre
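The two objections above (a shipped bogon ACL goes stale as RIRs receive new allocations, and RFC1918 is only a bogon in some deployments) as an added worked example; this is not code from the thread or from Cisco. The ACL text and the "newly allocated" prefixes are constructed samples, and the ACL name is hypothetical, not the real autosec list.

```python
import ipaddress
import re

# Constructed sample: a static bogon ACL of the kind a router might ship with,
# in Cisco IOS extended-ACL syntax (address + wildcard mask). The name and the
# entries are hypothetical, not the real autosec_complete_bogon contents.
SHIPPED_ACL = """\
ip access-list extended example_shipped_bogon
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 203.0.112.0 0.0.15.255 any
 permit ip any any
"""

# Constructed sample of prefixes allocated after the router was manufactured
# (documentation ranges used as stand-ins, not real RIR allocations).
NEWLY_ALLOCATED = ["203.0.113.0/24", "198.51.100.0/24"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DENY_RE = re.compile(r"^\s*deny ip (\S+) (\S+) any\s*$")


def parse_denied_prefixes(acl_text):
    """Turn each 'deny ip A.B.C.D wildcard any' line into an ip_network."""
    nets = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            addr, wildcard = m.groups()
            # ipaddress accepts an IOS wildcard as a host mask after the slash
            nets.append(ipaddress.ip_network(f"{addr}/{wildcard}", strict=False))
    return nets


def stale_entries(acl_text, allocated):
    """Denied prefixes that now overlap allocated space: each one is a black
    hole for a legitimate network until someone edits the router by hand."""
    alloc = [ipaddress.ip_network(a) for a in allocated]
    return [n for n in parse_denied_prefixes(acl_text)
            if any(n.overlaps(a) for a in alloc)]


def context_dependent_entries(acl_text):
    """Entries covering RFC1918 space: a bogon on an ISP edge, but not in an
    enterprise, so flag them for review rather than applying them blindly."""
    return [n for n in parse_denied_prefixes(acl_text)
            if any(n.overlaps(r) for r in RFC1918)]
```

Run against a live allocation list (for example the Cymru bogon feed the post recommends) instead of the constructed one, the same check shows how far a static list has drifted.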
