Bogon filtering (don't ban me either)
Jerry Pasker
info at n-connect.net
Fri Dec 3 18:41:32 UTC 2004
>On Fri, 3 Dec 2004, Hank Nussbacher wrote:
>
>> "Blocks all IANA reserved IP address blocks"
>>
>> The actual doc:
>>
>><http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf>
>
>Surprise, surprise. The examples in that document are already out of date
>and filtering as bogons perfectly good IP space ARIN is handing out to
>members.
>
>The idea of a "default static bogon filter" being made part of IOS is a
>horrible idea. It's bad enough getting the places that went to the
>trouble of setting up bogon filters to update them. If everyone had them
>by default, that would likely break the Internet for significant numbers
>of people. How many customer routers do you have on your networks that
>were installed years ago and never upgraded? How out of date would their
>default bogon filters be now?
>
>----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
>_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Isn't the path to hell paved with good intentions?
It's not the first time Cisco routers have shipped with out of date
software in them, or known bugs/issues that pop up later to cause
problems. ;-) Seriously, I'm not knocking Cisco, I'm just telling
it like it is. If someone knows what they're doing they won't get
burned on it. There are a lot of other IOS commands/options that can
be turned on to screw networks up much worse. I don't fault Cisco
for giving people the option. It should have a warning, though, when
enabled, that it is out of date and will break things.
Just thinking out loud here:
If Cisco wanted to do something related to bogon filtering, they
should make routes that expire/self delete after a certain date.
Routes with a time to live. (NTP optional, but a set clock required
to use the TTL routes).
Also, bogon lists, especially the ones that have been prepared by
hand by someone so they can be cut/pasted into a router, should start
with a remark line that says something along the lines of **WARNING
DELETE AFTER FEB 2005! ** (Or, current date + 4 months). I realize a
lot of things can't be remarked, but any attempt to remark it seems
like it would be a good idea. Some people don't read all the stuff
in the web page before they scroll down, and copy the bogon list.
Some people don't heed the warnings. Some people leave their job
after they put in bogons. Some people are router consultants, and
never see that router again. Some people are too busy putting out
fires and forget that 8 months have passed since they checked their
bogons.
And some people are just stupid. ;-)
A remark could go a long way to solving/preventing the problem when
the next person takes a look at the router's configuration.
The perfect solution to the bogon issue is constant diligence.
Getting a route feed is a good second choice. The third choice is
to not use bogon filters at all.
In a perfect world, those in charge of allowing routes into the
global internet wouldn't allow bogons, because they would only allow
announcements that they've checked out ahead of time. And just like
packet ingress filtering, it's a solution that probably won't happen
any time soon.
-Jerry
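The "DELETE AFTER" remark proposed above only helps if something, or someone, actually reads it later. The following is an added example, not code from the post or from Cisco: a small Python checker that scans a Cisco-style extended ACL for such a remark, works out when the list goes stale, and summarises the prefixes it denies. The ACL text is a constructed sample, the remark format (`DELETE AFTER <MON> <YYYY>`) is the one the post suggests, and the listed prefixes are illustrative only; they say nothing about real allocation status.

```python
"""Stale-bogon-list check for a hand-pasted ACL (added example, not from the post)."""
import ipaddress
import re
from datetime import date

# Constructed sample: an extended ACL as someone might paste it into a router,
# carrying the "DELETE AFTER" remark the post proposes. Prefixes are illustrative.
SAMPLE_ACL = """\
ip access-list extended bogons
 remark **WARNING DELETE AFTER FEB 2005!**
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 198.51.100.0 0.0.0.255 any
 permit ip any any
"""

MONTHS = {m: i for i, m in enumerate(
    ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
     "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"], start=1)}

# Matches the remark wording suggested in the post; assumed format, not an IOS convention.
EXPIRY_RE = re.compile(r"DELETE\s+AFTER\s+([A-Z]{3})\s+(\d{4})", re.IGNORECASE)


def parse_expiry(config_text):
    """Return the date from which the list counts as stale (first day of the month
    after the one named in the first DELETE AFTER remark), or None if no remark."""
    for line in config_text.splitlines():
        if not line.strip().lower().startswith("remark"):
            continue
        m = EXPIRY_RE.search(line)
        if m:
            month = MONTHS[m.group(1).upper()]
            year = int(m.group(2))
            # "delete after FEB 2005" means stale from 1 March 2005 onward
            if month == 12:
                return date(year + 1, 1, 1)
            return date(year, month + 1, 1)
    return None


def deny_prefixes(config_text):
    """Collect the networks denied by 'deny ip <net> <wildcard> any' lines as CIDR strings.
    The wildcard (hostmask) form is converted with the ipaddress module."""
    prefixes = []
    for line in config_text.splitlines():
        parts = line.split()
        if (len(parts) >= 5 and parts[0].lower() == "deny"
                and parts[1].lower() == "ip" and parts[-1].lower() == "any"):
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            prefixes.append(str(net))
    return prefixes


def check_bogon_acl(config_text, today):
    """Classify the ACL as 'no-expiry', 'expired' or 'current' relative to `today`,
    and report how many days remain and which prefixes it blocks."""
    expiry = parse_expiry(config_text)
    prefixes = deny_prefixes(config_text)
    if expiry is None:
        return {"status": "no-expiry", "expiry": None,
                "days_left": None, "denies": prefixes}
    days_left = (expiry - today).days
    status = "expired" if days_left <= 0 else "current"
    return {"status": status, "expiry": expiry,
            "days_left": days_left, "denies": prefixes}


if __name__ == "__main__":
    for when in (date(2004, 12, 3), date(2005, 8, 1)):
        result = check_bogon_acl(SAMPLE_ACL, when)
        print(f"as of {when}: {result['status']}, "
              f"{result['days_left']} day(s) left, blocking {result['denies']}")
```

Run against a real config export, an ACL with no remark at all is the case worth alerting on loudest: there is no way to tell from the router how old the list is, which is exactly the situation the post describes.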