Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

Joe Maimon jmaimon at ttec.com
Thu Jan 20 16:18:10 UTC 2005



David Barak wrote:

>--- Suresh Ramasubramanian <ops.lists at gmail.com>
>wrote:
>
>  
>
>>David Barak <thegameiam at yahoo.com> wrote:
>>    
>>
>>>While it says that bogon filters change, and
>>>      
>>>
>>provides
>>    
>>
>>>a URL to check it, what percentage of folks who
>>>      
>>>
>>would
>>    
>>
>>>use a feature like "autosecure" would ever update
>>>their filters?  
>>>
>>>      
>>>
>>What do they do to update that bogon list anyway -
>>push a new IOS image?
>>
>>    
>>
>
>That's a mighty fine question: the link I referenced
>is the most recent I was able to find, and its list of
>bogons is thoroughly out-of-date.  In the interest of
>long-term reachability, I would call on Cisco to
>remove the IANA-UNASSIGNED blocks from the autosecure
>filters.
>
>
>  
>
I think the last time this was hashed out here, there was a consensus 
that Cisco should not be promoting a feature that uses a static list for 
blackholing. The problem is with now-good-bogons bad enough as it is, 
even with a presumably competent admin responsible for the setup.

Perhaps Cisco could couple this with a scheduled scp to a server of 
choice, preferably Cisco's,  for an update checking feature. At that 
point I would think perhaps it has a bit more + than - to it.

At any rate it should NOT be tied to IOS images, the vast majority of 
those never get upgraded. Make ACLS be able to parse their rules from a 
file stored wherever. Just like that new DHCP static bindings from text 
file feature.

Joe



More information about the NANOG mailing list