Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
Joe Maimon
jmaimon at ttec.com
Thu Jan 20 16:18:10 UTC 2005
David Barak wrote:
>--- Suresh Ramasubramanian <ops.lists at gmail.com> wrote:
>
>>David Barak <thegameiam at yahoo.com> wrote:
>>
>>>While it says that bogon filters change, and provides
>>>a URL to check it, what percentage of folks who would
>>>use a feature like "autosecure" would ever update
>>>their filters?
>>
>>What do they do to update that bogon list anyway -
>>push a new IOS image?
>
>That's a mighty fine question: the link I referenced
>is the most recent I was able to find, and its list of
>bogons is thoroughly out-of-date. In the interest of
>long-term reachability, I would call on Cisco to
>remove the IANA-UNASSIGNED blocks from the autosecure
>filters.

I think the last time this was hashed out here, there was a consensus
that Cisco should not be promoting a feature that uses a static list for
blackholing. The problem with now-good-bogons is bad enough as it is,
even with a presumably competent admin responsible for the setup.
Perhaps Cisco could couple this with a scheduled scp to a server of
choice, preferably Cisco's, for an update checking feature. At that
point I would think perhaps it has a bit more + than - to it.
At any rate it should NOT be tied to IOS images; the vast majority of
those never get upgraded. Make ACLs be able to parse their rules from a
file stored wherever. Just like that new DHCP static bindings from text
file feature.
Joe
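
An added example, not part of the original message and not Cisco's code: an audit that parses the deny entries of a static bogon ACL and reports any that now overlap allocated address space, the failure this thread describes for 72.14.128.0/19. The ACL text, the covering 72.0.0.0/8 entry and the second allocated prefix are constructed assumptions; in practice the allocated list would come from a current registry or bogon feed.

```python
import ipaddress

# Constructed sample: a static bogon ACL as it might sit in a router config.
# The 72.0.0.0/8 entry is an assumed stand-in for a formerly unassigned block.
STATIC_ACL = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 72.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
"""

# Constructed sample of prefixes that are allocated today.
# 72.14.128.0/19 is the block named in this thread; the other is a placeholder.
ALLOCATED = ["72.14.128.0/19", "203.0.113.0/24"]


def parse_deny_sources(acl_text):
    """Return the source networks of 'deny ip <addr> <wildcard> ...' lines."""
    nets = []
    for line in acl_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "access-list" and f[2:4] == ["deny", "ip"]:
            # ipaddress accepts an IOS-style wildcard (host mask) after the slash.
            nets.append(ipaddress.ip_network(f"{f[4]}/{f[5]}"))
    return nets


def stale_entries(acl_text, allocated):
    """Map each deny entry to the allocated prefixes it would blackhole."""
    alloc = [ipaddress.ip_network(p) for p in allocated]
    hits = {}
    for deny in parse_deny_sources(acl_text):
        blocked = [str(a) for a in alloc if a.overlaps(deny)]
        if blocked:
            hits[str(deny)] = blocked
    return hits


if __name__ == "__main__":
    for deny, blocked in stale_entries(STATIC_ACL, ALLOCATED).items():
        print(f"stale bogon entry {deny} blocks allocated space: {blocked}")
```

Run on a schedule against a freshly fetched allocation list, a check of this kind flags entries to remove without waiting for a software image upgrade.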