Please Check Filters - BOGON Filtering IP Space

David Barak thegameiam at
Thu Jan 20 18:33:59 UTC 2005

--- "Chris A. Epler" <cepler at> wrote:

> Jared Mauch wrote:
> | I'm not saying this to trash cisco, many people there know that,
> | but the important thing is ensuring that the global internet isn't
> | further harmed, and as more allocations are done the harm becomes
> | greater and it hurts every single person in this industry, providers
> | and vendors alike.
> k, bit my tongue as much as I could...  But I gotta vent ;-P
> So, Cisco provides this 'AutoSecure' function and everyone jumps all
> over the static bogon list.  Why?  Hello?  The basic idea here is that
> it gets you decent out of the box setup defaults which you tailor after
> running it, right?  (NOTE: I haven't actually hit the AUTOSECURE button
> yet, just read a little about it)

Well, the problem is that the autosecure feature
introduces a static element (address filtering) into a
dynamic world (routing), in a way which is generally
considered "set and forget."

The target audience for autosecure is people who don't
have their own security people on staff, thus ensuring
that the filters will get out of date, and cause
mysterious reachability issues (mysterious, that is,
because no one will think of looking for the problem
in the router...)

> What's so bad about decent secure defaults?  I just see it as a shortcut
> to getting a router online, not a solution to security.

Getting a router online is giving it an IP address.
Translate from geek to English: when someone who is
not-so-technical hears "autosecure" the end result is
something like "automatic transmission" - i.e.
something which doesn't need to be played with except
once every few years.

> If you're implementing a new router and setting up Bogon filters

The argument is that autosecure SHOULDN'T set up bogon

> you should already know that they'll need to be updated regularly and
> should replace the access list with a refreshed one using the autosecure
> configuration as a TEMPLATE that you work off of.  If you don't know
> this, then you shouldn't be in charge of said router.  Am I missing
> something here???

The primary audience for the autosecure feature is
people who really don't quite get routers.  No, they
don't have any business with enable, but do they have
it?  Yes.

David Barak
Need Geek Rock?  Try The Franchise:
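As an added example (not part of this post or of the NANOG thread), the following Python script audits the failure mode described above: a static bogon access list that has drifted out of step with current allocations. It parses Cisco-style `deny ip <addr> <wildcard> any` lines, converts each wildcard mask to a prefix, and reports two things: deny entries no longer fully inside the current bogon list (space that has since been allocated, so the filter now drops legitimate traffic) and current bogon prefixes the list fails to cover. The ACL text and both prefix lists are constructed for illustration; the function names and the `BOGON-IN` list name are assumptions, and in practice the current list would be fetched from an authoritative, regularly refreshed source rather than hard-coded.

```python
import ipaddress
import re

# Constructed sample: a Cisco-style ingress ACL as a static bogon template
# might have written it years ago. Illustrative only, not a real device config.
STALE_ACL = """\
ip access-list extended BOGON-IN
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 14.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 permit ip any any
"""

# Constructed "current" bogon list (prefixes still unallocated or reserved).
# A real audit would pull this from an authoritative, regularly refreshed source.
CURRENT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "192.168.0.0/16", "224.0.0.0/4",
]

# Matches the simple "deny ip <source> <wildcard> any" form used above.
DENY_RE = re.compile(r"^\s*deny\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an IPv4Network.

    Cisco wildcards are inverted masks (0 bits = must match), so the
    subnet mask is the bitwise complement of the wildcard."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask).count("1")
    # Reject non-contiguous wildcards; they cannot be expressed as one prefix.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def parse_deny_prefixes(acl_text):
    """Return the list of networks denied by the ACL, in configured order."""
    nets = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            nets.append(wildcard_to_network(m.group(1), m.group(2)))
    return nets


def find_stale_entries(acl_text, current_bogons):
    """Deny entries not fully contained in any current bogon prefix.

    Such an entry covers space that is (or may now be) allocated, which is
    exactly the 'mysterious reachability issue' a forgotten filter causes."""
    current = [ipaddress.IPv4Network(p) for p in current_bogons]
    return [str(net) for net in parse_deny_prefixes(acl_text)
            if not any(net.subnet_of(c) for c in current)]


def find_missing_entries(acl_text, current_bogons):
    """Current bogon prefixes that no deny entry in the ACL covers."""
    denied = parse_deny_prefixes(acl_text)
    return [p for p in current_bogons
            if not any(ipaddress.IPv4Network(p).subnet_of(d) for d in denied)]


if __name__ == "__main__":
    for entry in find_stale_entries(STALE_ACL, CURRENT_BOGONS):
        print(f"STALE   : {entry} is no longer bogon space, remove the deny")
    for entry in find_missing_entries(STALE_ACL, CURRENT_BOGONS):
        print(f"MISSING : {entry} is bogon space the ACL does not cover")
```

The point of splitting the report into stale and missing entries is that the two failures have opposite consequences: a stale deny silently blackholes legitimate customers, while a missing deny merely lets some unrouteable source addresses through. Running a check like this on a schedule, rather than at install time only, is what turns a "set and forget" template into a maintained control.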

