joshua sahala jejs at
Thu Jan 20 18:39:47 UTC 2005

On (20/01/05 13:20), Chris A. Epler wrote:
> What's so bad about decent secure defaults?

 secure defaults are good...but there are other aspects of cisco ios which
 would be better suited to be disabled out of the box:  redirects, proxy 
 arp, tcp/udp small-servers, the lack of decent ssh (this is getting
 better), lack of receive acls on all but the big boxen, etc...these are a
 few things which would be better to have out of the box.

> If you're implementing a new router and setting up Bogon filters you 
> should already know that they'll need to be updated regularly

 read the beginning of this thread - people implement bogon filters
 without keeping them up to date already.  this is just another mechanism
 to do the same thing (but on a larger scale).

> If you don't know this, then you shouldn't be in charge of said router.
> Am I missing something here???

 in an ideal world, yes, this would be true; however we all know the
 reality of this.  there are already secure config templates available
 which people follow without actually knowing the implications of.  one
 more 'feature' in ios will go unnoticed by most, and thus will be left
 out of date...that was, i believe, jared's point.


