Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
Valdis.Kletnieks at vt.edu
Valdis.Kletnieks at vt.edu
Thu Jan 20 18:44:04 UTC 2005
On Thu, 20 Jan 2005 13:20:45 EST, "Chris A. Epler" said:
> Whats so bad about decent secure defaults? I just see it as a shortcut
> to getting a router online, not a solution to security. If you're
> implementing a new router and setting up Bogon filters you should
> already know that they'll need to be updated regularly and should
> replace the access list with a refreshed one using the autosecure
> configuration as a TEMPLATE that you work off of. If you don't know
> this, then you shouldn't be in charge of said router. Am I missing
> something here???
Only thing you're missing is that "shouldn't be in charge of said router"
describes a nice-to-dream-about but nonexistent state of affairs.
I'll go out on a limb and say that 3/4 of the Cisco routers in production use
are managed by unqualified network monkeys employed by the leaf sites. The fact
that they get one interface connected to their local LAN, and the other
interface connected to the fractional T-1 back to the ISP, and that packets
make it from the LAN to www.google.com and back is amazing enough. Expecting
them to do things like proper inbound bogon filtering and outbound 1918 egress
filtering is pushing it...
In other words, the only people who are likely to *use* the autosecure feature
are people who (a) will Get It Wrong (either at initial config, or failure to
update it regularly), (b) aren't reading this list anyhow (or any other
place where they're likely to see the "Update your bogons" mantra), and
(c) indeed shouldn't have "enable".
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20050120/25ad4443/attachment.sig>
More information about the NANOG
mailing list