nanog mailing list archives

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


From: Sean Donelan <sean () donelan com>
Date: Wed, 16 Feb 2005 17:27:23 -0500 (EST)


On Wed, 16 Feb 2005, Kunjal Trivedi wrote:
> Due to the feedback we've received on the Autosecure bogon list issue, we've
> decided to do the following:
>
> 1) Provide a fix that removes bogon ACL creation and deployment from the
> Autosecure feature.  This change will be available in mainline and
> maintenance software releases. For the software release details, please
> refer to 2.
>
> 2) A Cisco Field Notice will be published to inform customers of the change
> and will contain instructions on how to remove the bogon ACLs created by
> executing the autosecure command.
>
> We'll update the list with the Field Notice URL as soon as it's available.
> Tentative date for FN posting is 18th February 2005.

The pendulum swings too far in the other direction.

Martian addresses are relatively static, and might be good candidates for
one-click security.  If you see a 127.0.0.0/8 packet floating around, it's
probably up to no good.

The objection is naive people assuming all the addresses on the list are
the same, in particular what Team Cymru calls "Bogons."  Bogon filters
should only be configured by people who understand what they are doing.
Bogon lists, as opposed to Martian lists, are probably not a good thing
for cookbook security or one-click auto-configure.
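
The Martian/bogon distinction drawn in the message above, as an added example that is not part of the original message or of any Cisco tooling: it parses a constructed IOS-style ACL and separates static Martian denies from allocation-dependent entries, flagging in-use space (here the 72.14.128.0/19 from the thread subject) that a stale entry would drop. The ACL number 199, the 72.0.0.0/8 entry and the contents of the Martian set are assumptions made for the sketch.

```python
import ipaddress

# Static special-use ranges treated as "Martian" sources at an Internet edge.
# This set is an assumption for the sketch; adjust it to your own policy.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]

# Constructed sample ACL (hypothetical number 199), not output from any device.
SAMPLE_ACL = """\
access-list 199 deny ip 127.0.0.0 0.255.255.255 any
access-list 199 deny ip 10.0.0.0 0.255.255.255 any
access-list 199 deny ip 192.168.0.0 0.0.255.255 any
access-list 199 deny ip 72.0.0.0 0.255.255.255 any
access-list 199 deny ip 224.0.0.0 31.255.255.255 any
access-list 199 permit ip any any
"""

def parse_deny(line):
    """Source network of 'access-list N deny ip SRC WILDCARD any', else None."""
    tok = line.split()
    if len(tok) != 7 or tok[0] != "access-list" or tok[2:4] != ["deny", "ip"]:
        return None
    # ipaddress accepts the IOS wildcard (host mask) form directly.
    return ipaddress.ip_network(f"{tok[4]}/{tok[5]}")

def audit(acl_text, in_use):
    """Split deny entries into static Martians and allocation-dependent bogons,
    and report in-use prefixes that a bogon entry would drop."""
    keep, review, collateral = [], [], {}
    live = [ipaddress.ip_network(p) for p in in_use]
    for line in acl_text.splitlines():
        net = parse_deny(line)
        if net is None:
            continue
        if any(net.subnet_of(m) for m in MARTIANS):
            keep.append(str(net))
            continue
        review.append(str(net))
        hit = [str(p) for p in live if p.overlaps(net)]
        if hit:
            collateral[str(net)] = hit
    return keep, review, collateral

if __name__ == "__main__":
    keep, review, collateral = audit(SAMPLE_ACL, ["72.14.128.0/19"])
    print("static Martian entries:", keep)
    print("needs allocation check:", review)
    print("in-use space being dropped:", collateral)
```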

