nanog mailing list archives
Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
From: David Barak <thegameiam () yahoo com>
Date: Thu, 20 Jan 2005 10:33:59 -0800 (PST)
--- "Chris A. Epler" <cepler () HostMySite com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jared Mauch wrote:
> | I'm not saying this to trash cisco, many people there know that,
> | but the important thing is insuring that the global internet isn't
> | further harmed, and as more allocations are done the harm becomes
> | greater and it hurts every single person in this industry, providers
> | and vendors alike.
>
> k, bit my tongue as much as I could... But I gotta vent ;-P
>
> So, Cisco provides this 'AutoSecure' function and everyone jumps all over the static bogon list. Why? Hello? The basic idea here is that it gets you decent out of the box setup defaults which you tailor after running it, right? (NOTE: I haven't actually hit the AUTOSECURE button yet, just read a little about it)
Well, the problem is that the autosecure feature introduces a static element (address filtering) into a dynamic world (routing), in a way which is generally considered "set and forget." The target audience for autosecure is people who don't have their own security people on staff, thus ensuring that the filters will get out of date, and cause mysterious reachability issues (mysterious, that is, because no one will think of looking for the problem in the router...)
> What's so bad about decent secure defaults? I just see it as a shortcut to getting a router online, not a solution to security.
Getting a router online is giving it an IP address. Translate from geek to English: when someone who is not-so-technical hears "autosecure" the end result is something like "automatic transmission" - i.e. something which doesn't need to be played with except once every few years.
> If you're implementing a new router and setting up Bogon filters
The argument is that autosecure SHOULDN'T set up bogon filters.
> you should already know that they'll need to be updated regularly and should replace the access list with a refreshed one using the autosecure configuration as a TEMPLATE that you work off of. If you don't know this, then you shouldn't be in charge of said router. Am I missing something here???
The primary audience for the autosecure feature is people who really don't quite get routers. No, they don't have any business with enable, but do they have it? yes.

=====
David Barak
Need Geek Rock? Try The Franchise:
http://www.listentothefranchise.com
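
The failure mode discussed in this message, a static bogon list that keeps denying address space after it has been allocated, can be audited offline. The following is an added example, not part of the original post and not Cisco's code; the ACL text, the ACL number and the function names are constructed for illustration, and only the prefix 72.14.128.0/19 comes from the thread subject.

```python
import ipaddress
import re

# Constructed sample of a static, IOS-style bogon ACL (illustrative entries,
# not output captured from AutoSecure).
STATIC_ACL = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 72.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
"""

# Constructed sample of prefixes now allocated and routed; 72.14.128.0/19 is
# the block named in the thread subject.
ALLOCATED = ["72.14.128.0/19"]

DENY_RE = re.compile(r"^access-list\s+\d+\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert an address plus inverse (wildcard) mask to an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # set bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def stale_entries(acl_text, allocated):
    """Return (acl_line, denied_net, allocated_net) for every deny entry
    that overlaps address space now in legitimate use."""
    live = [ipaddress.ip_network(p) for p in allocated]
    hits = []
    for line in acl_text.splitlines():
        m = DENY_RE.match(line.strip())
        if not m:
            continue  # permit lines, remarks, blank lines
        denied = wildcard_to_network(m.group(1), m.group(2))
        hits.extend((line.strip(), denied, net) for net in live if denied.overlaps(net))
    return hits


if __name__ == "__main__":
    for line, denied, net in stale_entries(STATIC_ACL, ALLOCATED):
        print(f"STALE: {denied} blocks allocated {net}  <- {line}")
```

Run against a router's saved configuration and a current allocation list, a non-empty result points at the router as the cause of the "mysterious" reachability problem described above.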