nanog mailing list archives

Re: Bogon filtering (don't ban me)


From: "william(at)elan.net" <william () elan net>
Date: Sun, 5 Dec 2004 11:07:47 -0800 (PST)



On Sun, 5 Dec 2004, Joe Maimon wrote:

PF and bgpd with local filter table is good when you're expecting those
filtered ip routes to change often.

I don't understand this attitude. Automating everything that is safely
automatable is the only right way to do things. It's always worth it and
it is always good. Everyone has always professed to believe in this.

I completely agree about automatic updates. I just want to point out that
for data that rarely changes, and where such changes can easily be
accommodated when distributed within 24 hours, using BGP (which is
designed for rapid updates of routing data) is overkill.

In this case this is the exact cause of the problem the thread started
addressing: manual updates that don't keep up.

Once upon a time this was the argument of sendmail access database vs.
dnsbls. Once upon a time you were expected to manually update virus
definitions. Once upon a time you were expected to etc.; the list goes on.

And look at virus definitions: they do not get distributed immediately
to end-sites like BGP; instead local systems check with a remote server
once/day or once/week and automatically download new definitions.

Every "weekly" task an admin takes on manually adds up. It may be great 
job insurance but it starts to suck quick for anyone with half a brain.

Look at the webpage I listed; it mentions several times that updates
must be made automatically (or otherwise you should not bother) and includes
scripts that automatically recreate firewall scripts every week or every
day from the downloaded ip list.

As far as router vendors such as Cisco autosecure, I do not think there
is any way to make default access lists lossless. They should step up to
the plate and offer md5 by system serial number keyed multihop BGP
bogons in the manner of cymru. It's their responsibility. Also good that
it makes them eat even more of their own dogfood, which is probably ill
suited to this kind of thing.

Or they could offer a service to update relevant ios security config
(including access-list) from a remote server once/day/week. This would
be a lot easier than forcing everyone who needs this to do a BGP feed,
and it also takes care of security updates that require more than
just updating one specific access-list.

-- 
William Leibzon
Elan Networks
william () elan net
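One shape such a rebuild script can take, added here as an illustration and not taken from the thread or from the page William cites: a POSIX sh routine that turns a downloaded bogon list (a constructed sample below, not a real fetch) into pf table entries, dropping comments and malformed lines and refusing to emit anything when too few prefixes survive, so a failed or truncated download never silently replaces a working filter with an empty table. The function names and the sample data are assumptions.

```shell
#!/bin/sh
# Constructed sample of a downloaded bogon list (not a real fetch): comments,
# blank lines and one malformed entry, as a real download might contain.
BOGON_SAMPLE='# bogon list, constructed sample
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
not-a-prefix
192.168.0.0/16
'

# Validate one IPv4 prefix: four octets 0-255 and a length 0-32. Returns 0 if ok.
valid_prefix() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=0
    old_ifs=$IFS; IFS=.
    for o in $addr; do
        case "$o" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Read a raw list on stdin and print only valid prefixes, one per line.
# Refuse (return 1, print nothing) when fewer than MIN_ENTRIES survive, so a
# truncated or failed download cannot replace the live table with an empty one.
MIN_ENTRIES=3
build_table() {
    count=0
    out=
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        valid_prefix "$line" || continue
        out="$out$line
"
        count=$((count + 1))
    done
    [ "$count" -ge "$MIN_ENTRIES" ] || return 1
    printf '%s' "$out"
}
```

From cron, the validated output can be written to a file and loaded with `pfctl -t bogons -T replace -f <file>`, leaving the previous table in place whenever build_table fails.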
