nanog mailing list archives

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19


From: Valdis.Kletnieks () vt edu
Date: Thu, 20 Jan 2005 13:44:04 -0500

On Thu, 20 Jan 2005 13:20:45 EST, "Chris A. Epler" said:

What's so bad about decent secure defaults?  I just see it as a shortcut
to getting a router online, not a solution to security.  If you're
implementing a new router and setting up Bogon filters you should
already know that they'll need to be updated regularly and should
replace the access list with a refreshed one using the autosecure
configuration as a TEMPLATE that you work off of.  If you don't know
this, then you shouldn't be in charge of said router.  Am I missing
something here???

Only thing you're missing is that "shouldn't be in charge of said router"
describes a nice-to-dream-about but nonexistent state of affairs.

I'll go out on a limb and say that 3/4 of the Cisco routers in production use
are managed by unqualified network monkeys employed by the leaf sites. The fact
that they get one interface connected to their local LAN, and the other
interface connected to the fractional T-1 back to the ISP, and that packets
make it from the LAN to www.google.com and back is amazing enough. Expecting
them to do things like proper inbound bogon filtering and outbound 1918 egress
filtering is pushing it...

In other words, the only people who are likely to *use* the autosecure feature
are people who (a) will Get It Wrong (either at initial config, or failure to
update it regularly), (b) aren't reading this list anyhow (or any other
place where they're likely to see the "Update your bogons" mantra), and
(c) indeed shouldn't have "enable".


