On Fri, 3 Dec 2004, Hank Nussbacher wrote:
"Blocks all IANA reserved IP address blocks"
The actual doc:
<http://niatec.info/mediacontent/cisco/media/targets/resources_mod07/7_1_2_AutoSecure.pdf>
Surprise, surprise. The examples in that document are already out of date and filtering as bogons perfectly good IP space ARIN is handing out to members.
The idea of a "default static bogon filter" being made part of IOS is a horrible idea. It's bad enough getting the places that went to the trouble of setting up bogon filters to update them. If everyone had them by default, that would likely break the Internet for signifigant numbers of people. How many customer routers do you have on your networks that were installed years ago and never upgraded? How out of date would their default bogon filters be now?
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Isn't the path to hell is paved with good intentions? It's not the first time Cisco routes have shipped with out of date software in them, or known bugs/issues that pop up later to cause problems. ;-) Seriously, I'm not knocking Cisco, I'm just telling it like it is. If someone knows what they're doing they won't get burned on it. There are a lot of other IOS commands/options that can be turned on to screw networks up much worse. I don't fault Cisco for giving people the option. It should have a warning though, when enabled that it is out of date and will break things. Just thinking out loud here: If Cisco wanted to do something related to bogon filtering, they should make routes that expire/self delete after a certain date. Routes with a time to live. (NTP optional, but a set clock required to use the TTL routes). Also, bogon lists, especially the ones that have been prepared by hand by someone so they can be cut/pasted into a router, should start with a remark line that says something along the lines of **WARNING DELETE AFTER FEB 2005! ** (Or, current date+ 4 months). I realize a lot of things can't be remarked, but any attempt to remark it, seems like it would be a good idea. Some people don't read all the stuff in the web page before they scroll down, and copy the bogon list. Some people don't heed the warnings. Some people leave their job after they put in bogons. Some people are router consultants, and never see that router again. Some people are too busy putting out fires and forget that 8 months have passed since they checked their bogons. And some people are just stupid. ;-) A remark could go a long way to solving/preventing the problem when the next person takes a look at the router's configuration. The perfect solution to the bogon issue is constant diligence. Getting a route feed is a good seccond choice. The third choice is to not use bogon filters at all. In a perfect world, those in charge of allowing routes in to the global internet wouldn't allow bogons, because they would only allow announcements that they've checked out ahead of time. And just like packet ingress filtering, it's a solution that probably won't happen any time soon. -Jerry