Hank Nussbacher wrote:
> On Fri, 3 Dec 2004, Elmar K. Bins wrote:
> > And while Cisco's autosecure feature looks fine in most parts (saves a lazy overworked bum like me a lot of typing), it does not do much good - in my opinion - when it comes to bogon filtering. I prefer knowing what the filter looks like, and it does not seem to give me that, nor any way of modifying the list (correct me if I'm wrong).
>
> See pages 9, 10 and 12 of the PDF I posted. Specifically, it sets up "ip access-list extended autosec_iana_reserved_block" and "ip access-list extended autosec_complete_bogon", which you of course can change like any other ACL.

This is broken by design. Routers would ship with the iana_reserved_block list of when they were manufactured. If the user is stoopid enough not to be able to get his filters from Cymru directly, then he should not have any filtering at all, because he is never going to update it anyway in the future. Ergo lots of black holes for newly allocated address spaces to the RIRs. The cure will be far worse than the disease if routers would come with pre-configured bogon lists.

And you are missing a big point: what bogons are bogons? In an enterprise setup the RFC1918 space (10/8, 172.16/12, 192.168/16) is most likely not a bogon, while it most likely is for an ISP. Breaks right here.

On top of that it is solving a non-problem. There is only little junk coming from the non-IANA-allocated ranges. And that is easily taken care of by filtering inbound traffic at the customer edges (i.e. allow customers to send only traffic with source IPs out of the assigned IP range). If you do any bogon filtering at all, then do it with some automatically updating system like a BGP bogon feed from Cymru.

-- Andre
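The two alternatives the reply argues for, customer-edge ingress filtering and an automatically updated BGP bogon feed, as an added Cisco IOS configuration example. This is not a configuration from the thread, from Cisco's autosecure output or from Team Cymru's documentation: the customer prefix, interface addresses, discard address, feed peer address and AS numbers are all constructed placeholders from the RFC 5737 / RFC 5398 documentation ranges and must be replaced with the values your feed provider and addressing plan actually give you.

```cisco
! ---- 1. Customer-edge ingress filter (constructed example) ----
! Customer A has been assigned 203.0.113.0/24 (documentation range, placeholder).
! Only packets sourced from that block are accepted on the customer-facing
! interface; everything else is dropped and logged.  This is the per-customer
! filter the reply recommends instead of a global, hand-maintained bogon ACL.
ip access-list extended CUST-A-IN
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Customer A (placeholder interface)
 ip address 198.51.100.1 255.255.255.252
 ip access-group CUST-A-IN in
 ! Strict uRPF: source must be reachable back out this same interface.
 ! Belt and braces with the ACL; also catches typos in the ACL.
 ip verify unicast source reachable-via rx
!
! ---- 2. Automatically updated bogon feed via BGP (constructed example) ----
! Bogon prefixes learned from the feed are pointed at a discard next-hop so
! the list updates itself as allocations change, with no ACL to re-edit.
! 192.0.2.1 is a placeholder discard address that is never used elsewhere.
ip route 192.0.2.1 255.255.255.255 Null0
!
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
!
route-map BOGON-FEED-IN permit 10
 ! Rewrite the next-hop to the discard address and keep the routes local.
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
!
router bgp 64500
 ! 64500 is a placeholder local AS (RFC 5398 documentation range).
 ! Peer address 192.0.2.10 and remote AS 64496 are placeholders for the
 ! values your bogon feed provider assigns; the feed is multihop eBGP.
 neighbor 192.0.2.10 remote-as 64496
 neighbor 192.0.2.10 description Bogon feed (placeholder peer)
 neighbor 192.0.2.10 ebgp-multihop 255
 neighbor 192.0.2.10 password CHANGE-ME-MD5-KEY
 neighbor 192.0.2.10 route-map BOGON-FEED-IN in
 ! Never announce anything to the feed peer, and cap what it may send us.
 neighbor 192.0.2.10 prefix-list DENY-ALL out
 neighbor 192.0.2.10 maximum-prefix 1000 90
!
! ---- 3. Turning the discard routes into a source filter ----
! A Null0 route only drops packets *destined* to a bogon.  To also drop
! packets *sourced* from one, enable loose uRPF on the upstream interface:
! a source whose best route points at Null0 fails the check and is discarded.
interface GigabitEthernet0/0
 description Upstream transit (placeholder interface)
 ip verify unicast source reachable-via any
```

Two design points follow directly from the thread. First, which feed you subscribe to decides whether RFC1918 space counts as a bogon for you; an enterprise that routes 10/8 internally must pick a feed or a local exception that does not black-hole it. Second, the `maximum-prefix` limit and the `DENY-ALL` outbound filter are there so that a misbehaving or compromised feed peer cannot fill the table or turn the router into a transit path; they are the controls a reviewer would look for before trusting any externally sourced route set.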