I will check on this and get back with you. Rodney On Thu, Jan 20, 2005 at 11:18:10AM -0500, Joe Maimon wrote:
David Barak wrote:
--- Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
David Barak <thegameiam@yahoo.com> wrote:
While it says that bogon filters change, and
provides
a URL to check it, what percentage of folks who
would
use a feature like "autosecure" would ever update their filters?
What do they do to update that bogon list anyway - push a new IOS image?
That's a mighty fine question: the link I referenced is the most recent I was able to find, and its list of bogons is thoroughly out-of-date. In the interest of long-term reachability, I would call on Cisco to remove the IANA-UNASSIGNED blocks from the autosecure filters.
I think the last time this was hashed out here, there was a consensus that Cisco should not be promoting a feature that uses a static list for blackholing. The problem is with now-good-bogons bad enough as it is, even with a presumably competent admin responsible for the setup.
Perhaps Cisco could couple this with a scheduled scp to a server of choice, preferably Cisco's, for an update checking feature. At that point I would think perhaps it has a bit more + than - to it.
At any rate it should NOT be tied to IOS images, the vast majority of those never get upgraded. Make ACLS be able to parse their rules from a file stored wherever. Just like that new DHCP static bindings from text file feature.
Joe