North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Bogon filtering (don't ban me)

  • From: william(at)
  • Date: Sun Dec 05 13:45:00 2004

On Sun, 5 Dec 2004, Joe Maimon wrote:

> >PF and bgpd with local filter table is good when you're expecting those
> >filtered ip routes to change often. 
> >  
> I dont understand this attitude. Automating everything that is safely 
> automatable is the only right way to do things. Its always worth it and 
> it is always good. Everyone has always professed to believe in this.

I completely agree about automatic updates. I just want to point out that
for data that rarely changes and where such changes can easily be 
accomodated when distributed within 24 hours using BGP (which is
designed for rapid updates of routing data) is an overkill.

> In this case this is the exact cause of the problem the thread started 
> addressing: Manual updates that dont keep up.
> Once upon  a time this was the argument of sendmail access database V. 
> dnsbls. Once upon a time you were expected to manually update virus 
> definitions. Once upon a time you were expected to etc.. the list goes on.

And look at virus defenitions - they do not get distributed immediatly 
to end-sites like BGP, instead local systems check with remote server
once/day or once/week and automaticly download new definitions.

> Every "weekly" task an admin takes on manually adds up. It may be great 
> job insurance but it starts to suck quick for anyone with half a brain.

Look at the webpage I listed, it mentiones several times that updates
must be made automaticly (or otherwise you should not bother) and includes 
scripts that automaticly recreate firewall scripts every week or every
day from the downloaded ip list.

> As far as router vendors such as Cisco autosecure, I do not think there 
> is any way to make default access lists lossless. They should step up to 
> the plate and offer md5 by system serial number keyed multihop BGP 
> bogons in the manner of cymru. Its their responsibility. Also good that 
> it makes them eat even more of their own dogfood which is probably ill 
> suited to this kind of thing.

Or they could offer service to update relevent ios security config 
(including access-list) from remote server once/day/week. This would
be a lot easier then forcing everyone who needs this do bgp feed
and it also takes care of security updates that require more then
just updating one specific access-list.

William Leibzon
Elan Networks
[email protected]