North American Network Operators Group


RE: Please Check Filters - BOGON Filtering IP Space

  • From: Sean Donelan
  • Date: Wed Feb 16 17:28:26 2005

On Wed, 16 Feb 2005, Kunjal Trivedi wrote:
> Due to the feedback we've received on the Autosecure bogon list issue, we've
> decided to do the following:
> 1) Provide a fix that removes bogon ACL creation and deployment from the
> Autosecure feature.  This change will be available in mainline and
> maintenance software releases. For the software release details, please
> refer to 2.
> 2) A Cisco Field Notice will be published to inform customers of the change
> and will contain instructions on how to remove the bogon ACLs created by
> executing the autosecure command.
> We'll update the list with the Field Notice URL as soon as it's available.
> Tentative date for FN posting is 18th February 2005.

The pendulum swings too far in the other direction.

Martian addresses are relatively static, and might be good candidates for
one-click security.  If you see a packet floating around, it's
probably up to no good.

The objection is naive people assuming all the addresses on the list are
the same, in particular what Team Cymru calls "Bogons."  Bogon filters
should only be configured by people who understand what they are doing.
Bogon lists, as opposed to Martian lists, are probably not a good thing
for cookbook security or one-click auto-configure.
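
Added example, not part of the original message: a Python sketch of the Martian/bogon distinction drawn above, auditing a static deny list after allocations have changed. The special-use blocks listed are an assumption taken from the IPv4 special-use RFCs, and the "unallocated" /8s are constructed sample data, not registry records.

```python
import ipaddress

# Special-use ("Martian") IPv4 blocks fixed by RFC; they change very rarely.
# Assumption: this subset is chosen for the example, it is not from the message.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: a deny list generated once and never revisited.
DENY_LIST_SNAPSHOT = ["10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16",
                      "73.0.0.0/8", "74.0.0.0/8"]
# Constructed sample: space still unallocated at audit time
# (73.0.0.0/8 has been handed out since the snapshot was taken).
UNALLOCATED_LATER = ["74.0.0.0/8"]


def classify(prefix):
    """'martian' if the prefix sits inside a special-use block, else 'bogon'."""
    net = ipaddress.ip_network(prefix)
    return "martian" if any(net.subnet_of(m) for m in MARTIANS) else "bogon"


def audit(deny_list, unallocated_now):
    """Sort deny-list entries by how much maintenance they need.

    static  - Martian space, safe to leave in a set-and-forget filter
    recheck - still unallocated, valid only until the next allocation
    stale   - now allocated, so the filter is dropping legitimate traffic
    """
    unallocated = [ipaddress.ip_network(p) for p in unallocated_now]
    result = {"static": [], "recheck": [], "stale": []}
    for prefix in deny_list:
        net = ipaddress.ip_network(prefix)
        if classify(prefix) == "martian":
            result["static"].append(prefix)
        elif any(net.subnet_of(u) for u in unallocated):
            result["recheck"].append(prefix)
        else:
            result["stale"].append(prefix)
    return result


if __name__ == "__main__":
    for bucket, prefixes in audit(DENY_LIST_SNAPSHOT, UNALLOCATED_LATER).items():
        print(f"{bucket:8} {', '.join(prefixes)}")
```
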