RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-02-17 Thread Hank Nussbacher
At 05:27 PM 16-02-05 -0500, Sean Donelan wrote: On Wed, 16 Feb 2005, Kunjal Trivedi wrote: Due to the feedback we've received on the Autosecure bogon list issue, we've decided to do the following: 1) Provide a fix that removes bogon ACL creation and deployment from the Autosecure feature.

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-02-17 Thread Sean Donelan
On Thu, 17 Feb 2005, Hank Nussbacher wrote: Martian addresses are relatively static, and might be good candidates for one-click security. If you see a 127.0.0.0/8 packet floating around, it's probably up to no good. As are RFC1918 addresses. Cisco routers are frequently used in enterprise

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-02-16 Thread Kunjal Trivedi
: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19 --- Richard J. Sears [EMAIL PROTECTED] wrote: Yes - the space in question was allocated last January - it looks like not everyone has updated their bogon access lists to remove this space from the bogon list

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-02-16 Thread Sean Donelan
On Wed, 16 Feb 2005, Kunjal Trivedi wrote: Due to the feedback we've received on the Autosecure bogon list issue, we've decided to do the following: 1) Provide a fix that removes bogon ACL creation and deployment from the Autosecure feature. This change will be available in mainline and

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-21 Thread Rob Thomas
Hi, Hank. ] How would this scale for say 200K routers? 2M? -Hank Dave Deitrich of Team Cymru will be presenting on this very topic at the next NANOG. Short answer: We're ready when you are. :) Thanks, Rob. -- Rob Thomas http://www.cymru.com Shaving with Occam's razor since 1999.

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-21 Thread Fergie (Paul Ferguson)
As someone who used to do a great deal of managed network services, I can certainly attest to that. - ferg -- Christopher L. Morrow [EMAIL PROTECTED] wrote: On Thu, 20 Jan 2005, James Laszko wrote: Well, if the router CAN run BGP, the feed from Cymru is only about 84 prefixes - not a lot

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-21 Thread Michael . Dillon
Well, if the router CAN run BGP, the feed from Cymru is only about 84 prefixes - not a lot of memory tied up there, is there? Not a very wise solution. If hundreds of thousands of routers take this feed from Cymru, then it won't be long before someone attacks Cymru in order to control the

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-21 Thread Joel Aelwyn
On Fri, Jan 21, 2005 at 09:01:13AM +0200, Hank Nussbacher wrote: On Thu, 20 Jan 2005, James Laszko wrote: Well, if the router CAN run BGP, the feed from Cymru is only about 84 prefixes - not a lot of memory tied up there, is there? I am *not* talking about the leaf - rather the core.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-21 Thread Bill Stewart
On Thu, 20 Jan 2005 20:16:14 +0530, Suresh Ramasubramanian [EMAIL PROTECTED] wrote: Analogies suck, but look at (for example) Norton AntiVirus. You pay for a year of virus definition updates. Then when the year runs out, Symantec is not going to give you a single new virus definition even

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Suresh Ramasubramanian
David Barak [EMAIL PROTECTED] wrote: While it says that bogon filters change, and provides a URL to check it, what percentage of folks who would use a feature like autosecure would ever update their filters? What do they do to update that bogon list anyway - push a new IOS image?

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch
On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote: David Barak [EMAIL PROTECTED] wrote: While it says that bogon filters change, and provides a URL to check it, what percentage of folks who would use a feature like autosecure would ever update their filters?

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Suresh Ramasubramanian
On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch [EMAIL PROTECTED] wrote: Actually, my assumption is anyone with autosecure gets free software upgrades for life, as this is a flexible list that ... or as long as your support contract with cisco lasts, whichever comes earlier. --

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch
On Thu, Jan 20, 2005 at 08:03:42PM +0530, Suresh Ramasubramanian wrote: On Thu, 20 Jan 2005 09:29:34 -0500, Jared Mauch [EMAIL PROTECTED] wrote: Actually, my assumption is anyone with autosecure gets free software upgrades for life, as this is a flexible list that ... or as long

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Suresh Ramasubramanian
On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch [EMAIL PROTECTED] wrote: No, cisco providing a time sensitive feature like this implies free upgrades to repair this critical defect. Just like they give out free software to people without contracts when they have a major security

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Jared Mauch
On Thu, Jan 20, 2005 at 08:16:14PM +0530, Suresh Ramasubramanian wrote: On Thu, 20 Jan 2005 09:42:54 -0500, Jared Mauch [EMAIL PROTECTED] wrote: No, cisco providing a time sensitive feature like this implies free upgrades to repair this critical defect. Just like they give out

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Fergie (Paul Ferguson)
...and it's not like ARIN, etc., does not announce to the Internet community when it allocates from address space which may have previously been listed in various operational places as bogon or unallocated -- they do. I recall seeing similar announcements on the list from time to time,

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread David Barak
--- Suresh Ramasubramanian [EMAIL PROTECTED] wrote: David Barak [EMAIL PROTECTED] wrote: While it says that bogon filters change, and provides a URL to check it, what percentage of folks who would use a feature like autosecure would ever update their filters? What do they do

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Daniel Golding
Is there an RFC or other standards document that clearly states that static bogon filter lists are a bad idea? While this seems like common sense, there was just an RFC published on why IP addresses for specific purposes (like NTP) shouldn't be encoded into hardware. Using a dynamic feed needs

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Joe Maimon
David Barak wrote: --- Suresh Ramasubramanian [EMAIL PROTECTED] wrote: David Barak [EMAIL PROTECTED] wrote: While it says that bogon filters change, and provides a URL to check it, what percentage of folks who would use a feature like autosecure would ever update

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rodney Dunn
I will check on this and get back with you. Rodney On Thu, Jan 20, 2005 at 11:18:10AM -0500, Joe Maimon wrote: David Barak wrote: --- Suresh Ramasubramanian [EMAIL PROTECTED] wrote: David Barak [EMAIL PROTECTED] wrote: While it says that bogon filters change, and

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Curtis Doty
11:02am Daniel Golding said: Is there an RFC or other standards document that clearly states that static bogon filter lists are a bad idea? While this seems like common sense, there Since this keeps coming up. I'll toss my quick and dirty reminder cronjob into the discussion. I cannot

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Vicky Rode
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 in-line: Jared Mauch wrote: | On Thu, Jan 20, 2005 at 06:26:15PM +0530, Suresh Ramasubramanian wrote: | |David Barak [EMAIL PROTECTED] wrote: | |While it says that bogon filters change, and provides |a URL to check it, what percentage of folks who

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread David Barak
--- Chris A. Epler [EMAIL PROTECTED] wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Jared Mauch wrote: | I'm not saying this to trash cisco, many people there know that, | but the important thing is insuring that the global internet isn't | further harmed, and as more

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rob Evans
What's so bad about decent secure defaults? I don't consider a configuration that disenfranchises part of the internet as decent [...] defaults. :) Cheers, Rob

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread joshua sahala
On (20/01/05 13:20), Chris A. Epler wrote: What's so bad about decent secure defaults? secure defaults are good...but there are other aspects of cisco ios which would be better suited to be disabled out of the box: redirects, proxy arp, tcp/udp small-servers, the lack of decent ssh

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Valdis . Kletnieks
On Thu, 20 Jan 2005 13:20:45 EST, Chris A. Epler said: What's so bad about decent secure defaults? I just see it as a shortcut to getting a router online, not a solution to security. If you're implementing a new router and setting up Bogon filters you should already know that they'll need to

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Rob Thomas
Hi, NANOGers. Will makes an excellent point here: ] I beg to differ - 3/4 of the Cisco routers in (enterprise) production are ] *unmaintained*. These will have a variety of vulnerable, buggy or just plain ] crap IOS versions and no-one would've even considered upgrading for years. While I

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Charles R. Anderson
On Fri, Jan 21, 2005 at 12:55:45AM +, Will Hargrave wrote: If filters depend on IOS upgrades then those filters are there to stay. Perhaps the feature/filters ought to have an expiration date/TTL.

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Suresh Ramasubramanian
Chris A. Epler [EMAIL PROTECTED] wrote: What's so bad about decent secure defaults? I just see it as a shortcut Nothing at all as long as they remain decent. New /8s getting allocated every few months make it positively indecent. srs

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread James Laszko
What's so bad about decent secure defaults? I don't consider a configuration that disenfranchises part of the internet as decent [...] defaults. :) The big problem that we're experiencing here is that the big telco ISPs, network providers and managed service providers that should have

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Chris Kuethe
On Thu, 20 Jan 2005 21:14:12 -0800, James Laszko [EMAIL PROTECTED] wrote: ... Why more people don't use resources like what Cymru offer is beyond me... Not-Invented-Here syndrome? -- GDB has a 'break' feature; why doesn't it have 'fix' too?

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow
On Thu, 20 Jan 2005, James Laszko wrote: What's so bad about decent secure defaults? I don't consider a configuration that disenfranchises part of the internet as decent [...] defaults. :) The big problem that we're experiencing here is that the big telco ISPs, network providers and

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread James Laszko
Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat. In the same hand, do you know how hard it was to get in touch with someone at SBC/SBC-IS/PBI/PacBell that knew what the heck

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread James Laszko
Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat. And I completely agree that it's a big pain to coordinate this. In the same hand, SBC and all other 'big' providers use

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Valdis . Kletnieks
On Fri, 21 Jan 2005 00:55:45 GMT, Will Hargrave said: I beg to differ - 3/4 of the Cisco routers in (enterprise) production are *unmaintained*. These will have a variety of vulnerable, buggy or just plain crap IOS versions and no-one would've even considered upgrading for years. Oh.. I was

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow
On Thu, 20 Jan 2005, James Laszko wrote: Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat. And I completely agree that it's a big pain to coordinate this. In the

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Christopher L. Morrow
On Thu, 20 Jan 2005, James Laszko wrote: Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat. In the same hand, do you know how hard it was to get in touch with someone at

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Hank Nussbacher
On Thu, 20 Jan 2005, James Laszko wrote: sort of mechanism. If they're not going to use something like the Cymru BOGON BGP feed they should build their own and should have configured their managed routers to query that from the beginning. As more How would this scale for say 200K routers?

FW: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread James Laszko
. Morrow [mailto:[EMAIL PROTECTED] Sent: Thursday, January 20, 2005 9:55 PM To: James Laszko Cc: Rob Evans; Chris A. Epler; nanog@merit.edu Subject: RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19 On Thu, 20 Jan 2005, James Laszko wrote: Wash, rinse, repeat for the other 70,000

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread James Laszko
:[EMAIL PROTECTED] Sent: Thursday, January 20, 2005 10:51 PM To: James Laszko Cc: nanog@merit.edu Subject: RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19 On Thu, 20 Jan 2005, James Laszko wrote: sort of mechanism. If they're not going to use something like the Cymru BOGON BGP

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-20 Thread Hank Nussbacher
: Thursday, January 20, 2005 10:51 PM To: James Laszko Cc: nanog@merit.edu Subject: RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19 On Thu, 20 Jan 2005, James Laszko wrote: sort of mechanism. If they're not going to use something like the Cymru BOGON BGP feed they should

Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-19 Thread Richard J. Sears
___ From: [EMAIL PROTECTED] Sent: Wednesday, January 19, 2005 9:58 AM To: 'nanog@merit.edu' Subject: BOGON Filtering IP Space? Our NOC is opening a lot of tickets for customers that live on our 72.14.128.0/19 network going towards local and federal government

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-19 Thread Richard J. Sears
Yes - the space in question was allocated last January - it looks like not everyone has updated their bogon access lists to remove this space from the bogon list. On Wed, 19 Jan 2005 13:51:11 -0500 Kurt Kruegel [EMAIL PROTECTED] wrote: from http://www.cymru.com/Documents/bogon-list.html

Re: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

2005-01-19 Thread David Barak
--- Richard J. Sears [EMAIL PROTECTED] wrote: Yes - the space in question was allocated last January - it looks like not everyone has updated their bogon access lists to remove this space from the bogon list. I think that Cisco's Autosecure feature is part of the problem here: