North American Network Operators Group
Re: Bogon filtering (don't ban me)
On Sun, 5 Dec 2004, Joe Abley wrote:

I don't understand this attitude. Automating everything that is safely automatable is the only right way to do things. It's always worth it and it is always good. Everyone has always professed to believe in this.
In this case this is the exact cause of the problem the thread started addressing: manual updates that don't keep up.
Once upon a time this was the argument of the sendmail access database vs. DNSBLs. Once upon a time you were expected to manually update virus definitions. Once upon a time you were expected to, etc.; the list goes on.
Every "weekly" task an admin takes on manually adds up. It may be great job insurance but it starts to suck quick for anyone with half a brain.
Now to throw some wacky ideas out instead of opinions.
I think that a BGP mechanism to tag routes as "ignore all more specifics" would solve this problem nicely (and perhaps a whole lot of others, such as needless deaggregation).
As far as router vendors such as Cisco AutoSecure go, I do not think there is any way to make default access lists lossless. They should step up to the plate and offer MD5-keyed (by system serial number) multihop BGP bogons in the manner of Cymru. It's their responsibility. It's also good that it makes them eat even more of their own dogfood, which is probably ill suited to this kind of thing.
They should ask team cymru to help them do it and give them a nice fat check while they are at it.
Failing that, they could offer RADIUS/TACACS loading of that access list. Anything else is negligence.
And using BGP for /32 blacklist routes probably has very limited scalability. Anyone have any relevant numbers?
Everybody who posts lists of static access lists should seriously consider stopping. If not that, offer an email subscription to announce updates.
(think I beat the S:N? --even if my S is nonsense?)
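The post argues that bogon filters should be generated from a feed rather than maintained by hand, and that a router should be able to recognise a route as a more-specific of a bogon. The script below, added here as an example and not part of the original NANOG message or of any Team Cymru or Cisco tooling, shows the automation in miniature: it parses a bogon feed in a plain one-prefix-per-line text format, renders a Cisco-style `ip prefix-list`, computes the delta against the prefix-list currently installed (so stale entries for since-allocated space stand out instead of lingering for years), and checks whether a given announcement falls inside a bogon. The feed text, the installed prefix-list, and the list name `bogons` are constructed for this example; the `ip prefix-list ... seq N deny/permit PREFIX le LEN` syntax is IOS's, but nothing here talks to a router.

```python
"""Generate and diff a bogon prefix-list from a feed (illustrative example)."""
import ipaddress
import re

# Constructed sample feed, one prefix per line, '#' comments allowed.
# This is NOT the real Team Cymru bogon list; it is just the same shape.
SAMPLE_BOGON_FEED = """\
# constructed bogon feed, updated 2004-12-05 (sample data only)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3
"""

# Constructed snapshot of a prefix-list installed on a router some time ago.
# It is missing three current entries and still denies 69.0.0.0/8, which is
# the classic stale-bogon mistake this script is meant to surface.
SAMPLE_INSTALLED_PREFIX_LIST = """\
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 25 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 30 deny 69.0.0.0/8 le 32
ip prefix-list bogons seq 100 permit 0.0.0.0/0 le 32
"""

PREFIX_LINE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge \d+)?(?: le \d+)?$"
)


def parse_feed(text):
    """Return the feed's prefixes as IPv4Network objects, ignoring comments.

    strict=True makes a malformed entry (host bits set) raise instead of
    silently filtering the wrong block.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=True))
    return nets


def parse_prefix_list(text, name):
    """Collect the prefixes a named prefix-list currently denies."""
    denied = set()
    for line in text.splitlines():
        m = PREFIX_LINE.match(line.strip())
        if m and m["name"] == name and m["action"] == "deny":
            denied.add(ipaddress.ip_network(m["prefix"], strict=False))
    return denied


def render_prefix_list(nets, name, step=5):
    """Render deny entries for every bogon (and all more-specifics via 'le'),
    followed by a catch-all permit, as IOS prefix-list configuration lines."""
    lines = []
    seq = step
    for net in sorted(nets):
        lines.append(f"ip prefix-list {name} seq {seq} deny {net} le {net.max_prefixlen}")
        seq += step
    lines.append(f"ip prefix-list {name} seq {seq} permit 0.0.0.0/0 le 32")
    return "\n".join(lines)


def diff_bogons(feed_nets, installed_nets):
    """Return (to_add, to_remove): feed entries the router lacks, and router
    entries the feed no longer lists (i.e. space that has since been allocated)."""
    feed = set(feed_nets)
    return feed - installed_nets, installed_nets - feed


def covering_bogon(prefix, bogon_nets):
    """Return the bogon that covers `prefix` (the "ignore more specifics"
    check from the post), or None if the prefix is not inside any bogon."""
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in bogon_nets:
        if net.subnet_of(bogon):
            return bogon
    return None


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_BOGON_FEED)
    installed = parse_prefix_list(SAMPLE_INSTALLED_PREFIX_LIST, "bogons")
    add, remove = diff_bogons(feed, installed)
    print("missing from router:", sorted(map(str, add)))
    print("stale on router    :", sorted(map(str, remove)))
    print("10.1.2.0/24 covered by:", covering_bogon("10.1.2.0/24", feed))
    print()
    print(render_prefix_list(feed, "bogons"))
```

Run from cron against the real feed and push the rendered list through whatever config-management you already trust; the point is that the delta is computed by the machine every time, so a stale `deny` for newly allocated space shows up the week it goes stale rather than when a customer complains.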