Yes - the space in question was allocated last January - it looks like
not everyone has updated their bogon access lists to remove this space
from the bogon list.
I think that Cisco's Autosecure feature is part of the
problem here:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html
While it says that bogon filters change, and provides
a URL to check it, what percentage of folks who would
use a feature like "autosecure" would ever update
their filters?
sigh.
What do they do to update that bogon list anyway - push a new IOS image?
srs
Actually, my assumption is anyone with autosecure gets
free software upgrades for life, as this is a flexible list that
will change over time. Each time a change is made they
need to release new software, and notify their installed
customer base.
- jared
... or as long as your support contract with cisco lasts, whichever
comes earlier.
No, cisco providing a time sensitive feature like this
implies free upgrades to repair this critical defect. Just like
they give out free software to people without contracts when
they have a major security vulnerability.
Seems like this falls in the same category to me.
- jared
Analogies suck, but look at (for example) Norton AntiVirus. You pay
for a year of virus definition updates. Then when the year runs out,
Symantec is not going to give you a single new virus definition even
if there's a new worm around that dwarfs Sobig, Klez and all the other
viruses put together ... I can see brand C following a similar
strategy with their bogon updates.
[and that's not a new thing I guess - every single virus that comes
down the pike is written up in the press as the worst and most
virulent virus yet]
Yes, but this is protection of an end-host/end-node, not
a portion of the global internet infrastructure. Bad features like
this and bad behaviour are serious issues when they cause these
ripple effects. It's flat-out defective software to me.
This hurts Cisco's reputation that they are causing
pockets of the internet to not work. Next subnets to get allocated
will increase the size of those pockets and so on. Then the internet
will become less reliable as an end-to-end transport medium, hurting
*everyone*.
At minimum, cisco should be offering free software updates to
people who have the older releases through something simple like
an updated maint release of software (same ver they have running
but with *CORRECT* filters), but doing the minimum isn't
always the best thing as most of us know. Providing a reliable
mechanism for this to happen is important, and possibly something
that Cisco could productize and sell a for-fee monthly subscription for
(a bgp feed or somesuch like what Team CYMRU provides is an example)
but there are those (Hi Rob & Co.) doing it for free already, so
the key is getting the blackholes minimized that exist today. If
there is software that I can download from CCO that hasn't
been deferred that has these old filters in it, Cisco is being a
poor net.citizen IMHO.
I'm not saying this to trash cisco, many people there know that,
but the important thing is ensuring that the global internet isn't
further harmed, and as more allocations are done the harm becomes
greater and it hurts every single person in this industry, providers
and vendors alike.
- Jared
--- Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
>
> While it says that bogon filters change, and provides
> a URL to check it, what percentage of folks who would
> use a feature like "autosecure" would ever update
> their filters?
> What do they do to update that bogon list anyway -
> push a new IOS image?
That's a mighty fine question: the link I referenced
is the most recent I was able to find, and its list of
bogons is thoroughly out-of-date. In the interest of
long-term reachability, I would call on Cisco to
remove the IANA-UNASSIGNED blocks from the autosecure
filters.
This will only get worse: consider how bad the GWF
problem is now with the antivirus-response-spam...
David Barak wrote:
> --- Suresh Ramasubramanian <ops.lists@gmail.com> wrote:
> > While it says that bogon filters change, and provides
> > a URL to check it, what percentage of folks who would
> > use a feature like "autosecure" would ever update
> > their filters?
> > What do they do to update that bogon list anyway -
> > push a new IOS image?
> That's a mighty fine question: the link I referenced
> is the most recent I was able to find, and its list of
> bogons is thoroughly out-of-date. In the interest of
> long-term reachability, I would call on Cisco to
> remove the IANA-UNASSIGNED blocks from the autosecure
> filters.
I think the last time this was hashed out here, there was a consensus that Cisco should not be promoting a feature that uses a static list for blackholing. The problem with now-good bogons is bad enough as it is, even with a presumably competent admin responsible for the setup.
Perhaps Cisco could couple this with a scheduled scp to a server of choice, preferably Cisco's, for an update-checking feature. At that point I would think perhaps it has a bit more + than - to it.
At any rate it should NOT be tied to IOS images; the vast majority of those never get upgraded. Make ACLs able to parse their rules from a file stored wherever, just like that new DHCP static bindings from text file feature.
Joe
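The thread keeps circling the same operational gap: a bogon ACL written once at AutoSecure time is a snapshot, and nothing on the box ever compares it with the current allocation list. The script below is an added example, not code from the thread, from Cisco, or from Team Cymru. It parses the deny entries of an IOS-style extended ACL, flags any entry that now overlaps allocated space, and emits a refreshed ACL with those entries removed. Every prefix in it is constructed sample data taken from the RFC 5737 documentation ranges and says nothing about the real status of any block; the ACL name is a made-up stand-in. A real run would take the ACL from the router and the allocation list from a maintained feed such as the one Team Cymru publishes.

```python
"""Audit a static IOS-style bogon ACL against a current allocation list.

Added example: not code from the thread, from Cisco, or from Team Cymru.
Every prefix below is constructed sample data drawn from the RFC 5737
documentation ranges; it says nothing about the real allocation status
of any block.  The ACL name is a made-up stand-in.
"""
import ipaddress
import re

# Constructed sample ACL in the extended-ACL syntax IOS uses:
# "deny ip <address> <wildcard> any".  10/8 is RFC 1918 and should stay
# filtered; the three documentation ranges play the part of bogon entries.
SAMPLE_ACL = """\
ip access-list extended sample_bogon_filter
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 198.51.100.0 0.0.0.255 any
 deny ip 203.0.113.0 0.0.0.255 any
 permit ip any any
"""

# Constructed sample "now allocated" list: pretend the first two
# documentation ranges were handed out after the ACL was written.
SAMPLE_ALLOCATED = ["192.0.2.0/24", "198.51.100.0/24"]

DENY_RE = re.compile(r"^\s*deny\s+ip\s+(\S+)\s+(\S+)\s+any\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an IPv4Network.

    IOS wildcards are inverted netmasks, so 0.0.0.255 means /24 and
    0.0.0.0 means a single host.  A non-contiguous wildcard makes
    ipaddress raise ValueError, which is the right outcome for an audit.
    """
    wild = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~wild) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_deny_networks(acl_text):
    """Return (stripped line, network) pairs for every deny entry."""
    entries = []
    for line in acl_text.splitlines():
        match = DENY_RE.match(line)
        if match:
            entries.append((line.strip(), wildcard_to_network(*match.groups())))
    return entries


def find_stale_entries(acl_text, allocated):
    """Return deny entries whose prefix overlaps space that is now allocated.

    Each result is (acl line, [overlapping allocated prefixes]).  RFC 1918
    and other deliberately filtered space is untouched because it never
    appears in the allocated list.
    """
    alloc = [ipaddress.IPv4Network(p) for p in allocated]
    stale = []
    for line, net in parse_deny_networks(acl_text):
        hits = [str(a) for a in alloc if net.overlaps(a)]
        if hits:
            stale.append((line, hits))
    return stale


def refreshed_acl(acl_text, allocated):
    """Rebuild the ACL text with stale deny entries removed, all else kept."""
    stale_lines = {line for line, _ in find_stale_entries(acl_text, allocated)}
    kept = [ln for ln in acl_text.splitlines() if ln.strip() not in stale_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line, hits in find_stale_entries(SAMPLE_ACL, SAMPLE_ALLOCATED):
        print(f"STALE: {line!r} now blocks allocated {', '.join(hits)}")
    print(refreshed_acl(SAMPLE_ACL, SAMPLE_ALLOCATED))
```

Run on the sample, it reports the two documentation-range entries as stale and prints the ACL with them dropped while the 10/8 entry and the final permit survive. The overlap test (rather than exact match) is deliberate: a filter written as a /8 still needs attention when only a /16 inside it has been allocated, and that partial case is exactly the one a "set and forget" ACL never notices.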
I will check on this and get back with
you.
Rodney
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
in-line:
Jared Mauch wrote:
> > While it says that bogon filters change, and provides
> > a URL to check it, what percentage of folks who would
> > use a feature like "autosecure" would ever update
> > their filters?
> > What do they do to update that bogon list anyway - push a new IOS image?
> Actually, my assumption is anyone with autosecure gets
> free software upgrades for life, as this is a flexible list that
> will change over time. Each time a change is made they
> need to release new software, and notify their installed
> customer base.
- -------------------
I understand bogon filters and the reasoning behind them and I'm all for it.
But why does one think (maybe I'm missing something) this approach
(autosecure) is scalable and acceptable: updating your IOS or even
constantly updating your ACLs every time one has to update their bogon
filters? Yet another thing to look out for? I'd like to see the network
availability for AOL, Google, NASDAQ every time they update their bogons.
Why can't this somehow be dynamically updated and/or linked to a
master file as opposed to upgrading the IOS?
I'd like to hear more thoughts on it.
regards,
/vicky
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jared Mauch wrote:
> I'm not saying this to trash cisco, many people there know that,
> but the important thing is ensuring that the global internet isn't
> further harmed, and as more allocations are done the harm becomes
> greater and it hurts every single person in this industry, providers
> and vendors alike.
k, bit my tongue as much as I could... But I gotta vent
So, Cisco provides this 'AutoSecure' function and everyone jumps all
over the static bogon list. Why? Hello? The basic idea here is that
it gets you decent out of the box setup defaults which you tailor after
running it, right? (NOTE: I haven't actually hit the AUTOSECURE button
yet, just read a little about it)
What's so bad about decent secure defaults? I just see it as a shortcut
to getting a router online, not a solution to security. If you're
implementing a new router and setting up Bogon filters you should
already know that they'll need to be updated regularly and should
replace the access list with a refreshed one using the autosecure
configuration as a TEMPLATE that you work off of. If you don't know
this, then you shouldn't be in charge of said router. Am I missing
something here???
- --
~ /"\
~ \ / ASCII RIBBON CAMPAIGN
~ X AGAINST HTML MAIL
~ / \
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jared Mauch wrote:
> > I'm not saying this to trash cisco, many people there know that,
> > but the important thing is ensuring that the global internet isn't
> > further harmed, and as more allocations are done the harm becomes
> > greater and it hurts every single person in this industry, providers
> > and vendors alike.
> k, bit my tongue as much as I could... But I gotta vent
> So, Cisco provides this 'AutoSecure' function and everyone jumps all
> over the static bogon list. Why? Hello? The basic idea here is that
> it gets you decent out of the box setup defaults which you tailor after
> running it, right? (NOTE: I haven't actually hit the AUTOSECURE button
> yet, just read a little about it)
Well, the problem is that the autosecure feature
introduces a static element (address filtering) into a
dynamic world (routing), in a way which is generally
considered "set and forget."
The target audience for autosecure is people who don't
have their own security people on staff, thus ensuring
that the filters will get out of date, and cause
mysterious reachability issues (mysterious, that is,
because no one will think of looking for the problem
in the router...)
> What's so bad about decent secure defaults? I just see it as a shortcut
> to getting a router online, not a solution to security.
Getting a router online is giving it an IP address.
Translate from geek to English: when someone who is
not-so-technical hears "autosecure" the end result is
something like "automatic transmission" - i.e.
something which doesn't need to be played with except
once every few years.
> If you're implementing a new router and setting up Bogon filters
The argument is that autosecure SHOULDN'T set up bogon
filters.
> you should already know that they'll need to be updated regularly
> and should replace the access list with a refreshed one using
> the autosecure configuration as a TEMPLATE that you work off of.
> If you don't know this, then you shouldn't be in charge of said
> router. Am I missing something here???
The primary audience for the autosecure feature is
people who really don't quite get routers. No, they
don't have any business with enable, but do they have
it? yes.
> What's so bad about decent secure defaults?
I don't consider a configuration that disenfranchises part of the
internet as "decent [...] defaults."
Cheers,
Rob
> What's so bad about decent secure defaults?
secure defaults are good...but there are other aspects of cisco ios which
would be better suited to be disabled out of the box: redirects, proxy
arp, tcp/udp small-servers, the lack of decent ssh (this is getting
better), lack of receive acls on all but the big boxen, etc...these are a
few things which would be better to have out of the box.
> If you're implementing a new router and setting up Bogon filters you
> should already know that they'll need to be updated regularly
read the beginning of this thread - people implement bogon filters
without keeping them up to date already. this is just another mechanism
to do the same thing (but on a larger scale).
> If you don't know this, then you shouldn't be in charge of said router.
> Am I missing something here???
in an ideal world, yes, this would be true; however we all know the
reality of this. there are already secure config templates available
which people follow without actually knowing the implications of. one
more 'feature' in ios will go unnoticed by most, and thus will be left
out of date...that was, i believe, jared's point.
/joshua
Only thing you're missing is that "shouldn't be in charge of said router"
describes a nice-to-dream-about but nonexistent state of affairs.
I'll go out on a limb and say that 3/4 of the Cisco routers in production use
are managed by unqualified network monkeys employed by the leaf sites. The fact
that they get one interface connected to their local LAN, and the other
interface connected to the fractional T-1 back to the ISP, and that packets
make it from the LAN to www.google.com and back is amazing enough. Expecting
them to do things like proper inbound bogon filtering and outbound 1918 egress
filtering is pushing it...
In other words, the only people who are likely to *use* the autosecure feature
are people who (a) will Get It Wrong (either at initial config, or failure to
update it regularly), (b) aren't reading this list anyhow (or any other
place where they're likely to see the "Update your bogons" mantra), and
(c) indeed shouldn't have "enable".
[...]
I beg to differ - 3/4 of the Cisco routers in (enterprise) production are
*unmaintained*. These will have a variety of vulnerable, buggy or just plain
crap IOS versions and no-one would've even considered upgrading for years.
If filters depend on IOS upgrades then those filters are there to stay.
ISPs will of course feed their routers more often, but to be honest
anyone else looks at their network kit only when there's something far wrong
with it.
Hi, NANOGers.
Will makes an excellent point here:
] I beg to differ - 3/4 of the Cisco routers in (enterprise) production are
] *unmaintained*. These will have a variety of vulnerable, buggy or just plain
] crap IOS versions and no-one would've even considered upgrading for years.
While I don't have any numbers, I can say that we see a LOT of
routers overtly compromised and modified as a result. The
modifications are generally scripted, and include changing the
passwords (to anything but "cisco"), disabling logging, and
adding filters. You'd think such things would be rather
obvious, and they are, yet no one notices.
Most of these compromised routers are at the end of FR or
frac-T connections. I suspect a great many of them were
configured once, then left to rot with the same code and
configuration for years and years.
Thanks,
Rob.
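Rob's point is that the scripted modifications are obvious in the configuration and still nobody notices, which is a monitoring failure rather than a stealth problem. As an added example that is not code from the thread or from Team Cymru, the script below does the check that would surface them: it diffs a saved baseline of the running config against the current copy and flags exactly the three changes he names, a changed password, disabled logging, and an added filter. Both configs are constructed samples; the hashes, addresses and ACL number are placeholders and not values from any real device.

```python
"""Flag the configuration changes Rob describes on a compromised IOS router.

Added example: not code from the thread or from Team Cymru.  Both configs
are constructed samples; the hashes, addresses and ACL number are
placeholders, not values from any real device.
"""

# Constructed baseline: the config as it looked when the router was deployed.
BASELINE_CONFIG = """\
hostname branch-rtr
enable secret 5 $1$PLACEHOLDER$baselinehash
logging 192.0.2.10
logging buffered 16384
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
line vty 0 4
 password 7 PLACEHOLDERBASELINE
"""

# Constructed current copy showing the three scripted changes Rob lists:
# password changed, logging disabled, a filter added.
CURRENT_CONFIG = """\
hostname branch-rtr
enable secret 5 $1$PLACEHOLDER$differenthash
no logging buffered
access-list 199 permit ip host 198.51.100.7 any
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 ip access-group 199 in
line vty 0 4
 password 7 PLACEHOLDERCHANGED
"""

# Line prefixes that identify a credential or a packet filter in IOS syntax.
CREDENTIAL_PREFIXES = ("enable secret", "enable password", "username ", "password ")
FILTER_PREFIXES = ("access-list ", "ip access-list ", "ip access-group ")


def config_lines(text):
    """Strip indentation and drop blank lines; order is preserved."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def diff_configs(baseline, current):
    """Return (added, removed) lines, comparing the configs as sets of lines."""
    base, cur = set(config_lines(baseline)), set(config_lines(current))
    added = [ln for ln in config_lines(current) if ln not in base]
    removed = [ln for ln in config_lines(baseline) if ln not in cur]
    return added, removed


def flag_suspicious(added, removed):
    """Map diff lines to the change categories worth paging someone about."""
    findings = []
    for ln in removed:
        if ln.startswith("logging "):
            findings.append(("logging-disabled", "removed: " + ln))
        if ln.startswith(CREDENTIAL_PREFIXES):
            findings.append(("credential-changed", "removed: " + ln))
    for ln in added:
        if ln.startswith("no logging"):
            findings.append(("logging-disabled", "added: " + ln))
        if ln.startswith(CREDENTIAL_PREFIXES):
            findings.append(("credential-changed", "added: " + ln))
        if ln.startswith(FILTER_PREFIXES):
            findings.append(("filter-added", "added: " + ln))
    return findings


def audit(baseline, current):
    """Diff the two configs and return the flagged findings."""
    return flag_suspicious(*diff_configs(baseline, current))


if __name__ == "__main__":
    for category, detail in audit(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"{category:20} {detail}")
```

On the sample pair this produces nine findings across the three categories and none when a config is compared with itself. Comparing flattened line sets is deliberately simple and has a known limit: a line such as a bare permit statement can belong to several ACL stanzas, so a production version should keep each line paired with its parent stanza. The more important point is the one Rob makes: the check only helps if the baseline is saved at deployment and the comparison actually runs, which is exactly what does not happen on a router that is configured once and left to rot.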