David Barak wrote:
I think the last time this was hashed out here, there was a consensus that Cisco should not be promoting a feature that uses a static list for blackholing. The problem is with now-good-bogons bad enough as it is, even with a presumably competent admin responsible for the setup.--- Suresh Ramasubramanian <[EMAIL PROTECTED]> wrote:
David Barak <[EMAIL PROTECTED]> wrote:
While it says that bogon filters change, andprovides
a URL to check it, what percentage of folks whowould
use a feature like "autosecure" would ever update
their filters?
What do they do to update that bogon list anyway - push a new IOS image?
That's a mighty fine question: the link I referenced is the most recent I was able to find, and its list of bogons is thoroughly out-of-date. In the interest of long-term reachability, I would call on Cisco to remove the IANA-UNASSIGNED blocks from the autosecure filters.
Perhaps Cisco could couple this with a scheduled scp to a server of choice, preferably Cisco's, for an update checking feature. At that point I would think perhaps it has a bit more + than - to it.
At any rate it should NOT be tied to IOS images, the vast majority of those never get upgraded. Make ACLS be able to parse their rules from a file stored wherever. Just like that new DHCP static bindings from text file feature.
Joe