128.0.0.0/16 configured as martians in some routers
Dear Colleagues, The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline that this /16 should no longer be reserved as specialised address space. All allocations that were already issued have been exchanged and for now we will hold this space in quarantine. We urge everyone to change the default behaviour of their Juniper routers: set routing-options martians 128.0.0.0/16 orlonger allow set routing-options martians 191.255.0.0/16 orlonger allow set routing-options martians 223.255.255.0/24 exact allow 128.0.0.0/16 has been added to the RIPE NCC's Debogonising Project: http://www.ris.ripe.net/debogon/ To facilitate testing, the following prefixes are being announced: prefix pinagble address 128.0.0.0/16 128.0.0.1 128.0.8.0/21 128.0.8.1 128.0.24.0/24 128.0.24.1 Best regards, Alex Le Heux Policy Implementation Co-ordinator RIPE NCC
Dear Colleagues, The correct prefix and pingable address list for the Debogonising Project is: prefix pinagble address 128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1 Our apologies for the oversight. Best regards, Alex Le Heux Policy Implementation Co-ordinator RIPE NCC On Dec 5, 2011, at 16:20, Alex Le Heux wrote:
Dear Colleagues,
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline that this /16 should no longer be reserved as specialised address space.
All allocations that were already issued have been exchanged and for now we will hold this space in quarantine.
We urge everyone to change the default behaviour of their Juniper routers:
set routing-options martians 128.0.0.0/16 orlonger allow set routing-options martians 191.255.0.0/16 orlonger allow set routing-options martians 223.255.255.0/24 exact allow
128.0.0.0/16 has been added to the RIPE NCC's Debogonising Project:
http://www.ris.ripe.net/debogon/
To facilitate testing, the following prefixes are being announced:
prefix pinagble address
128.0.0.0/16 128.0.0.1 128.0.8.0/21 128.0.8.1 128.0.24.0/24 128.0.24.1
Best regards,
Alex Le Heux Policy Implementation Co-ordinator RIPE NCC
Once upon a time, Alex Le Heux <alexlh@ripe.net> said:
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Are these prefixes being announced widely? I don't see anything for 128.0.0.0/16 from my upstreams, nor at many public looking glasses. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
We do have it from Level3: C:\Documents and Settings\TAYEB>tracert 128.0.0.1 Détermination de l'itinéraire vers 128.0.0.1 avec un maximum de 30 sauts. 1 1 ms 3 ms 3 ms 172.28.0.1 2 3 ms 3 ms 3 ms 10.16.0.1 3 13 ms 15 ms 16 ms 41.200.0.1 4 32 ms 12 ms 16 ms 172.17.2.25 5 15 ms 16 ms 16 ms 213.140.58.10 6 35 ms 40 ms 34 ms 212.73.253.65 7 39 ms 39 ms 39 ms ae-5-6.bar2.Marseille1.Level3.net [4.69.151.13] 8 52 ms 76 ms 54 ms ae-15-15.ebr1.Frankfurt1.Level3.net [4.69.143.24 6] 9 56 ms 56 ms 55 ms ae-81-81.csw3.Frankfurt1.Level3.net [4.69.140.10 ] 10 55 ms 55 ms 57 ms ae-82-82.ebr2.Frankfurt1.Level3.net [4.69.140.25 ] 11 58 ms 67 ms 62 ms ae-46-46.ebr1.Dusseldorf1.Level3.net [4.69.143.1 69] 12 55 ms 55 ms 56 ms ae-24-24.ebr2.Dusseldorf1.Level3.net [4.69.143.1 94] 13 172 ms 58 ms 57 ms ae-48-48.ebr1.Amsterdam1.Level3.net [4.69.143.20 9] 14 58 ms 58 ms 67 ms ae-59-114.csw1.Amsterdam1.Level3.net [4.69.153.1 98] 15 60 ms 62 ms 62 ms ae-19-51.sar1.Amsterdam1.Level3.net [4.69.139.14 6] 16 * 56 ms 58 ms 128.0.0.1 Itinéraire déterminé. C:\Documents and Settings\TAYEB> ----- Original Message ----- From: "Chris Adams" <cmadams@hiwaay.net> To: "Alex Le Heux" <alexlh@ripe.net> Cc: <nanog@nanog.org> Sent: Monday, December 05, 2011 9:44 PM Subject: Re: 128.0.0.0/16 configured as martians in some routers
Once upon a time, Alex Le Heux <alexlh@ripe.net> said:
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Are these prefixes being announced widely? I don't see anything for 128.0.0.0/16 from my upstreams, nor at many public looking glasses.
-- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 6686 (20111205) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 6686 (20111205) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
I'm see them from NTT. -Kyle On Mon, Dec 5, 2011 at 11:44 AM, Chris Adams <cmadams@hiwaay.net> wrote:
Once upon a time, Alex Le Heux <alexlh@ripe.net> said:
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Are these prefixes being announced widely? I don't see anything for 128.0.0.0/16 from my upstreams, nor at many public looking glasses.
-- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On 12/5/2011 1:44 PM, Chris Adams wrote:
Once upon a time, Alex Le Heux<alexlh@ripe.net> said:
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Are these prefixes being announced widely? I don't see anything for 128.0.0.0/16 from my upstreams, nor at many public looking glasses.
Once I updated junos 10.4R7.5 martian list, I saw them both from level3 and qwest, but not from Sprint. Jack
Once upon a time, Jack Bates <jbates@brightok.net> said:
On 12/5/2011 1:44 PM, Chris Adams wrote:
Once upon a time, Alex Le Heux<alexlh@ripe.net> said:
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Are these prefixes being announced widely? I don't see anything for 128.0.0.0/16 from my upstreams, nor at many public looking glasses.
Once I updated junos 10.4R7.5 martian list, I saw them both from level3 and qwest, but not from Sprint.
Sorry, I should have said where I looked. I'm not seeing them from Sprint or CenturyLink, nor am I seeing them at route-views/looking glasses from AT&T or TWTC. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
Here is my little table for 128.0.0.0/21 based on our upstreams: AS7922: Yes AS174: No AS2914: Yes AS3257: Yes AS2914: Yes AS2828: No AS209: Yes John @ AS11404
If anyone on Cogent is lurking, we are not receiving the announcements yet in our BGP table. Double checked on the looking glass, and it looks company wide. http://www.cogentco.com/en/network/looking-glass The space is seen through Level3... Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222 -----Original Message----- From: Alex Le Heux [mailto:alexlh@ripe.net] Sent: Monday, December 05, 2011 10:49 AM To: Routing WG Cc: lacnog@lacnic.net; PacNOG List; nanog@nanog.org; menog@menog.net; UKNOF List; SANOG List; ncc-announce@ripe.net; Address Policy Working Group; AfNOG List Subject: Re: [ncc-announce] 128.0.0.0/16 configured as martians in some routers Dear Colleagues, The correct prefix and pingable address list for the Debogonising Project is: prefix pinagble address 128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1 Our apologies for the oversight. Best regards, Alex Le Heux Policy Implementation Co-ordinator RIPE NCC
we are also receyving it through level3. ----- Original Message ----- From: "Eric Tykwinski" <eric-list@truenet.com> To: "'Alex Le Heux'" <alexlh@ripe.net> Cc: <nanog@nanog.org> Sent: Friday, December 09, 2011 4:22 PM Subject: RE: [ncc-announce] 128.0.0.0/16 configured as martians in some routers
If anyone on Cogent is lurking, we are not receiving the announcements yet in our BGP table.
Double checked on the looking glass, and it looks company wide. http://www.cogentco.com/en/network/looking-glass
The space is seen through Level3...
Sincerely,
Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222
-----Original Message----- From: Alex Le Heux [mailto:alexlh@ripe.net] Sent: Monday, December 05, 2011 10:49 AM To: Routing WG Cc: lacnog@lacnic.net; PacNOG List; nanog@nanog.org; menog@menog.net; UKNOF List; SANOG List; ncc-announce@ripe.net; Address Policy Working Group; AfNOG List Subject: Re: [ncc-announce] 128.0.0.0/16 configured as martians in some routers
Dear Colleagues,
The correct prefix and pingable address list for the Debogonising Project is:
prefix pinagble address
128.0.0.0/21 128.0.0.1 128.0.24.0/24 128.0.24.1
Our apologies for the oversight.
Best regards,
Alex Le Heux Policy Implementation Co-ordinator RIPE NCC
__________ Information from ESET NOD32 Antivirus, version of virus signature database 6697 (20111209) __________
The message was checked by ESET NOD32 Antivirus.
__________ Information from ESET NOD32 Antivirus, version of virus signature database 6697 (20111209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com
* Alex Le Heux:
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline that this /16 should no longer be reserved as specialised address space.
Would someone please clarify the impact? Will it result in a blackhole, or will the entire announcement be suppressed? I suspect the latter, given what we see and what Chris Adams has reported. -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99
On Tuesday, December 06, 2011 04:50:46 PM Florian Weimer wrote:
Would someone please clarify the impact? Will it result in a blackhole, or will the entire announcement be suppressed? I suspect the latter, given what we see and what Chris Adams has reported.
This is what we see on Cisco IOS and IOS XR boxes: lab#sh ip bgp 128.0.0.0 BGP routing table entry for 128.0.0.0/21, version 260804693 Paths: (2 available, best #1, table default) Advertised to update-groups: 2 3491 3257 1103 12654 61.11.xxx.yy (metric 34400) from 61.11.xxx.zz (61.11.xxx.zz) Origin IGP, metric 0, localpref 100, valid, internal, best Community: 24218:1 Originator: 61.11.xxx.yy, Cluster list: 0.0.0.2 3491 3257 1103 12654 61.11.xxx.yy (metric 34400) from 61.11.xxx.ww (61.11.xxx.ww) Origin IGP, metric 0, localpref 100, valid, internal Community: 24218:1 Originator: 61.11.xxx.yy, Cluster list: 0.0.0.2 lab# RP/0/RSP0/CPU0:lab#sh route 128.0.0.0 Tue Dec 6 17:09:13.439 MYT Routing entry for 128.0.0.0/21 Known via "bgp 24218", distance 200, metric 0 Tag 3491, type internal Installed Dec 4 20:00:33.089 for 1d21h Routing Descriptor Blocks 61.11.xxx.yy, from 61.11.yyy.zz Route metric is 0 No advertising protos. RP/0/RSP0/CPU0:lab# This is what we see on an unfixed Juniper: tinka@lab# run show route 128.0.0.0 inet.0: 384214 destinations, 768288 routes (384212 active, 0 holddown, 4 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 20w2d 13:21:14 Discard [edit] tinka@lab# tinka@lab# run show route 128.0.0.0/21 inet.0: 384218 destinations, 768296 routes (384216 active, 0 holddown, 4 hidden) Restart Complete [edit] tinka@lab# tinka@edge-gw-1-sin-pip.sg# run show route 128.0.0.0/21 hidden inet.0: 384224 destinations, 768308 routes (384222 active, 0 holddown, 4 hidden) Restart Complete + = Active Route, - = Last Active, * = Both 128.0.0.0/21 [BGP/170] 1d 21:17:54, MED 0, localpref 100, from 61.11.xxx.ww AS path: 3491 3257 1103 12654 I > to 124.158.xxx.uu via ge-0/0/0.0, Push 16052 to 124.158.xxx.vv via ge-0/0/0.0, Push 16017 to 124.158.xxx.ww via ge-0/1/0.0, Push 16052 to 124.158.xxx.xx via ge-0/1/0.0, Push 16017 [BGP/170] 1d 21:17:54, MED 0, localpref 100, from 61.11.xxx.zz AS path: 3491 3257 1103 12654 I > to 124.158.xxx.uu via ge-0/0/0.0, Push 16052 to 124.158.xxx.vv via ge-0/0/0.0, Push 16017 to 124.158.xxx.ww via ge-0/1/0.0, Push 16052 to 124.158.xxx.xx via ge-0/1/0.0, Push 16017 [edit] tinka@edge-gw-1-sin-pip.sg# tinka@lab# run show route 128.0.0.0/21 hidden extensive | match State State: <Hidden Martian Int Ext> State: <Hidden Martian Int Ext> [edit] tinka@lab# tinka@lab# run show interfaces terse <snip> ... fxp1 up up fxp1.0 up up inet 10.0.0.1/8 10.0.0.4/8 128.0.0.1/2 128.0.0.4/2 inet6 fe80::200:ff:fe00:4/64 fec0::a:0:0:4/64 tnp 0x4 <snip> ... [edit] tinka@lab# This is what we see on a Cisco router which lives behind an unfixed Juniper router that is peering externally: lab#sh ip bgp 128.0.0.0 % Network not in table lab# So our deduction - if a Juniper router is in the data path, it will blackhole traffic destined to this address. If a Juniper is in the control plane path, it will filter this prefix and not send it to the rest of the network. Either way, you're screwed :-). Cheers, Mark.
On 12/6/11 00:50 , Florian Weimer wrote:
* Alex Le Heux:
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline that this /16 should no longer be reserved as specialised address space.
Would someone please clarify the impact? Will it result in a blackhole, or will the entire announcement be suppressed? I suspect the latter, given what we see and what Chris Adams has reported.
http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/rout...
For those who might not be aware, an OS-level fix has been integrated into the following Junos releases: - 10.0R5 - 10.4R8 - 10.4R9 - 11.1R7 - 11.2R4 - 11.3R3 - 11.4R1 - 11.4R2 - 12.1R1 Cheers, Mark.
Hi Alex, In Dayton, Ohio, US, we are not seeing any 128... routes from TWTC (AS 4323). In St. Louis, Ohio, US, we are seeing the 128.0.0.0/21 via Level 3 (AS 3356). David Swafford, Sr. Network Engineer, CareSource On Mon, Dec 5, 2011 at 10:20 AM, Alex Le Heux <alexlh@ripe.net> wrote:
Dear Colleagues,
The RIPE NCC is aware that 128.0.0.0/16 is configured as a martian by default in (some) Juniper OS, even though RFC 5735 and RFC3330 outline that this /16 should no longer be reserved as specialised address space.
All allocations that were already issued have been exchanged and for now we will hold this space in quarantine.
We urge everyone to change the default behaviour of their Juniper routers:
set routing-options martians 128.0.0.0/16 orlonger allow set routing-options martians 191.255.0.0/16 orlonger allow set routing-options martians 223.255.255.0/24 exact allow
128.0.0.0/16 has been added to the RIPE NCC's Debogonising Project:
http://www.ris.ripe.net/debogon/
To facilitate testing, the following prefixes are being announced:
prefix pinagble address
128.0.0.0/16 128.0.0.1 128.0.8.0/21 128.0.8.1 128.0.24.0/24 128.0.24.1
Best regards,
Alex Le Heux Policy Implementation Co-ordinator RIPE NCC
participants (11)
-
Alex Le Heux
-
Chris Adams
-
David Swafford
-
Eric Tykwinski
-
Florian Weimer
-
Jack Bates
-
Joel jaeggli
-
John van Oppen
-
Kyle Duren
-
Mark Tinka
-
Meftah Tayeb