Bogon Filter - Please check for 77/8 78/8 79/8
Hi *, in August IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
Please check and possibly update your filters.
Flo (aka flo@telefonica.de)
-- Florian Lohoff flo@rfc822.org +49-171-2280134 Heisenberg may have been here.
Florian Lohoff wrote:
Hi *, in August IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
Please check and possibly update your filters.
Flo (aka flo@telefonica.de)
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons.. http://www.completewhois.com/bogons/active_bogons.htm They've ignored all my attempts to get them to update so far.. sigh.. Allan Houston - IP Network Operations Tel : +44 1483 582615 ntl: Telewest
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a lawsuit. Jack Bates
On Mon, 11 Dec 2006, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a lawsuit.
why would you let a third party not related to your business directly affect packet forwarding capabilities on your network? (in other words, why would you use them?)
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] Sent: Monday, December 11, 2006 9:55 AM To: Jack Bates Cc: nanog@merit.edu Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a
lawsuit.
no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.
i betcha libel laws aren't written in such a way that they are useful here, however, there might be some kind of restraint of trade thing that could be invoked or somesuch. ianal, not my dept.
---rob
"Scott Morris" <swm@emanon.com> writes:
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] Sent: Monday, December 11, 2006 9:55 AM To: Jack Bates Cc: nanog@merit.edu Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a
lawsuit.
On Mon, Dec 11, 2006 at 10:28:27AM -0500, Robert E. Seastrom wrote:
no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.
i betcha libel laws aren't written in such a way that they are useful here, however, there might be some kind of restraint of trade thing that could be invoked or somesuch. ianal, not my dept.
My recommendation is to write a letter (in German) and fax it over to their fax# with the urls clearly written out (eg: iana vs their url) showing the problem with the address space. it'll likely sufficiently confuse someone that they'll be curious and research it and solve the problem.
linking to stuff like the bogon-announce list too wouldn't be a bad idea either :)
- jared
---rob
"Scott Morris" <swm@emanon.com> writes:
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] Sent: Monday, December 11, 2006 9:55 AM To: Jack Bates Cc: nanog@merit.edu Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a
lawsuit.
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Stephen Satchell wrote:
Jared Mauch wrote:
linking to stuff like the bogon-announce list too wouldn't be a bad idea either :)
Bogon announce list?
Read here: http://www.cymru.com/ And you will find: http://puck.nether.net/mailman/listinfo/bogon-announce Btw it is the first hit on google(bogon announce list) Greets, Jeroen
* Jared Mauch:
My recommendation is to write a letter (in German) and fax it over to their fax# with the urls clearly written out (eg: iana vs their url) showing the problem with the address space. it'll likely sufficiently confuse someone that they'll be curious and research it and solve the problem.
Isn't completewhois.com William's project? I doubt he cares about German letters if he doesn't even notice the peer pressure on NANOG.
[After the very short IANAL part, an operational part wrt 2001:678::/29] Robert E. Seastrom wrote:
no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.
If that is the basis that people sue on, then I really wonder all of a sudden when somebody will sue their government, news agencies and all those nice magazines where those paparazzi stalkers are working for.
But to keep this nice and operational:
Just as a side example: 2001:678:1::/48 is a "DNS Anycast Block". ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest doesn't list this yet, even though it was allocated 2 months ago. There was though a 2001:678::/35 block previously (which is still in the above file but not in whois anymore). GRH thus listed this falsely. Should I thus be liable for publishing information that is wrong, as GRH was listing the /48 "Subnet of a big allocation", which it in effect was, as it was, according to the tool, part of the /35.
grh.sixxs.net> show bgp 2001:678:1::/48
BGP routing table entry for 2001:678:1::/48
Paths: (32 available, best #30, table Default-IP-Routing-Table)
And that is out of about 100 peers that GRH has. As such can I ask the community, people who are maintaining routers, to check their filters and start accepting these prefixes? Thank you.
As many people rely on the 'delegated-<RIR>-latest' files for producing their filters, I have contacted RIPE NCC to resolve that issue, most likely that will then automatically punch the appropriate holes into the automated tools which rely on it. GRH though has been updated manually already. When RIPE NCC has fixed it up, I'll follow up to ISP's that have not fixed up their filters yet, so that that number comes quite a bit closer to 100.
Thanks to Simon Leinen for reporting it btw as I hadn't noticed it: am I thus liable for 'spreading false info' ?
Greets, Jeroen (glad to not be in the US :)
On Mon, 11 Dec 2006, Robert E. Seastrom wrote:
no, he's saying that a lawsuit is a useful method of forcing someone who is intentionally or negligently distributing incorrect information that other people who do not know any better then believe and use in their own networks.
i betcha libel laws aren't written in such a way that they are useful here, however, there might be some kind of restraint of trade thing that could be invoked or somesuch. ianal, not my dept.
If you google for it, you'll find lots of obsolete bogon info, typically lacking the suggestion to check IANA's web site or other resources to check the freshness of the data or any warning that the data will change over time as more space gets allocated.
From the first page of google: bogon ACL cisco http://www.tech-recipes.com/modules.php?name=Forums&file=viewtopic&p=6817
Do you threaten to sue them all? The real problems are all the networks that setup static bogon filters some time ago which nobody maintains or in some cases, even knows about. Changing a few web sites won't fix any of those routers. It's a lousy position to be in, but my suggestion is try to make contact with the bigger / more important networks blocking your new space and let the rest of them figure it out on their own. I'm surprised William's site hasn't been updated. He used to be fairly active online. Has anyone heard from him at all recently? ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Scott Morris wrote:
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] Sent: Monday, December 11, 2006 9:55 AM To: Jack Bates Cc: nanog@merit.edu Subject: Re: Bogon Filter - Please check for 77/8 78/8 79/8
On Mon, 11 Dec 2006, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a
lawsuit.
I've spent a fairly substantial amount of time over the last few weeks attempting to get ISPs / hosting centers / little Johnny's server in his mom's basement to debogonise my 77.96.0.0/13 prefix. I can tell you that I've heard no less than four times from networking bods that we're still listed as a bogon on completewhois.com, that they don't think they need to update their filters etc etc.
So while I agree entirely that you shouldn't use these sites for accurate filters, we have to recognise that in an imperfect world there are some people who do choose to use them, no matter how silly we feel it is.. Guess the point I'm making is that chasing down bad bogons is a frustrating enough task without an allegedly accurate listing site posting out of date info.
PS - if anyone has a networking contact at ev1servers.net , please send me a mail because I'm getting hair loss I can ill afford trying to get them to remove their bogon filters.
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
I think the point is that people are trusting this "self appointed" authority and thus others are blocking _his_ legitimate traffic.
If you're going to appoint yourself an "authority" then you have a responsibility to be accurate. If you're too lazy to keep your lists up to date then you need to stop offering said lists. As an admin I can't stop other people from using such an idiotic list. However I can sue the list for libel- after all they are printing the incorrect fact that the traffic I am sending is bogus and thus are harming my reputation and impacting my business. Seems to me like this is _exactly_ what the courts are for. There is no gray area- it's not a question of whether or not this is spam for example. This list is publishing the false statement that the traffic this ISP is trying to send is bogus. If they won't correct their mistake then you absolutely should be able to petition the courts to get them to stop publishing false information about you. -Don
Scott Morris wrote:
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
I would doubt the person using a bogon list would be the initiator of a lawsuit. It would be more plausible that the person using the netspace listed incorrectly as a bogon would have just cause for filing a lawsuit. It's annoying enough to chase after all the people who manually configure bogon networks and forget them in their firewalls. From previous posts, it appears that this is a case of continued propagation of incorrect information after being notified of the inaccuracy, and the information is published as being fact; implying accuracy. Jack Bates
So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
Scott
No, but a lawsuit may be an intelligent method to force someone to correct something that other people are using to avoid the irritation of manually updating things themselves. I agree it would be idiotic if someone using the bogon list were to sue the list operator because they didn't like what was on the list and it was harming them.
If all other methods fail to get the bogon list updated, which is easier:
A) Track down everyone using the bogon list and convince them to switch to manually updating their own list of bogons so that they can reach you.
B) Threaten the bogon list operator with a lawsuit for falsely claiming your addresses are bogons and hope they take the simplest path and fix their list.
This is a pretty classic case of someone inducing other people to rely on the accuracy of their data and then offering incorrect data (not arguably incorrect, manifestly incorrect and most likely negligently so) which those other people then rely on.
It's no different from a credit report with inaccurate information affecting a consumer who did not choose to have his credit tracked by the agency providing the information. We generally recognize third parties have a right to sue to correct negligently demonstrably incorrect information about them when that information harms them.
This is not like lists of spam sources where the list is correctly reporting information the spammer would prefer to suppress. This is a case where the list is wrong, and it's harming other people who stupidly relied on it and people who never chose to rely on it.
If you set up a service and induce people to use it and rely on it, there definitely should be some minimum standard of quality you should be held to. I think failing to update a bogon list to reflect address space that is no longer a bogon within a week or so is negligence under any standard of care.
DS
B) Threaten the bogon list operator with a lawsuit for falsely claiming your addresses are bogons and hope they take the simplest path and fix their list.
This is a pretty classic case of someone inducing other people to rely on the accuracy of their data and then offering incorrect data (not arguably incorrect, manifestly incorrect and most likely negligently so) which those other people then rely on.
It's not just incorrect data. The design of the system used by completewhois is flawed at the core. They only know that certain address ranges are "bogons" at a certain point in time. If their system only reported this fact along with the date for which it is known to be valid, then they would likely win any lawsuits for incorrect data.
The fact is, that you can only know that an address range is a bogon at the point in time which you check it and that it WAS a bogon for some past period. For most bogons, it is not possible to predict the future time period during which it will remain a bogon.
Any protocol which does not allow the address range to be presented along with the LAST TIME IT WAS CHECKED is simply not suitable for presenting a bogon list. BGP simply is not suitable for this. HTTP/REST, XML-RPC or LDAP could be used to make a suitable protocol.
But even better would be to not have any bogons at all. If IANA and the RIRs would step up to the plate and provide an authoritative data source identifying which address ranges have been issued for use on the Internet then bogon lists would not be needed at all. And if people plug their systems into the RIR data feed, then there would be fewer issues when the RIRs start issuing addresses from a new block. IANA would be the authoritative source for stuff like RFC 1918 address ranges and other non-RIR ranges.
One wonders whether it might not be more effective in the long run to sue ICANN/IANA rather than suing completewhois.com.
--Michael Dillon
P.S. As any lawyer will tell you, it is a good idea to make some attempt at solving your issue outside of the courts. Anyone contemplating a lawsuit against ICANN should probably try emailing them and writing a few letters first. Since they are a somewhat democratic structure, it may be possible to get this fixed without lawsuits.
On Wed, 13 Dec 2006 Michael.Dillon@btradianz.com wrote:
It's not just incorrect data. The design of the system used by completewhois is flawed at the core.
No more so than other systems that rely on automation with some human involvement but see below as I generally agree with what you meant.
They only know that certain address ranges are "bogons" at a certain point in time. If their system only reported this fact along with the date for which it is known to be valid, then they would likely win any lawsuits for incorrect data.
Timestamps are included in every generated file. There is general timestamp when full list was put together (usually daily and that's what almost everyone is using) but also there are different timestamps for each individual list which for semi-static list like IANA allocations, IANA bogons, IANA special-use blocks are updated only when this list is manually updated.
The fact is, that you can only know that an address range is a bogon at the point in time which you check it and that it WAS a bogon for some past period. For most bogons, it is not possible to predict the future time period during which it will remain a bogon.
That is why system is doing rebuilding on daily basis.
Any protocol which does not allow the address range to be presented along with the LAST TIME IT WAS CHECKED is simply not suitable for presenting a bogon list. BGP simply is not suitable for this. HTTP/REST, XML-RPC or LDAP could be used to make a suitable protocol.
I know you like LDAP a lot, but it's not a protocol that has found support in the operations community (as opposed to say RSYNC not mentioned above...). But as I've already thought about it before, I'll look into making data about each individual entry available by whois lookups and extended text file with comments (# after each entry) with these comments also seen in TEXT DNS lookups.
But even better would be to not have any bogons at all. If IANA and the RIRs would step up to the plate and provide an authoritative data source identifying which address ranges have been issued for use on the Internet then bogon lists would not be needed at all. And if people plug their systems into the RIR data feed, then there would be fewer issues when the RIRs start issuing addresses from a new block. IANA would be the authoritative source for stuff like RFC 1918 address ranges and other non-RIR ranges.
SIDR will provide authoritative signed data, but it may be quite some time (my guess at least 10 years) before we see majority of BGP advertised blocks with signed certificates available (and as to ALL doing it, I fear to guess...). And I do agree with you about IANA; not only that but at the first (?) IETF SIDR meeting I even mentioned need for IANA to distribute certificates for non-allocated and special-use blocks. Others weren't very optimistic that they'd step up; in fact put it this way - by the time they may get to it, there may no longer be any unassigned IPv4 blocks left.
P.S. I'd be curious if there are people who would like to see daily "activebogons" list as email report including section about changes from yesterday to today, I don't want to just send something like this to some list I've not been invited to do so but can setup separate list for this on new mail server. This would allow others to check on and discuss potentially wrong entries. If you're interested you should send email to me privately.
--- William Leibzon Elan Networks william@elan.net
Michael.Dillon@btradianz.com wrote:
One wonders whether it might not be more effective in the long run to sue ICANN/IANA rather than suing completewhois.com.
Of course, it could be that I used the wrong term. IANAL after all. Perhaps the right term was injunction? Does that qualify as a lawsuit? Unfortunately, people seem to think the legal system is strictly about money. Perhaps it is. However, in the process of people getting money, I've noticed people have solved their initial problem temporarily. besides, it didn't look like it really took all that much to solve the completewhois.com problem. Surely people don't pay their lawyers without first yelling, screaming, and calling everyone and their dog (or posting to NANOG) in the attempt to get what they want first. :) Jack
Hi,
or LDAP could be used ...
I was wondering when this would show up... :-)
If IANA and the RIRs would step up to the plate and provide an authoritative data source identifying which address ranges have been issued for use on the Internet then bogon lists would not be needed at all. ... IANA would be the authoritative source for stuff like RFC 1918 address ranges and other non-RIR ranges.
IANA has a project along these lines at the earliest stage of development (that is, we're trying to figure out if this is a good idea and if so, the best way to implement it). I'd be interested in hearing opinions (either publicly or privately) as to what IANA should do here.
One wonders whether it might not be more effective in the long run to sue ICANN/IANA rather than suing completewhois.com.
Sigh. What is the IOS command to disable lawyers again? Rgds, -drc
On Dec 14, 2006, at 4:50 PM, David Conrad wrote:
IANA has a project along these lines at the earliest stage of development (that is, we're trying to figure out if this is a good idea and if so, the best way to implement it). I'd be interested in hearing opinions (either publicly or privately) as to what IANA should do here.
Are IANA considering operating a BGP routeserver infrastructure? What about LDAP and other mechanisms? ----------------------------------------------------------------------- Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice All battles are perpetual. -- Milton Friedman
On Mon, Dec 11, 2006 at 08:40:41AM -0600, Jack Bates wrote:
Allan Houston wrote:
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
They just need someone using the address space to slap them with a lawsuit.
Jack Bates
lawsuit? where does it say that someone MUST accept routes or listen to a self-appointed authority? --bill
On Mon, 11 Dec 2006, Allan Houston wrote:
Florian Lohoff wrote:
Hi *, in August IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
Please check and possibly update your filters.
Flo (aka flo@telefonica.de)
This probably isn't helped much by sites like completewhois.com still showing these ranges as bogons..
http://www.completewhois.com/bogons/active_bogons.htm
They've ignored all my attempts to get them to update so far.. sigh..
Completewhois email server is down right now and needs to be rebuilt. That's not to say that is a good excuse - I should have updated bogon list 3 months ago when allocation was made, but I missed it among many emails on this list and other lists; it's fixed as of right now, so my apologies to those who received new allocations from 77/8 (apparently RIPE started allocating two weeks ago; a bit sooner after IANA allocation than before, but I guess they are out of available space on other blocks...).
I also added daily emailing of active_bogons list to this and one other of my actively used email accounts which would make it easier to catch similar problems.
-- William Leibzon Elan Networks william@elan.net
On Tue, 12 Dec 2006, Chris L. Morrow wrote:
On Mon, 11 Dec 2006, william(at)elan.net wrote:
Completewhois email server is down right now and needs to be rebuilt.
what no backup MX? now postmaster/abuse/root working emails at that domain? did you put the domain also on 'rfc ignorant'?
Mail store is not working, not mail service for domain and backups do exist. But as far as 'rfc ignorant' while it would probably not qualify, I'd have no problem with the listing as until mail server is fixed [that would be about one more week] no emails would be sent from the domain. I did put catchall on another server for email, but it's just impossible to read with 4000 emails per day and 99.9..% of them being spam (including unfortunately bots doing webform submission).
BTW - I wanted to see how many people actually reported it (as it was mentioned here as being multiple attempts to contact), while I can't be 100% sure just from grep -P it looks like two people reported it on Dec 6th (one of them Allan) and that's about it; those who did report it will receive separate answers once email can be properly sorted.
-- William Leibzon Elan Networks william@elan.net
Florian Lohoff wrote:
Hi *, in August IANA handed 77/8 78/8 79/8 to RIPE which started handing out those ranges 2 months ago.
We (Telefonica Deutschland AS6805) are seeing a lot of reachability problems most likely caused by not updated bogon filters.
For testing purposes 77.181.114.4 aka bogon.mediaways.net is up for icmp/http.
Please check and possibly update your filters.
Flo (aka flo@telefonica.de)
To facilitate "de-bogonising" the RIPE NCC advertises some of the prefixes from the newly allocated ranges from our RIS beacons. We do this for a few months before starting allocating them to LIRs.
http://www.ris.ripe.net/debogon/debogon.html
Andrei Robachevsky RIPE NCC
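Added example, not part of the original thread or any poster's code: a Python audit of a static bogon filter against records in the 'delegated-<RIR>-latest' layout mentioned above, which also reports the age of the list, the "last time it was checked" point raised in the discussion. The filter contents, the sample records and their dates, and the 7-day maximum age are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date, datetime

# Constructed sample in the RIR "delegated-<RIR>-latest" layout:
#   registry|cc|type|start|value|date|status
# value is an address count for ipv4 and a prefix length for ipv6.
# Country codes, dates and the /12 record are made up for this example.
DELEGATED_SAMPLE = """\
2|ripencc|20061211|3|19830101|20061211|+0100
ripencc|*|ipv4|*|2|summary
ripencc|*|ipv6|*|1|summary
ripencc|GB|ipv4|77.96.0.0|524288|20061101|allocated
ripencc|DE|ipv4|77.176.0.0|1048576|20061101|allocated
ripencc|EU|ipv6|2001:678:1::|48|20061001|assigned
"""

# Constructed static filter of the kind the thread describes: configured
# once and never revisited after the 77/8 and 78/8 hand-over to RIPE.
STATIC_BOGONS = ["10.0.0.0/8", "77.0.0.0/8", "78.0.0.0/8",
                 "192.168.0.0/16", "2001:678::/29"]


def parse_delegated(text):
    """Yield (network, date or None) for each allocated/assigned record."""
    for line in text.splitlines():
        f = line.strip().split("|")
        # Skip comments, the version header and the per-type summary lines.
        if line.startswith("#") or len(f) < 7 or f[2] not in ("ipv4", "ipv6"):
            continue
        if f[6] not in ("allocated", "assigned"):
            continue
        try:
            when = datetime.strptime(f[5], "%Y%m%d").date()
        except ValueError:  # empty or placeholder date field
            when = None
        if f[2] == "ipv4":
            # An ipv4 count need not be a power of two, so expand the
            # range into however many CIDR blocks it takes.
            first = ipaddress.IPv4Address(f[3])
            nets = ipaddress.summarize_address_range(first, first + int(f[4]) - 1)
        else:
            nets = [ipaddress.ip_network(f"{f[3]}/{f[4]}")]
        for net in nets:
            yield net, when


def stale_entries(bogons, delegated_text):
    """Map each filter entry that overlaps delegated space to its overlaps."""
    delegated = list(parse_delegated(delegated_text))
    hits = {}
    for entry in bogons:
        bogon = ipaddress.ip_network(entry)
        for net, when in delegated:
            if net.version == bogon.version and net.overlaps(bogon):
                hits.setdefault(entry, []).append((str(net), when))
    return hits


def audit(bogons, last_checked, today, delegated_text, max_age_days=7):
    """Dates are ISO strings; max_age_days is an assumed local policy."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_checked)).days
    return {"age_days": age, "fresh": age <= max_age_days,
            "stale": stale_entries(bogons, delegated_text)}


if __name__ == "__main__":
    report = audit(STATIC_BOGONS, "2006-08-01", "2006-12-11", DELEGATED_SAMPLE)
    print(f"filter last checked {report['age_days']} days ago, "
          f"fresh={report['fresh']}")
    for entry, overlaps in report["stale"].items():
        for net, when in overlaps:
            print(f"remove or split {entry}: {net} delegated on {when}")
```

An entry is flagged on any overlap, so a /8 filter line is reported even when only part of it has been delegated; the fix in that case is to split the entry rather than keep it.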
participants (19)
- Allan Houston
- Andrei Robachevsky
- bmanning@karoshi.com
- Chris L. Morrow
- David Conrad
- David Schwartz
- Donald Stahl
- Florian Lohoff
- Florian Weimer
- Jack Bates
- Jared Mauch
- Jeroen Massar
- Jon Lewis
- Michael.Dillon@btradianz.com
- Robert E. Seastrom
- Roland Dobbins
- Scott Morris
- Stephen Satchell
- william(at)elan.net