Do you really think that people who don't have enough clue to update their filters are going to be able to figure out why they can't reach content in 69/8? Moving all root-servers WOULD fix the problem. Although I doubt anyone is really going to be willing to make the news by causing that much of an outage. What we can REALISTICALLY accomplish is to lean on the people who publish books/web pages/templates/etc. to include big scary warnings about using bogon filters and outline WHY they should be careful. I bet, for example, we could get Rob Thomas to update his templates to include scarier warnings like "don't do this unless you intend to keep current on new allocations; if you don't know what that means, skip this section" (I noticed there is something in the IOS template that says be "VERY" careful). The warnings should be explicit, and scream "don't do this unless you understand it". Personally I have always thought overzealous bogon filtering can be dangerous in the wrong hands and thus avoided it. I don't even trust myself to keep current, let alone someone who may pick up a generic firewall book off the shelf and then think they are an expert.

-----Original Message-----
From: Kevin Loch [mailto:kloch@gurunet.net]
Sent: Monday, March 10, 2003 4:22 PM
To: nanog@merit.edu
Subject: Re: 69/8...this sucks

Stephen J. Wilcox wrote:
> > I repeat my suggestion that a number of DNS root-servers or
> > gtld-servers be renumbered into 69/8 space. If the DNS "breaks" for these
> > neglected networks, I suspect they will quickly get enough clue to fix
> > their ACLs.
>
> Nice idea in principle (from a purist point of view) but it's not
> practical, I hope you're not serious..!
How about making *temporary* allocations to content providers who volunteer to move some/all content to net-69? Use an initial page on your regular net to alert users to "contact their ISP and have them fix their bogon filter if the below link doesn't work." If done right, it might speed up the clean-up. The only problem would be finding volunteers with sufficient traffic who are willing to break their site.

I could do this on some of my sites. They're not Ebay, but they do get hit from about 40K unique IPs per day, with a very global distribution. If ARIN is interested, contact me privately.

KL
FS> Date: Mon, 10 Mar 2003 17:41:56 -0500
FS> From: Frank Scalzo
FS> What we can REALISTICALLY accomplish is to lean on the people
FS> who publish books/web pages/templates/etc. to include big
FS> scary warnings about using bogon filters and outline WHY they

And all the existing books, webpages, and "set-and-forget" configs...

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Hi, NANOGers.

] I bet for example we could get Rob Thomas to update his templates to
] include scarier warnings...

For the right amount of coffee, I just might. ;) Seriously, I'm all for it. Here is what I have on the Bogon List page:

NOTE WELL! IANA allocations change over time, so please check back regularly to ensure you have the latest filters. I do announce updates to my templates in the FIRST community, as well as on lists such as NANOG, isp-routing, isp-security, isp-bgp, and cisco-nsp. I cannot stress this point strongly enough - these allocations change, as often as every four months. If you do not adjust your filters, you will be unable to access perhaps large portions of the Internet. You have been warned!

I don't know how much it helps, but it's there. I don't mind including it in all of the templates, monitoring, and bogon data feeds.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
ASSERT(coffee != empty);
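The warning quoted above is that allocations change as often as every four months and a filter that is not revisited will silently start dropping legitimate traffic. The following is an added example, not from this thread and not part of Rob Thomas's templates or bogon feeds: a Python check that compares a bogon filter against a snapshot of currently allocated space, reports every entry that now overlaps allocated space, and produces a refreshed filter with that space carved out. The filter contents and the allocation snapshot are constructed sample data; 70.0.0.0/7 and 70.64.0.0/16 are hypothetical values chosen only to show the partial-overlap case.

```python
"""Stale-bogon check: find filter entries that now block allocated address space.

Added example, not part of the NANOG thread and not Rob Thomas's templates.
Both lists below are constructed sample data; in practice the "allocated"
snapshot would be refreshed from the registry data the filter was built from
every time the filter is reviewed.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: a bogon ACL copied from an old template. 69.0.0.0/8 is
# the block the thread is about; 70.0.0.0/7 is a hypothetical aggregated entry.
SAMPLE_BOGON_FILTER = [
    "0.0.0.0/8        # 'this' network",
    "10.0.0.0/8       # RFC 1918",
    "69.0.0.0/8       # unallocated when the template was written",
    "70.0.0.0/7       # hypothetical aggregated bogon entry",
    "127.0.0.0/8      # loopback",
    "192.168.0.0/16   # RFC 1918",
    "224.0.0.0/3      # multicast and reserved",
]

# Constructed sample: space the registry now shows as allocated.
SAMPLE_ALLOCATED = [
    "69.0.0.0/8",
    "70.64.0.0/16     # hypothetical allocation inside the aggregated entry",
]


def parse_prefixes(lines: Iterable[str]) -> List[Network]:
    """Parse 'prefix  # comment' lines; blank and comment-only lines are skipped."""
    nets: List[Network] = []
    for line in lines:
        text = line.split("#", 1)[0].strip()
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def stale_entries(bogon_filter: Iterable[str],
                  allocated: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (filter_entry, allocated_block) pairs where the filter would
    drop traffic to or from space that is now allocated."""
    blocks = parse_prefixes(allocated)
    hits: List[Tuple[str, str]] = []
    for entry in parse_prefixes(bogon_filter):
        for block in blocks:
            if entry.version == block.version and entry.overlaps(block):
                hits.append((str(entry), str(block)))
    return hits


def refresh_filter(bogon_filter: Iterable[str],
                   allocated: Iterable[str]) -> List[str]:
    """Return the filter with every allocated block carved out.

    An entry fully covered by an allocation is dropped; an entry that merely
    contains an allocation is split into the surrounding prefixes so the rest
    of the bogon space stays filtered."""
    blocks = parse_prefixes(allocated)
    kept: List[Network] = []
    for entry in parse_prefixes(bogon_filter):
        pieces: List[Network] = [entry]
        for block in blocks:
            remaining: List[Network] = []
            for piece in pieces:
                if piece.version != block.version or not piece.overlaps(block):
                    remaining.append(piece)            # untouched by this allocation
                elif piece.subnet_of(block):
                    continue                           # entirely allocated now: drop
                else:
                    remaining.extend(piece.address_exclude(block))  # carve it out
            pieces = remaining
        kept.extend(pieces)
    kept.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in kept]


if __name__ == "__main__":
    for entry, block in stale_entries(SAMPLE_BOGON_FILTER, SAMPLE_ALLOCATED):
        print(f"STALE: {entry} overlaps allocated {block}")
    print("refreshed filter:")
    for prefix in refresh_filter(SAMPLE_BOGON_FILTER, SAMPLE_ALLOCATED):
        print(" ", prefix)
```

Run against the sample data, the check reports 69.0.0.0/8 (fully allocated, so dropped) and 70.0.0.0/7 (which only contains the hypothetical 70.64.0.0/16 allocation and is split into the nine prefixes around it). The point of the split is that a stale aggregate is not an excuse to stop filtering the bogon space that remains unallocated; the point of the report is that a filter with no such review step is exactly the "set-and-forget" config the thread complains about.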
FS> Date: Mon, 10 Mar 2003 17:41:56 -0500
FS> From: Frank Scalzo
FS> Moving all root-servers WOULD fix the problem. Although I
FS> doubt anyone is really going to be willing to make the news
FS> by causing that much of an outage.

I'm eager to see stats indicating how large the problem is. If the problem is this severe, it seems all the more wrong to let innocent third parties suffer due to what IP space was bestowed upon them.

If the roots and gTLDs are truly unwilling to help, and a handful of entities can't cooperate, I have serious concerns why they have been handed responsibility for such a critical piece of infrastructure. I'd expect "it's too hard to be a good netizen" whining on other lists... but NANOG? Roots and TLDs?

Perhaps this is an omen of the Internet yet to come. Oh joy.

Eddy
Thus spake "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
> If the roots and gTLDs are truly unwilling to help, and a handful of entities can't cooperate, I have serious concerns why they have been handed responsibility for such a critical piece of infrastructure. I'd expect "it's too hard to be a good netizen" whining on other lists... but NANOG? Roots and TLDs?
>
> Perhaps this is an omen of the Internet yet to come. Oh joy.
Come on, you're asking the root and/or TLD operators to renumber their servers -- not a trivial task -- every few months to intentionally disable their own service for what amounts to an academic experience. These folks are in the business of running a critical system that requires 100% uptime for hundreds of millions of users, and they do a damned good job. Let them do it in peace, and find some other "must have" service (like porn) to put in 69/8.

S

Stephen Sprunk    "God does not play dice." --Albert Einstein
CCIE #3723        "God is an inveterate gambler, and He throws the
K5SSS             dice at every possible opportunity." --Stephen Hawking
On Tue, 11 Mar 2003, Stephen Sprunk wrote:
> Come on, you're asking the root and/or TLD operators to renumber their servers -- not a trivial task -- every few months to intentionally disable their own service for what amounts to an academic experience.
Not for academic experience, but to encourage people to fix their broken filters. And while renumbering a large network might be non-trivial, changing the IP or adding an IP alias on 13 individual servers should be a trivial operation.
> These folks are in the business of running a critical system that requires 100% uptime for hundreds of millions of users, and they do a damned good job. Let them do it in peace, and find some other "must have" service (like porn) to put in 69/8.
100% uptime for the service, not for each individual server. So now the 69/8 holders, in addition to driving a campaign to get others to fix their networks, should offer free hosting to porn sites? How about free hosting for spamvertized sites?...oh wait, that might make the problem worse :)

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
This discussion falls into a pattern we've seen before:

1) Operators doing the right thing experience a problem created by operators doing the wrong thing.
2) It is not possible to isolate the pain to only the operators doing the wrong thing.
3) The only way to solve the problem is to raise the level of pain across the board so as to force those ultimately causing the pain to self-marginalize.
4) No one is willing to accept any pain they don't absolutely _have_ to, even if it would save them pain in the future.
5) Therefore the islands of pain remain indefinitely, but as long as I'm not affected, I don't care.

The above can be applied to:

1) filtering of 69/8
2) excessive deaggregation of routes
3) RPF
4) Use of RFC1918 in ways which violate RFC1918 (packets crossing enterprise boundaries)
5) Actually using .0 and .255 for networks with masks which allow this.
6) IPv6
7) Multicast
8) etc

To bring it back around to the issue of 69/8: yes, the only way to solve the problem is to bring a set of "important" things into that network. No one who controls any "important" thing would actually do such a thing. So those folks in 69/8 will likely go out of business, or find ways around their problem which will likely involve other "bad operator" activity, continuing to advance our problems indefinitely and in new and interesting ways.
participants (6)
- bdragon@gweep.net
- E.B. Dreger
- Frank Scalzo
- jlewis@lewis.org
- Rob Thomas
- Stephen Sprunk