69.0.0.0/8 - Please update your filters
-----Original Message-----
From: Chan, KaLun
Sent: Thursday, February 20, 2003 4:18 PM
To: Chan, KaLun; DL NOC Managers; DL NOC-IP Services
Cc: Eisenhart, William; Minter, Daniel; DL Neteng-core-ip
Subject: RE: [ARIN-20030123.943] 69.3.0.0/Covad - who had this block before?

All,

It has recently come to our attention that many Internet routers are still filtering out IP addresses in the 69.0.0.0/8 range. If YOU are still filtering this block in your router, please modify your filters accordingly.

Thank You

IANA IPv4 Allocation List - <http://www.iana.org/assignments/ipv4-address-space>
Bogon List - <http://www.cymru.com/Documents/bogon-list.html>
Secure IOS Template - <http://www.cymru.com/Documents/secure-ios-template.html>
Secure BGP Template - <http://www.cymru.com/Documents/secure-bgp-template.html>
Secure BIND Template - <http://www.cymru.com/Documents/secure-bind-template.html>

Sincerely,
Ka Lun Chan (KC)
Security Operation Center
COVAD Communication
SOC#: 866-722-2602
Dir #: 408-434-4919
Fax #: 408-434-2191
Easy to do Business with
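One way to act on the request above is to audit a router's deny entries against the current allocation list. This is an added example, not part of the original message; the ACL lines and the short list of allocated blocks are constructed samples, and `stale_deny_entries` and `wildcard_to_network` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample of allocated blocks; in practice load the current
# IANA IPv4 allocation list linked in the message above.
ALLOCATED = [ipaddress.ip_network(n) for n in ("64.0.0.0/8", "68.0.0.0/8", "69.0.0.0/8")]

# Constructed IOS-style ACL of the kind a dated bogon filter would contain.
SAMPLE_ACL = """\
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 69.0.0.0 0.255.255.255 any
access-list 110 deny ip 68.128.0.0 0.127.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip any any
"""

DENY_RE = re.compile(
    r"^\s*access-list\s+\d+\s+deny\s+ip\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+any\b"
)

def wildcard_to_network(addr, wildcard):
    """Turn an address and Cisco wildcard mask into a network.

    Returns None for non-contiguous wildcards, which do not map to one prefix.
    """
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        return None
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def stale_deny_entries(acl_text, allocated=ALLOCATED):
    """Return (line number, denied prefix, allocated block) for each deny
    entry that overlaps address space now allocated for use."""
    findings = []
    for lineno, line in enumerate(acl_text.splitlines(), start=1):
        m = DENY_RE.match(line)
        if not m:
            continue
        net = wildcard_to_network(*m.groups())
        if net is None:
            continue
        for block in allocated:
            if net.overlaps(block):
                findings.append((lineno, str(net), str(block)))
    return findings

if __name__ == "__main__":
    for lineno, net, block in stale_deny_entries(SAMPLE_ACL):
        print(f"line {lineno}: deny {net} blocks allocated space {block}")
```

Entries for private space such as 10.0.0.0/8 are left alone; only deny lines that overlap a block in the allocation list are reported.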
HV> Date: Tue, 25 Feb 2003 14:09:26 -0800
HV> From: "Hsu, Vicky"

HV> It has recently come to our attention that many Internet
HV> routers are still filtering out IP addresses in the
HV> 69.0.0.0/8 range. If YOU are still filtering this block in

Even after the NANOG thread months back? Yuck.

I _still_ like the idea of putting DNS roots in new IP blocks during sunrise and having the final octet be .0 and/or .255. It would be nice to catch dated bogon filters, lame attempts at smurf stopping, _and_ stale root.cache in one blow.

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Thus spake "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
I _still_ like the idea of putting DNS roots in new IP blocks during sunrise and having the final octet be .0 and/or .255. It would be nice to catch dated bogon filters, lame attempts at smurf stopping, _and_ stale root.cache in one blow.
From an academic standpoint, that would be a very interesting experiment. However, most of us are paid to keep our networks or services running, not to intentionally break them.

S

Stephen Sprunk
CCIE #3723
K5SSS

"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
On Tue, 25 Feb 2003, Stephen Sprunk wrote:
Thus spake "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
I _still_ like the idea of putting DNS roots in new IP blocks during sunrise and having the final octet be .0 and/or .255. It would be nice to catch dated bogon filters, lame attempts at smurf stopping, _and_ stale root.cache in one blow.
From an academic standpoint, that would be a very interesting experiment. However, most of us are paid to keep our networks or services running, not to intentionally break them.
The trouble is, some people are neglecting their jobs and making things rough for others (the people getting new allocations).

Somebody with one of these new cursed allocations ought to set up a system with two IPs (one from the new block, one from an older established block) and do reachability tests to various parts of the net, and then automate sending a notice of bogus filters to those ASNs reachable from the old IP, but not from the new one.

If I end up with some of this space, I'll be doing this.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
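The two-address test proposed in the message above, as an added example that is not part of the original thread. The function names, the `min_targets` threshold and the sample results (documentation ASNs and addresses) are assumptions made for illustration.

```python
import socket
from collections import defaultdict

# Constructed results: (asn, target, reachable from old source, from new source).
# ASNs and addresses come from the ranges reserved for documentation.
SAMPLE_RESULTS = [
    (64496, "192.0.2.10", True, True),
    (64496, "192.0.2.20", True, True),
    (64497, "198.51.100.10", True, False),
    (64497, "198.51.100.20", True, False),
    (64498, "203.0.113.10", False, False),  # down from both: no conclusion
    (64498, "203.0.113.20", True, False),   # single data point: below threshold
]

def tcp_reachable(dst, port, src, timeout=3.0):
    """Attempt a TCP connect to dst:port from the local source address src."""
    try:
        with socket.create_connection((dst, port), timeout=timeout, source_address=(src, 0)):
            return True
    except ConnectionRefusedError:
        return True  # a reset came back, so packets flow in both directions
    except OSError:
        return False

def probe(targets, old_src, new_src, port=80, check=tcp_reachable):
    """targets: iterable of (asn, dst). Returns (asn, dst, old_ok, new_ok) rows."""
    return [(asn, dst, check(dst, port, old_src), check(dst, port, new_src))
            for asn, dst in targets]

def suspected_filters(results, min_targets=2):
    """ASNs whose targets all answer the old source and never the new one.

    Targets that are down from the old source are ignored, and at least
    min_targets agreeing targets are required before an ASN is listed.
    """
    by_asn = defaultdict(list)
    for asn, dst, old_ok, new_ok in results:
        by_asn[asn].append((dst, old_ok, new_ok))
    suspects = {}
    for asn, rows in by_asn.items():
        usable = [r for r in rows if r[1]]
        blocked = [dst for dst, _, new_ok in usable if not new_ok]
        if len(usable) >= min_targets and len(blocked) == len(usable):
            suspects[asn] = sorted(blocked)
    return suspects

if __name__ == "__main__":
    print(suspected_filters(SAMPLE_RESULTS))
```

A listed ASN is a candidate for a notice, not proof: the stale filter may sit on a transit network along the path rather than in the destination ASN itself.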
Somebody with one of these new cursed allocations ought to set up a system with two IPs (one from the new block, one from an older established block) and do reachability tests to various parts of the net, and then automate sending a notice of bogus filters to those ASNs reachable from the old IP, but not from the new one.
And how quickly would those ASN's respond to or even comprehend the bogon-filter update notices? If those ASN's are competent and quick-responsive ones, we should not even be having these problems to begin with.

-hc
If I end up with some of this space, I'll be doing this.
On Tue, 25 Feb 2003, Haesu wrote:
And how quickly would those ASN's respond to or even comprehend the bogon-filter update notices? If those ASN's are competent and quick-responsive ones, we should not even be having these problems to begin with.
If the alternative is getting space, giving it to customers, and explaining why they can't reach X, Y, and Z on their connection to us, but they can on other internet connections, we're going to at least have to try.

I like the idea of moving the gtld servers into such space. That way, the networks that are at fault will break, and they'll be well motivated to fix their filters.

----------------------------------------------------------------------
Jon Lewis *jlewis@lewis.org* | I route
System Administrator | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
If the alternative is getting space, giving it to customers, and explaining why they can't reach X, Y, and Z on their connection to us, but they can on other internet connections, we're going to at least have to try.
True, but we'd have to try something that would be effective... Imagine how many of those incompetent ASN's still have _outdated_ technical contact email and phone numbers..
I like the idea of moving the gtld servers into such space. That way, the networks that are at fault will break, and they'll be well motivated to fix their filters.
I think this is the way to go. It will break the ASN's who do not properly have updated filters. The only thing to be careful is a type of consequence where some of _your_ customers may attempt to get to one of the broken ASN's. DNS issue at the broken ASN's may cause few minor-to-medium oddities that may cause more phone calls on your end.

-hc
SS> Date: Tue, 25 Feb 2003 19:46:53 -0600
SS> From: Stephen Sprunk

(Props to whoever thought up what you put in the "To" field)

SS> From an academic standpoint, that would be a very interesting
SS> experiment. However, most of us are paid to keep our
SS> networks or services running, not to intentionally break
SS> them.

I see. So you advocate innocent 69/8 users suffering because you don't want to cause pain for the lazy and inept? I'd rather see the latter paying for their sins, not innocent third parties.

Note that my suggestions (credit to Jeff Wheeler for suggesting roots in new IP allocations) would break NOTHING on a properly-maintained network.

Let's put it this way: 69/8 evidently is still being filtered by some, despite pleading and time. Things _will_ break. This won't be the last time we encounter new allocations, either. _Someone_ will feel pain. Who do you feel should bear the brunt? How do you propose to make it happen?

Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
From: "E.B. Dreger"
Even after the NANOG thread months back? Yuck.
Yes. This last weekend, the state network added a Bogon list to their routers. Too bad the list they chose still had 69/8 in it. Not that I mind. The complaint came from a customer who's multi-homed between us. I like it when the competition makes foolish mistakes.

Outside of that instance, I get about 1 report every week or two of some small business out there whose firewall was set up for them years ago, and they had no clue what it was doing. I can forgive these guys, and it's usually not too big of a problem. Then again, I'm glad I didn't get the first blocks.
I _still_ like the idea of putting DNS roots in new IP blocks during sunrise and having the final octet be .0 and/or .255. It would be nice to catch dated bogon filters, lame attempts at smurf stopping, _and_ stale root.cache in one blow.
I would agree with this, except that it would kill most of the people I've contacted. Most of the people who are still filtering aren't even aware of it. If we broke them, they'd have hell trying to fix it. I get a lot of "uhhhhh. bogon? huh?". Large networks don't have an excuse, but I pity the small mom and pop shop that hardly even understand what a firewall is.

-Jack
BrightNet Oklahoma
participants (6)

- E.B. Dreger
- Haesu
- Hsu, Vicky
- Jack Bates
- jlewis@lewis.org
- Stephen Sprunk