10/8 gets announced at least once a day by someone somewhere. Really.

So what else is new? Smart providers explicitly filter RFC-1918 address space. ;-)

- paul

At 07:31 PM 7/10/96 -0500, Kai wrote:
Hmm, is this just me, or...

traceroute to 10.1.1.1 (10.1.1.1), 30 hops max, 40 byte packets
 1 bigmac.netaxis.com (198.69.103.23) 214 ms 155 ms 209 ms
 2 aries.netaxis.com (198.69.103.1) 217 ms 155 ms 149 ms
 3 sl-dc-11-S1/2-T1.sprintlink.net (144.228.121.93) 187 ms 171 ms 159 ms
 4 sl-dc-6-F0/0.sprintlink.net (144.228.20.6) 307 ms 282 ms 289 ms
 5 sl-pen-1-H2/0-T3.sprintlink.net (144.228.10.34) 167 ms 241 ms 179 ms
 6 icm-pen-2-F1/0.icp.net (144.228.60.101) 167 ms 241 ms 169 ms
 7 icm-pen-1-F0/0.icp.net (192.157.69.30) 1007 ms 171 ms 199 ms
 8 icm-dc-2-H0/0-T3.icp.net (198.67.131.17) 177 ms 184 ms 259 ms
 9 icm-dc-1-F0/0.icp.net (198.67.131.36) 176 ms 183 ms 179 ms
10 icm-ecrc-1-S0-1984k.icp.net (198.67.129.18) 287 ms 284 ms 279 ms
11 ECRC-RBS.ECRC.DE (193.23.5.97) 357 ms 267 ms 279 ms
12 Munich-EBS.EBONE.NET (194.112.80.218) 277 ms * 290 ms
13 ECRC-RBS.ECRC.DE (193.23.5.97) 406 ms 377 ms 379 ms
14 Munich-EBS.EBONE.NET (194.112.80.218) 337 ms 366 ms 319 ms
"If we don't have enough IP space, we'll just make more..."
bye, Kai

ps: someone with access to a serious router show us this route, please...
10/8 gets announced at least once a day by someone somewhere. Really.
So what else is new? Smart providers explicitly filter RFC-1918 address space. ;-)
In response to an appearance in May of some 192.168/16 prefixes, Paul Vixie sent this to the NANOG list. I wrote up a gated analogue for Digital's border routers; if anyone wants one, send me mail.
Message-Id: <9605230534.AA26573@wisdom.home.vix.com>
To: nanog@merit.edu
Subject: Re: RFC 1597
Date: Wed, 22 May 1996 22:34:17 -0700
From: Paul A Vixie <paul@vix.com>

*> 192.168.22.0 144.228.71.5 0 1239 1800 1804 1128 1955 3337 ?
*> 192.168.100.0/22 144.228.71.5 0 1239 1794 ?
*> 192.168.216.0 144.228.71.5 0 1239 1800 1755 1273 ?
Shame on you 3337, 1794 and 1273.
Indeed. Since it's not my turn to be at fault for this kind of thing tonight, I guess I'll chime in with a copy of some useful goodies that Andrew Partan bestowed upon me last time CIX was caught advertising something bad:
router bgp xxxx
 neighbor y.y.y.y remote-as zzzz
 neighbor y.y.y.y distribute-list 100 in
 neighbor y.y.y.y distribute-list 101 out

access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 100 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any

access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 101 deny ip 192.0.2.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 101 deny ip 128.0.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 101 deny ip 191.255.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 101 deny ip 192.0.0.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 101 deny ip 223.255.255.0 0.0.0.255 255.255.255.0 0.0.0.255
access-list 101 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255
access-list 101 deny ip any 255.255.255.128 0.0.0.127
access-list 101 permit ip any any
These are currently identical, but they're split into separate access-lists in case the sending restrictions and the receiving restrictions ever have cause to differ.
Note that everybody who's anybody uses peer groups rather than duplicating this for every peer, but I'm the wrong person to try to explain peer groups so the above was intentionally kept at my "grunt, poke, listen" level.
Stephen
-----
Stephen Stuart stuart@pa.dec.com
Network Systems Laboratory
Digital Equipment Corporation
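How the access-list 100 entries above act on routes, as an added Python example (not code from the original messages): in a distribute-list, the first address/wildcard pair is compared with a route's network address and the second with its netmask. The function names, the subset of entries used, and the sample prefixes are assumptions made here; two prefixes come from the quoted BGP table, with a classful /24 assumed where the table shows no length.

```python
import ipaddress

# Entries copied from access-list 100 in the message (subset, same order).
ACL = """\
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 255.0.0.0 0.255.255.255
access-list 100 deny ip 172.16.0.0 0.15.255.255 255.240.0.0 0.15.255.255
access-list 100 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
access-list 100 deny ip any 255.255.255.128 0.0.0.127
access-list 100 permit ip any any
"""

def _operand(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (pattern, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            action, rest = tok[2], tok[4:]  # skip 'access-list N <action> ip'
            rules.append((action, _operand(rest), _operand(rest)))
    return rules

def _match(value, operand):
    pattern, wildcard = operand
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (value & care) == (pattern & care)

def evaluate(rules, prefix):
    """First matching entry wins; the 'source' operand is compared with the
    network address and the 'destination' operand with the netmask."""
    net = ipaddress.IPv4Network(prefix)
    for action, src, dst in rules:
        if _match(int(net.network_address), src) and _match(int(net.netmask), dst):
            return action
    return "deny"  # implicit deny that ends every access list

if __name__ == "__main__":
    # First two prefixes are from the quoted BGP table; the rest are constructed.
    for p in ["192.168.22.0/24", "192.168.100.0/22", "10.0.0.0/8",
              "198.69.103.0/24", "198.69.103.128/25", "0.0.0.0/0"]:
        print(f"{p:20} {evaluate(parse_acl(ACL), p)}")
```

The last deny entry has no address component: it rejects any route with a mask of /25 or longer, which is why the constructed /25 is refused while its covering /24 is accepted.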
participants (2)
- Paul Ferguson
- Stephen Stuart