Nanog:

Below is a draft of a letter that we will be sending to clients who experience 69.0.0.0/8 connectivity problems. I am making it available to help those ISPs that are confronted by clients with connectivity issues due to assigning them 69.0.0.0/8 addresses. It can be adapted to suit an ISP's specific needs.

I welcome comments and advice. (I know I'm gonna hate myself for saying that around here ;^)

Matt

__________________________ http://www.invision.net/ _______________________
Matthew E. Martini, PE          InVision.com, Inc.    (631) 543-1000 x104
Chief Technology Officer        matt@invision.net     (631) 864-8896 Fax

_______________________________________________________________________

                 NOTICE REGARDING NETWORK REACHABILITY
_______________________________________________________________________

Dear Customer:

This document discusses problems connecting to/from your site over the Internet due to outdated filtering by your ISP or IT Department. It will give a high level explanation of the problem and offer a solution. It will then discuss the issue in detail at a technical level sufficient for network administrators to fix the problem.

<ISP_NAME>'s Customer Service will work with you to help your ISP/IT Department resolve these issues. You can contact us at tech-support@<ISP.COM> or (555) 555-5555 x555.

<YOUR_NAME>
<YOUR_TITLE>
<ISP_NAME>

Problem Description
___________________

Certain computers cannot reach and/or be reached by other computers on the Internet. Symptoms of this would be the inability to go to certain web sites, or the inability to send/receive email from certain sites. The cause of this is outdated IP filters on routers and/or firewalls. These filters are put into place by network administrators to prevent malicious use of unallocated IP addresses.
However, the list of allocated addresses changes over time, and so the filters must be updated to avoid blocking legitimate, albeit newly valid, IP addresses. Every few months a new block of IP addresses is released by the IP registries to ISPs and then in turn to end users.

The IP block 69.0.0.0/8 was allocated to ARIN as a usable block in August 2002. Before this time these addresses were unallocated and invalid for use on the Internet. Network administrators before this time may have filtered this block of IPs, along with all of the other unallocated blocks, in their routers and firewalls. If these filters have not been updated since August 2002, they improperly filter traffic to and from these addresses and thus cause the connectivity problems you are experiencing.

Recommended Solution
____________________

The solution is rather a simple one. All that has to be done is to update these router and firewall filters to allow the 69.0.0.0/8 block of addresses. This is usually a matter of a fairly simple configuration change that can be accomplished by your Network Administrators, IT Department, or ISP.

Finding the correct person to implement these changes can be somewhat more challenging than the problem itself. <ISP> Customer Service can help you track down the place where the filtering is taking place. It may be taking place at your ISP's boundary, or at a corporate firewall. Once the place is identified you can then have the responsible party make the changes. Once again <ISP> will be there to explain the technical details of this issue. Please let us know if we can assist in any way to help you fix this problem.

Action Items for Network Administrators and ISPs
_______________________________________________

Please update your BGP ingress filters and firewall rules to allow 69.0.0.0/8 routes and traffic, as these addresses became valid IPs allocated by ARIN in August 2002. Please contact tech-support@<ISP.COM> for assistance.
Detailed Explanation
____________________

The Internet Assigned Numbers Authority (IANA) allocates Internet Protocol version 4 (IPv4) address space to Registries including ARIN, RIPE, and APNIC. These registries in turn allocate address space to ISPs, who in turn allocate addresses for end users. This is documented in RFC 1466. See: http://www.iana.org/assignments/ipv4-address-space

All of the addresses that are not allocated by the above process should never appear in the Internet routing table. These unallocated addresses are dubbed "Bogons". A packet routed over the public Internet should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks. As such, a network administrator may filter these IP addresses from their routing tables and block them from entering their network via firewall rules. This behavior is actually encouraged because it helps to limit Denial of Service attacks.

However, these filters must be kept up to date to avoid filtering newly released and valid IPs. The IANA allocations change fairly often, sometimes in as little as every four months. Administrators who elect to engage in strict filtering must be prepared to follow the IANA allocation changes and update their filters regularly. Mailing lists such as NANOG, isp-bgp, and isp-routing, as well as http://www.cymru.com/Bogons, are good places to look for announcements of changes. http://www.cymru.com/Bogons is also an excellent reference which explains bogon filters, shows how to find the latest lists, and educates network administrators on how to subscribe to appropriate announcement lists to become aware of updates/changes in what IPs can be safely filtered.
Here is a brief look at the more recent changes:

Address Block   Date     Registry - Purpose          Notes or Reference
-------------   ------   -------------------------   ------------------
063/8           Apr 97   ARIN (whois.arin.net)
064/8           Jul 99   ARIN (whois.arin.net)
065/8           Jul 00   ARIN (whois.arin.net)
066/8           Jul 00   ARIN (whois.arin.net)
067/8           May 01   ARIN (whois.arin.net)
068/8           Jun 01   ARIN (whois.arin.net)
069/8           Aug 02   ARIN (whois.arin.net)
080/8           Apr 01   RIPE NCC (whois.ripe.net)
081/8           Apr 01   RIPE NCC (whois.ripe.net)
082/8           Nov 02   RIPE NCC (whois.ripe.net)
220/8           Dec 01   APNIC (whois.apnic.net)
221/8           Jul 02   APNIC (whois.apnic.net)
222/8           Feb 03   APNIC (whois.apnic.net)
223/8           Feb 03   APNIC (whois.apnic.net)

Those administrators who feel that maintaining their filters regularly is too difficult, or those organizations who don't have an IT department, can set up filtering for just DSUA addresses. These are routes that should NOT be routed on the Internet. They include RFC 1918, "Martian" networks, 127.0.0.0/8, and multicast blocks. These are fully detailed in Bill Manning's document: ftp://ftp.ietf.org/internet-drafts/draft-manning-dsua-08.txt

Along with filtering your own IPs at ingress and allowing only your assigned IPs at egress, this filtering set is the minimum that all ISPs and corporations should use. It has the benefit that it is fairly static and requires much less maintenance.

Again, please contact tech-support@<ISP.COM> for assistance in updating your filters.
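The following is an added example, not part of Matt's post or the letter, showing how an administrator can audit a static bogon deny list against the IANA allocation table quoted above. The allocation dates are taken from that table (month only, so the first of the month is assumed), and the deny list is a constructed example of a filter written in early 2002 and never refreshed.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# IANA /8 allocations as listed in the letter's table (day of month assumed).
ALLOCATIONS = {
    "63.0.0.0/8": ("ARIN", date(1997, 4, 1)),
    "64.0.0.0/8": ("ARIN", date(1999, 7, 1)),
    "65.0.0.0/8": ("ARIN", date(2000, 7, 1)),
    "66.0.0.0/8": ("ARIN", date(2000, 7, 1)),
    "67.0.0.0/8": ("ARIN", date(2001, 5, 1)),
    "68.0.0.0/8": ("ARIN", date(2001, 6, 1)),
    "69.0.0.0/8": ("ARIN", date(2002, 8, 1)),
    "80.0.0.0/8": ("RIPE NCC", date(2001, 4, 1)),
    "81.0.0.0/8": ("RIPE NCC", date(2001, 4, 1)),
    "82.0.0.0/8": ("RIPE NCC", date(2002, 11, 1)),
    "220.0.0.0/8": ("APNIC", date(2001, 12, 1)),
    "221.0.0.0/8": ("APNIC", date(2002, 7, 1)),
    "222.0.0.0/8": ("APNIC", date(2003, 2, 1)),
    "223.0.0.0/8": ("APNIC", date(2003, 2, 1)),
}

# Constructed example: a bogon deny list built in early 2002 and never updated.
# 69/8, 82/8 and 221-223/8 were still unallocated when it was written.
STALE_FILTER = ["10.0.0.0/8", "69.0.0.0/8", "82.0.0.0/8",
                "221.0.0.0/8", "222.0.0.0/7"]


def stale_entries(deny_list, allocations=ALLOCATIONS):
    """Return (denied_prefix, allocated_block, registry, date) for every
    deny-list entry that overlaps a block IANA has since handed to a registry.
    Each such entry is blocking legitimate traffic and should be removed."""
    hits = []
    for entry in deny_list:
        denied = ip_network(entry)
        for block, (registry, when) in allocations.items():
            if denied.overlaps(ip_network(block)):
                hits.append((entry, block, registry, when))
    return hits


def is_blocked(deny_list, address):
    """True if traffic to/from `address` would be dropped by this deny list."""
    ip = ip_address(address)
    return any(ip in ip_network(entry) for entry in deny_list)


if __name__ == "__main__":
    for entry, block, registry, when in stale_entries(STALE_FILTER):
        print(f"{entry} overlaps {block}, allocated to {registry} "
              f"{when:%b %Y}: remove this filter entry")
    print("69.1.2.3 blocked:", is_blocked(STALE_FILTER, "69.1.2.3"))
```

Running it against the stale list reports the 69/8 entry along with the later RIPE and APNIC allocations, while private-address entries such as 10/8 are correctly left alone.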