Atlantic.Net has just joined the 69/8 club of ARIN members with assignments in this IP block that's apparently in numerous outdated bogon filters. As I posted I'd do earlier if given space from this block, I've written some code to check reachability to a large number of remote IPs from 2 source IPs...one in one of our older ARIN blocks, one in the new 69 block.

I'm feeding this code a very large list of known mail server IPs, and having it ping each IP...only it'll ignore /24's once reachability from both the old and new IPs has been established to an IP in that /24.

It's only just getting started on the list, but I've already found dozens of networks that appear to be problems. I've hand confirmed a couple and sent off emails to the ARIN contacts. It looks like there are going to be so many networks to notify, I'll have to write some more code to automate these emails.

What have others in this situation done?

Are you actually assigning 69/8 IP's to unsuspecting customers and hoping they won't notice parts of the internet ignoring them?

According to ARIN's whois server, there are 95 subdelegations for NET-69-0-0-0-0...we're the 95th.

I don't know if ARIN has other "less tainted" IP space to give out, but something ought to be said/asked about this at the next meeting. I realize ARIN can't guarantee global routability of IP space, but should they continue to give out IP blocks they absolutely know are not fully routable on the internet today?

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
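The procedure Jon describes (probe each target from an old-block source and a new-block source, stop probing a /24 once both sources have reached a host in it, and flag /24s where only the old source gets through) can be written as a small survey tool. The block below is an added example and is not Jon's code; it separates the survey logic from the probe so the same logic runs against a real `ping` (Linux iputils syntax with `-I` assumed) or, as here, against a constructed simulation of remote networks. The source addresses, the filtering /24 and the target list are constructed RFC 5737 documentation addresses, not real hosts.

```python
"""Reachability survey from two source addresses with per-/24 short-circuiting.

Added example reconstructing the procedure described in the post above;
not Jon Lewis's own code.
"""
import ipaddress
import subprocess
from typing import Callable, Dict, Iterable, List, Set

# (source_ip, target_ip) -> True if the target answered from that source
Prober = Callable[[str, str], bool]


def ping_probe(src: str, dst: str, timeout_s: int = 2) -> bool:
    """Real probe: one ICMP echo bound to a chosen source address.
    Linux iputils ping syntax is assumed (-I selects the source address)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-I", src, dst]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def survey(targets: Iterable[str], old_src: str, new_src: str,
           probe: Prober) -> Dict[str, object]:
    """Walk the target list and return:
       confirmed - /24s reached from both sources (no further probes sent there)
       suspect   - /24 -> hosts reachable from old_src but not from new_src
       probes    - number of probe pairs actually sent
    """
    confirmed: Set[str] = set()
    suspect: Dict[str, List[str]] = {}
    probes = 0
    for ip in targets:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        if net in confirmed:
            continue  # both paths already proven for this /24; skip it
        probes += 1
        via_old = probe(old_src, ip)
        via_new = probe(new_src, ip)
        if via_old and via_new:
            confirmed.add(net)
        elif via_old and not via_new:
            # Only the new block is ignored: the classic stale-bogon-filter signature.
            suspect.setdefault(net, []).append(ip)
        # Neither answered: host down or both blocks filtered; nothing learned.
    return {"confirmed": sorted(confirmed), "suspect": suspect, "probes": probes}


# --- constructed sample (RFC 5737 documentation addresses, not real hosts) ---
OLD_SRC = "192.0.2.10"   # stand-in for an address in an older, long-allocated block
NEW_SRC = "192.0.2.20"   # stand-in for an address in the newly assigned 69/8 space
FILTERS_NEW = {"203.0.113.0/24"}   # simulated network whose bogon filter drops the new block
DOWN_HOSTS = {"198.51.100.9"}      # simulated host that answers nobody


def simulated_probe(src: str, dst: str) -> bool:
    """Offline stand-in for ping_probe with the behaviour configured above."""
    if dst in DOWN_HOSTS:
        return False
    net = str(ipaddress.ip_network(f"{dst}/24", strict=False))
    return not (src == NEW_SRC and net in FILTERS_NEW)


SAMPLE_TARGETS = [
    "198.51.100.9",   # down: neither source answers, /24 stays unconfirmed
    "198.51.100.25",  # both answer -> /24 confirmed
    "198.51.100.40",  # skipped: its /24 is already confirmed
    "203.0.113.5",    # old answers, new does not -> suspect
    "203.0.113.6",    # still probed (never confirmed) -> second suspect host
]


def run_sample() -> Dict[str, object]:
    return survey(SAMPLE_TARGETS, OLD_SRC, NEW_SRC, simulated_probe)


if __name__ == "__main__":
    result = run_sample()
    for net, hosts in result["suspect"].items():
        print(f"{net}: reachable from old block but not new ({', '.join(hosts)})")
    print(f"{result['probes']} probe pairs sent, "
          f"{len(result['confirmed'])} /24s confirmed reachable from both")
```

Swapping `simulated_probe` for `ping_probe` runs the survey for real; the /24 skip is what keeps the probe count manageable on a large mail-server list, and the suspect list is the input for the notification step.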
My proposal to help with it is: http://www.arin.net/policy/2003_7.html

Language isn't the best of my skills but you get an idea anyway. And if you're coming to Memphis, feel free to say something there on this topic.

On Fri, 7 Mar 2003 jlewis@lewis.org wrote:
Atlantic.Net has just joined the 69/8 club of ARIN members with assignments in this IP block that's apparently in numerous outdated bogon filters. As I posted I'd do earlier if given space from this block, I've written some code to check reachability to a large number of remote IPs from 2 source IPs...one in one of our older ARIN blocks, one in the new 69 block.
I'm feeding this code a very large list of known mail server IPs, and having it ping each IP...only it'll ignore /24's once reachability from both the old and new IPs has been established to an IP in that /24.
It's only just getting started on the list, but I've already found dozens of networks that appear to be problems. I've hand confirmed a couple and sent off emails to the ARIN contacts. It looks like there are going to be so many networks to notify, I'll have to write some more code to automate these emails.
What have others in this situation done?
Are you actually assigning 69/8 IP's to unsuspecting customers and hoping they won't notice parts of the internet ignoring them?
According to ARIN's whois server, there are 95 subdelegations for NET-69-0-0-0-0...we're the 95th.
I don't know if ARIN has other "less tainted" IP space to give out, but something ought to be said/asked about this at the next meeting. I realize ARIN can't guarantee global routability of IP space, but should they continue to give out IP blocks they absolutely know are not fully routable on the internet today?
Atlantic.Net has just joined the 69/8 club of ARIN members with assignments in this IP block that's apparently in numerous outdated bogon filters. As I posted I'd do earlier if given space from this block, I've written some code to check reachability to a large number of remote IPs from 2 source IPs...one in one of our older ARIN blocks, one in the new 69 block.
Welcome. I'm glad to see you on board. Perhaps some of these issues will get resolved for us smaller /18 assignments.
What have others in this situation done?
Are you actually assigning 69/8 IP's to unsuspecting customers and hoping they won't notice parts of the internet ignoring them?
Oh, the customers notice them, and each report is handled as brought to our attention. It's a large net, so we haven't bothered with probing at this junction. I get about 1-3 reports a month from my customers that are due to filters. A few of the lists themselves are out of date, evidenced by networks that were previously working suddenly breaking by applying a new BOGON list. Most cases are smaller networks that are often unaware that they run such filtering. Some don't even know what it is.

I didn't have a choice on giving the space to customers. My old IP addresses were being recalled and I get what ARIN gives me. In another month 60%+ of my network will be within the 69/8 and I'll have to request more space which will most likely be from the same block (the last I checked, my /18 could expand to a /17).

As far as I'm concerned, the quicker the space is assigned and utilized, the more people we'll have spotting and contacting networks that have bad filters.
I don't know if ARIN has other "less tainted" IP space to give out, but something ought to be said/asked about this at the next meeting. I realize ARIN can't guarantee global routability of IP space, but should they continue to give out IP blocks they absolutely know are not fully routable on the internet today?
In defense of ARIN, the ice on a net block has to be broken at some point. They could wait 3 years and notify every list every hour of every day for those 3 years and there would still be many networks filtering those networks. The only way to catch it is to notice the block and make contact with the network. In many cases, personal contact is necessary as emails are often misunderstood or ignored.

Jack Bates
BrightNet Oklahoma
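The failure Jack describes, a previously working network breaking because someone applied a bogon list that is out of date, is one the filtering network can catch on its own side before it bites anyone. The block below is an added example, not something from this thread: it parses a Cisco-style numbered bogon ACL and flags deny entries that overlap space which is now allocated. The ACL text and the allocation list are constructed samples; in practice the allocation list is regenerated from IANA's address-space registry and the RIR delegation files each time the audit runs.

```python
"""Audit a bogon ACL against current allocations.

Added example, not from the thread: flags deny entries that still cover
space which has since been allocated (such as 69/8 in early 2003).
"""
import ipaddress
import re
from typing import List, Tuple

# Matches lines like: access-list 100 deny ip 69.0.0.0 0.255.255.255 any
ACL_RE = re.compile(
    r"^\s*access-list\s+\d+\s+deny\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any\s*$"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Cisco address/wildcard pair into an IPv4Network.
    A wildcard mask is the inverse of a netmask: 0.255.255.255 -> /8."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_deny_entries(acl_text: str) -> List[Tuple[int, ipaddress.IPv4Network]]:
    """Return (line_number, network) for each deny entry; permit lines and
    anything that does not look like a source-network deny are ignored."""
    entries = []
    for lineno, line in enumerate(acl_text.splitlines(), start=1):
        m = ACL_RE.match(line)
        if m:
            entries.append((lineno, wildcard_to_network(m.group(1), m.group(2))))
    return entries


def stale_entries(acl_text: str, allocated: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Deny entries overlapping a prefix in `allocated` are stale: they drop
    traffic from legitimately assigned space. Returns (line, network, hits)."""
    alloc_nets = [ipaddress.ip_network(p) for p in allocated]
    stale = []
    for lineno, net in parse_deny_entries(acl_text):
        hits = [str(a) for a in alloc_nets if net.overlaps(a)]
        if hits:
            stale.append((lineno, str(net), hits))
    return stale


# Constructed sample ACL in the style of a 2003-era ingress bogon filter.
SAMPLE_ACL = """\
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 69.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 permit ip any any
"""

# Constructed sample of allocated unicast prefixes; a real audit feeds in
# the full list from IANA/RIR data, not a hand-picked pair.
SAMPLE_ALLOCATED = ["69.0.0.0/8", "64.0.0.0/8"]


def audit_sample() -> List[Tuple[int, str, List[str]]]:
    return stale_entries(SAMPLE_ACL, SAMPLE_ALLOCATED)


if __name__ == "__main__":
    for lineno, net, hits in audit_sample():
        print(f"line {lineno}: deny {net} is stale, overlaps allocated {', '.join(hits)}")
```

On the sample the audit reports only line 3 (the 69/8 entry); the RFC 1918, loopback and 0/8 entries stay because nothing allocated overlaps them. Running this against the live allocation data before pushing a refreshed bogon list is the check that would have caught the breakage Jack mentions.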
On Fri, 2003-03-07 at 23:15, Jack Bates wrote:
In defense of ARIN, the ice on a net block has to be broken at some point. They could wait 3 years and notify every list every hour of every day for those 3 years and there would still be many networks filtering those networks. The only way to catch it is to notice the block and make contact with the network. In many cases, personal contact is necessary as emails are often misunderstood or ignored.

I repeat my suggestion that a number of DNS root-servers or gtld-servers be renumbered into 69/8 space. If the DNS "breaks" for these neglected networks, I suspect they will quickly get enough clue to fix their ACLs.
Add Eddy's suggestion that the addresses all end in .0 or .255 and you have a fine machine for cleaning up a few old, irritating problems.

--
Jeff S Wheeler <jsw@five-elements.com>
On 10 Mar 2003, Jeff S Wheeler wrote:
On Fri, 2003-03-07 at 23:15, Jack Bates wrote:
In defense of ARIN, the ice on a net block has to be broken at some point. They could wait 3 years and notify every list every hour of every day for those 3 years and there would still be many networks filtering those networks. The only way to catch it is to notice the block and make contact with the network. In many cases, personal contact is necessary as emails are often misunderstood or ignored.
I repeat my suggestion that a number of DNS root-servers or gtld-servers be renumbered into 69/8 space. If the DNS "breaks" for these neglected networks, I suspect they will quickly get enough clue to fix their ACLs.
Add Eddy's suggestion that the addresses all end in .0 or .255 and you have a fine machine for cleaning up a few old, irritating problems.
Nice idea in principle (from a purist point of view) but it's not practical, I hope you're not serious..!

Steve
SJW> Date: Mon, 10 Mar 2003 20:35:51 +0000 (GMT)
SJW> From: Stephen J. Wilcox

SJW> Nice idea in principle (from a purist point of view) but it's

No?

SJW> not practical, I hope you're not serious..!

I am.

Eddy

--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
Stephen J. Wilcox wrote:
I repeat my suggestion that a number of DNS root-servers or gtld-servers be renumbered into 69/8 space. If the DNS "breaks" for these neglected networks, I suspect they will quickly get enough clue to fix their ACLs.
Nice idea in principle (from a purist point of view) but it's not practical, I hope you're not serious..!
How about making *temporary* allocations to content providers who volunteer to move some/all content to net-69? Use an initial page on your regular net to alert users to "contact their ISP and have them fix their bogon filter if the below link doesn't work." If done right, it might speed up the clean-up. The only problem would be finding volunteers with sufficient traffic who are willing to break their site.

I could do this on some of my sites. They're not Ebay, but they do get hit from about 40K unique IP's per day, with a very global distribution. If ARIN is interested, contact me privately.

KL
On 10 Mar 2003, Jeff S Wheeler wrote:
I repeat my suggestion that a number of DNS root-servers or gtld-servers be renumbered into 69/8 space. If the DNS "breaks" for these neglected networks, I suspect they will quickly get enough clue to fix their ACLs.
Moving a number of them won't do anything. Broken networks would just use the ones they can reach. Moving the root-servers isn't a good option anyway since lots of Bind setups are distributed with a . hints file containing A records for the root-servers, and these hints files are updated probably less frequently than bogon filters.

Since the root-servers have been reduced to referring queries to the gtld-servers and nstld servers and perhaps others, these latter servers would be the ones to move that would cause no pain for networks that work, and immediate notification and motivation to fix filters for networks with outdated filters. I don't suppose there's even a slim chance of this happening?
JSW> Date: 10 Mar 2003 15:23:52 -0500
JSW> From: Jeff S Wheeler

JSW> I repeat my suggestion that a number of DNS root-servers or
JSW> gtld-servers be renumbered into 69/8 space. If the DNS
JSW> "breaks" for these neglected networks, I suspect they will
JSW> quickly get enough clue to fix their ACLs.
JSW>
JSW> Add Eddy's suggestion that the addresses all end in .0 or
JSW> .255 and you have a fine machine for cleaning up a few old,
JSW> irritating problems.

I suggest a rotation like so:

Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255

where the middle two octets are predetermined ahead of time.

IIRC, some RFC recommends updating the root zone cache monthly... following this would ensure one had proper root/gTLD addresses.

The above also would break DNS for broken networks for a two month stretch... long enough to flush out bad rules.

Eddy
On Mon, Mar 10, 2003 at 08:49:04PM +0000, E.B. Dreger wrote:
JSW> Date: 10 Mar 2003 15:23:52 -0500
JSW> From: Jeff S Wheeler

JSW> I repeat my suggestion that a number of DNS root-servers or
JSW> gtld-servers be renumbered into 69/8 space. If the DNS
JSW> "breaks" for these neglected networks, I suspect they will
JSW> quickly get enough clue to fix their ACLs.
JSW>
JSW> Add Eddy's suggestion that the addresses all end in .0 or
JSW> .255 and you have a fine machine for cleaning up a few old,
JSW> irritating problems.
I suggest a rotation like so:
Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255
where the middle two octets are predetermined ahead of time.
IIRC, some RFC recommends updating the root zone cache monthly... following this would ensure one had proper root/gTLD addresses.
The above also would break DNS for broken networks for a two month stretch... long enough to flush out bad rules.
You want to move things like gtld servers, yahoo/google (and other 'important' things), including things like oscar.toc.aol.com into these.

This will leave the clueless to buy a clue and stimulate the economy ;-)

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
On Mon, 10 Mar 2003, Jared Mauch wrote:
You want to move things like gtld servers, yahoo/google (and other 'important' things), including things like oscar.toc.aol.com into these.
No, if you really want to stir things up, start an article on slashdot, let the posters whip themselves into a frenzy, then move slashdot into the ghetto space the next day. It's cruel, but it sure would be fun. And you might even convince the slashdot people to do it.

C
This will leave the clueless to buy a clue and stimulate the economy ;-)
- jared
On Mon, 10 Mar 2003, E.B. Dreger wrote:
JSW> Date: 10 Mar 2003 15:23:52 -0500
JSW> From: Jeff S Wheeler

JSW> I repeat my suggestion that a number of DNS root-servers or
JSW> gtld-servers be renumbered into 69/8 space. If the DNS
JSW> "breaks" for these neglected networks, I suspect they will
JSW> quickly get enough clue to fix their ACLs.
JSW>
JSW> Add Eddy's suggestion that the addresses all end in .0 or
JSW> .255 and you have a fine machine for cleaning up a few old,
JSW> irritating problems.
I suggest a rotation like so:
Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255
This wouldn't actually accomplish what you're trying to do. The resolvers that couldn't reach those root and/or TLD servers that are behind the 'broken' networks would simply shift their traffic to the ones that they could reach. The only thing you'd accomplish by this is an increased load on the root/TLD servers that are in their normal locations.

Doug

--
If it's moving, encrypt it. If it's not moving, encrypt it till it moves, then encrypt it some more.
DB> Date: Mon, 10 Mar 2003 13:00:15 -0800 (PST)
DB> From: Doug Barton

DB> This wouldn't actually accomplish what you're trying to do.

No?

DB> The resolvers that couldn't reach those root and/or TLD
DB> servers that are behind the 'broken' networks would simply
DB> shift their traffic to the ones that they could reach. The

And which would those reachable ones be?

DB> only thing you'd accomplish by this is an increased load
DB> on the root/TLD servers that are in their normal locations.

A: 69.0.1.255
B: 69.22.233.255
C: 69.87.152.255
:  :
M: 69.255.254.255

The suggestion is to move ALL root, and as many TLD as possible, servers into the new space. Nobody has said "move one or two", which indeed would be ineffective.

Eddy
On Mon, 10 Mar 2003, E.B. Dreger wrote:
The suggestion is to move ALL root, and as many TLD as possible, servers into the new space. Nobody has said "move one or two", which indeed would be ineffective.
Ah, sorry, I wasn't aware of the full extent of your crack-smoking-ness. :) You'll never get all of the root server operators to agree on this (or much of anything), so that leaves the root out (even if this were a good idea, which it isn't). Since for sufficiently useful definitions of "all," all of the TLD's are commercial entities, you'll never get them to volunteer to break their own domains, and their customers would riot if they did.

Suffice it to say, this idea is never going to happen, although if it takes energy away from the "ldap is the solution to all problems" thread, feel free to keep discussing it.

Doug

--
If it's moving, encrypt it. If it's not moving, encrypt it till it moves, then encrypt it some more.
DB> Date: Mon, 10 Mar 2003 13:58:20 -0800 (PST)
DB> From: Doug Barton

DB> Ah, sorry, I wasn't aware of the full extent of your
DB> crack-smoking-ness. :) You'll never get all of the root
DB> server operators to agree on this (or much of anything), so

I'm sorry, I'm having trouble grepping my mailbox. Can you post a link to the NANOG archives where you mentioned your superior solution and what exactly is wrong with the idea?

*plonk*

Eddy
On Mon, 10 Mar 2003, E.B. Dreger wrote:
The suggestion is to move ALL root, and as many TLD as possible, servers into the new space. Nobody has said "move one or two", which indeed would be ineffective.
So, you can't get people to fix bogons but you can get them all to fix their dns cache files overnight. I don't think so.

And you want to push all the critical servers into a narrow set of IPs, that surely must have some implications for DoS more so than a well spread out set.

I don't think you're being realistic here and thinking through properly..

Steve
Does anyone have any idea of the processing overhead that would be placed on a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT interface that faced the Internet, assuming VIP4-80 engines and 256Mb of memory?

Simon Brilus
Internet and Operations Manager
Bulldog Communications Ltd.
www.bulldogdsl.com
Does anyone have any idea of the processing overhead that would be placed on a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT interface that faced the Internet, assuming VIP4-80 engines and 256Mb of memory?
I assume you mean interface filters? If so I'd have thought that a 7507 would cope with this, but it depends on the rest of the box's load etc.

Regards,
Neil.
CPU typically 22%
Free memory 97Mb

And I would assume access-lists

TTFN
Simon

----- Original Message -----
From: "Neil J. McRae" <neil@DOMINO.ORG>
To: "Simon Brilus" <sbrilus@cableinet.net>
Cc: <nanog@merit.edu>
Sent: Tuesday, March 11, 2003 9:57 AM
Subject: Re: Bogon and anti-spoof filters
Does anyone have any idea of the processing overhead that would be placed on a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT interface that faced the Internet, assuming VIP4-80 engines and 256Mb of memory?
I assume you mean interface filters? If so I'd have thought that a 7507 would cope with this, but it depends on the rest of the box's load etc.
Regards, Neil.
From: "Simon Brilus"
Does anyone have any idea of the processing overhead that would be placed on a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT interface that faced the Internet, assuming VIP4-80 engines and 256Mb of memory?
It's not too bad. If it will support everything else you are doing, as it isn't as versatile, the VIP8 (or was it 6; no coffee yet) is primarily designed to handle complex access lists, or so an SE once told me. It didn't handle the other functionality I needed, so I stayed with the 4.

-Jack
participants (12)
- Charles Sprickman
- Doug Barton
- E.B. Dreger
- Jack Bates
- Jared Mauch
- Jeff S Wheeler
- jlewis@lewis.org
- Kevin Loch
- neil@DOMINO.ORG
- Simon Brilus
- Stephen J. Wilcox
- william@elan.net