At this time I am receiving a ton of bogus routes originating from AS701. This AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more specific route prevails in the cidr world they have managed to wipe out my network 128.9.0.0 not to mention a hundred other 128.x networks.

This is not good.

The third hand story I got from their hotline was that a core route crashed causing other core routers to crash. This doesn't explain anything to me. Are they using Ascend Giga routers in their core?

Walt Prue
At this time I am receiving a ton of bogus routes originating from AS701. This AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more specific route prevails in the cidr world they have managed to wipe out my network 128.9.0.0 not to mention a hundred other 128.x networks.
Isn't this the kind of problems that the Doran filters are supposed to prevent?

I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.

Comments?

********************************************************
Michael Dillon voice: +1-650-482-2840
Senior Systems Architect fax: +1-650-482-2844
PRIORI NETWORKS, INC. http://www.priori.net
"The People You Know. The People You Trust."
********************************************************
On Wed, 8 Oct 1997, Michael Dillon wrote:
At this time I am receiving a ton of bogus routes originating from AS701. This AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more specific route prevails in the cidr world they have managed to wipe out my network 128.9.0.0 not to mention a hundred other 128.x networks.
Isn't this the kind of problems that the Doran filters are supposed to prevent?
I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
And networks that 1) do prefix filtering of peers, or 2) have the satanic phylters in place didn't even notice yesterday's snafu.

-dorian
On Wed, 8 Oct 1997, Michael Dillon wrote:
And networks that 1) do prefix filtering of peers, or 2) have the satanic phylters in place didn't even notice yesterday's snafu.
-dorian
Unless you were in the select list of prefixes that UUnet "borrowed" and were trying to talk to UUnet downstreams.

--bill
On Wed, Oct 08, 1997 at 09:11:27AM -0700, Michael Dillon wrote:
Isn't this the kind of problems that the Doran filters are supposed to prevent?
Yes.
I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
I for one am going to implement such filters ASAP, and I hope others will do the same...

It might be a good idea for providers to put up web pages on their policy for accepting external announcements, for reference purposes.

Alec
--
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp@hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
On Wed, Oct 08, 1997 at 02:05:05PM -0400, Alec H. Peterson wrote:
I for one am going to implement such filters ASAP, and I hope others will do the same...
I installed the ACL Sean posted back in December of '95, updated by changes he posted in June of '96. Is that list still reasonable?

--
David Carmean <dlc@avtel.net>
Avtel Communications, Santa Barbara, CA +1-805-730-7740
Opinions herein are those of the author only, unless otherwise noted
"Karma Police, arrest this man!" --Radiohead
On Wed, Oct 08, 1997 at 07:39:52PM -0700, David Carmean wrote:
I installed the ACL Sean posted back in December of '95, updated by changes he posted in June of '96. Is that list still reasonable?
I'm pretty sure that is the version that filters >=207 at /19 (instead of /18 which is where he initially put the filter).

However, keep in mind that the registries have been allocating space out of old class A space, which all versions of his filter I've seen _will_ block. So, depending on your policy you would want to add:

    access-list xxx permit ip 62.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0

Do that for 24/8, 62/8 and any other blocks that the IANA has released to a registry (I think Dorian mentioned 63/8 and 64/8 as well). Of course, if you want to filter on /19 then your mask will be a little different.

Of course, one can just do what Randy suggested and filter all class A space at /19 and be done with it.

Alec
--
+------------------------------------+--------------------------------------+
|Alec Peterson - ahp@hilander.com    | Erols Internet Services, INC.        |
|Network Engineer                    | Springfield, VA.                     |
+------------------------------------+--------------------------------------+
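The filtering discussed in the messages above, as an added example that is not part of the original thread: a small evaluator for Cisco extended access-list entries used as route filters, where the first address/wildcard pair is matched against the announced network and the second against its netmask. The ACL below is constructed from the boundaries proposed in the thread (/8 in old class A space, /16 in old class B space, 62/8 relaxed to /19); the list number 100 and the helper names are assumptions, and this is not Sean Doran's actual list.

```python
import ipaddress

def _ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def parse_entry(line):
    """Parse 'access-list N permit|deny ip NET NET_WILD MASK MASK_WILD'."""
    f = line.split()
    return f[2], _ip(f[4]), _ip(f[5]), _ip(f[6]), _ip(f[7])

def entry_matches(entry, prefix):
    """Route-filter semantics: the 'source' pair is compared with the
    announced network number, the 'destination' pair with its netmask.
    A wildcard bit of 1 means "don't care"."""
    _, net, net_wild, mask, mask_wild = entry
    route = ipaddress.IPv4Network(prefix)
    care_net = ~net_wild & 0xFFFFFFFF
    care_mask = ~mask_wild & 0xFFFFFFFF
    return (((int(route.network_address) ^ net) & care_net) == 0
            and ((int(route.netmask) ^ mask) & care_mask) == 0)

def evaluate(acl, prefix):
    """First matching entry wins; no match means the implicit deny."""
    for entry in acl:
        if entry_matches(entry, prefix):
            return entry[0]
    return "deny"

# Constructed policy for illustration (hypothetical list number 100).
ACL = [parse_entry(l) for l in (
    # 62/8 relaxed to /19 or shorter (the /19 variant of the line above)
    "access-list 100 permit ip 62.0.0.0 0.255.255.255 0.0.0.0 255.255.224.0",
    # old class A space (0-127): /8 or shorter only
    "access-list 100 permit ip 0.0.0.0 127.255.255.255 0.0.0.0 255.0.0.0",
    # old class B space (128-191): /16 or shorter only
    "access-list 100 permit ip 128.0.0.0 63.255.255.255 0.0.0.0 255.255.0.0",
)]

def rejected_more_specifics(acl, supernet, new_len):
    """Count subnets of `supernet` at length `new_len` that the ACL drops."""
    subs = ipaddress.IPv4Network(supernet).subnets(new_prefix=new_len)
    return sum(evaluate(acl, str(s)) == "deny" for s in subs)

if __name__ == "__main__":
    for p in ("128.9.0.0/16", "128.9.1.0/24", "62.216.0.0/19", "24.0.0.0/14"):
        print(p, evaluate(ACL, p))
    print(rejected_more_specifics(ACL, "128.9.0.0/16", 24), "of 256 /24s dropped")
```

With this policy the /24 more-specifics of 128.9.0.0/16 never enter the table, while a legitimate 24.0.0.0/14 is also dropped until a line for 24/8 is added, which is the maintenance cost raised in the thread.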
(I think Dorian mentioned 63/8 and 64/8 as well).
61/8, not 64/8. APNIC will be starting to allocate out of 61/8 RSN, so if you want to modify your filters, note that APNIC will _not_ be allocating anything longer than a /18 (not even /19s). I believe RIPE has a similar policy on 62/8, but I'm sure they'll correct me if I'm wrong.

Regards,
-drc
From: "C. Harald Koch" <chk@utcc.utoronto.ca>
Date: Wed, 8 Oct 1997 14:38:49 -0400
Sender: owner-nanog@merit.edu
Proper PRDB based filters would have stemmed this too. Why isn't everyone using them these days?
Been at this for a few years, I bet. The PRDB is long dead. These days I suggest building filters from the IRR registries.

There are problems (depending on router) in filtering the larger providers like UUNET and MCI. The lists get pretty long. And SprintLink does not participate in the IRR beyond registering routes, so it's not that easy.

It is a VERY good idea, though.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
At 09:11 AM 10/8/97 -0700, Michael Dillon wrote:
At this time I am receiving a ton of bogus routes originating from AS701. This AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more specific route prevails in the cidr world they have managed to wipe out my network 128.9.0.0 not to mention a hundred other 128.x networks.
Isn't this the kind of problems that the Doran filters are supposed to prevent?
I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
Comments?
What about the cable providers that have chunks of 24/8?

-Steve
On Wed, 8 Oct 1997, Steve Meuse wrote:
At 09:11 AM 10/8/97 -0700, Michael Dillon wrote:
I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
Comments?
What about the cable providers that have chunks of 24/8?
62/8, 63/8 and 64/8 are being assigned now. So you just relax the filters according to what's being assigned.

-dorian
In article <Pine.GSO.3.96.971008141916.316n-100000@thorn.blackrose.org>, Dorian R. Kim <dorian@blackrose.org> wrote:
On Wed, 8 Oct 1997, Steve Meuse wrote:
At 09:11 AM 10/8/97 -0700, Michael Dillon wrote:
I understand that it is not to everyone's benefit to filter on the /19 boundary like Sprint does but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
Comments?
What about the cable providers that have chunks of 24/8?
62/8, 63/8 and 64/8 are being assigned now.
Not quite, part or all 62/8 is being assigned by RIPE NCC in Europe, and they don't give out smaller netblocks than /19's. We have 62.216/19 for example. The not smaller than /19 is common policy of RIPE btw.

Mike.
--
Miquel van | Cistron Internet Services -- Alphen aan den Rijn.
Smoorenburg, | mailto:info@cistron.nl http://www.cistron.nl/
miquels@cistron.nl | Our vision is to speed up time, eventually eliminating it.
Not quite, part or all 62/8 is being assigned by RIPE NCC in Europe, and they don't give out smaller netblocks than /19's. We have 62.216/19 for example. The not smaller than /19 is common policy of RIPE btw.
RIPE are indeed assigning from all of 62.0.0.0/8 and, as per the policy and procedures document ripe-155, are doing so as Miquel says i.e. in blocks of /19 or more. On Monday, the RIPE NCC reported 50 allocations so far, with almost 75% of these appearing in the routing tables. It would be nice if we all got really classless and made this 100%.

Mike Norris
... but it seems to be prudent to adopt a /8 filter on most of the old class A space and a /16 filter on the old class B space. Other than the need to update these filters as the former class A space is subdivided I can see no major downside.
What about the cable providers that have chunks of 24/8?
That's one of the reasons that I said "most of" the old Class A space. And since there will be continued carving up of blocks in the Class A space those filters will need to be revisited from time to time.

********************************************************
Michael Dillon voice: +1-650-482-2840
Senior Systems Architect fax: +1-650-482-2844
PRIORI NETWORKS, INC. http://www.priori.net
"The People You Know. The People You Trust."
********************************************************
On Tue, 7 Oct 1997 19:17:24 -0700 prue@ISI.EDU wrote:
This is not good.
The third hand story I got from their hotline was that a core route crashed causing other core routers to crash. This doesn't explain anything to me. Are they using Ascend Giga routers in their core?
As someone who uses GRFs I'd like to point out that it must have been operator/configuration error that caused this and _not_ some bug in Ascend code, don't blame the router as it has all the filtering capabilities a Cisco has.

Regards,
Neil.
--
Neil J. McRae. Alive and Kicking. Domino: In the glow of the night.
neil@DOMINO.ORG NetBSD/sparc: 100% SpF (Solaris protection Factor)
Free the daemon in your <A HREF="http://www.NetBSD.ORG/">computer!</A>
participants (13): Alec H. Peterson, bmanning@ISI.EDU, C. Harald Koch, David Carmean, David R. Conrad, Dorian R. Kim, Kevin Oberman, Michael Dillon, Mike Norris, miquels@cistron.nl, Neil J. McRae, prue@ISI.EDU, Steve Meuse