We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible. Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?
Dustin Swinford | Sr. IP/Ethernet Engineer
<http://www.deltacom.com/> Deltacom | Integrated Communications and Technology Solutions
On 12/3/2010 4:09 PM, Dustin Swinford wrote:
We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible. Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?
The first takers in a space are hit the hardest. Rementioning here is important. Do a Google search and find any pages still mentioning blocking the range. Contact them and ask them to update. Then you have to start the long list with others. It's recommended you set up a server with 2 IP addresses, one in the range, one outside the range, so that people can check against them both to verify that the problem is with the range itself. I've seen some networks that run automatic probes from both ranges and compare the results, automatically sending emails to whois contacts concerning the problem.
Jack
On 12/03/2010 02:13 PM, Jack Bates wrote:
On 12/3/2010 4:09 PM, Dustin Swinford wrote:
We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible. Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?
The first takers in a space are hit the hardest. Rementioning here is important. Do a google search and find any pages still mentioning blocking the range. Contact them and ask them to update. Then you have to start the long list with others. it's recommended you setup a server with 2 IP addresses, one in the range, one outside the range, so that people can check against them both to verify that the problem is with the range itself. I've seen some networks that run automatic probes from both ranges and compare the results, automatically sending emails to whois contacts concerning the problem.
Is there much point to bogon filtering now? :)
Mike, likely ignorant
In a message written on Fri, Dec 03, 2010 at 04:13:58PM -0600, Jack Bates wrote:
The first takers in a space are hit the hardest. Rementioning here is important. Do a google search and find any pages still mentioning blocking the range. Contact them and ask them to update. Then you have to start the long list with others. it's recommended you setup a server with 2 IP addresses, one in the range, one outside the range, so that people can check against them both to verify that the problem is with the range itself. I've seen some networks that run automatic probes from both ranges and compare the results, automatically sending emails to whois contacts concerning the problem.
For those not paying attention, the current bogon list should be:
0/8 10/8 39/8 102/8 103/8 104/8 106/8 127/8 172.16/12 179/8 185/8 192.168/16 224/3
It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:
0/8 10/8 127/8 172.16/12 192.168/16 224/3
I'd suggest it would be good if folks updated to that now, to prevent these sorts of problems. I promise, this time it is the last update you'll need to do. :)
--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
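An added example, not part of the original thread: a Python audit that expands the shorthand prefixes from the two lists above and reports which entries of a deployed filter are stale or still block an allocated prefix such as 107.7.0.0/16. The deployed filter (`DEPLOYED_SAMPLE`) is a constructed sample and the function names are hypothetical.

```python
import ipaddress

# The two lists exactly as given in the message above (shorthand notation).
CURRENT_BOGONS = ("0/8 10/8 39/8 102/8 103/8 104/8 106/8 127/8 "
                  "172.16/12 179/8 185/8 192.168/16 224/3")
FINAL_BOGONS = "0/8 10/8 127/8 172.16/12 192.168/16 224/3"

# Constructed sample: a filter that was never updated after 107/8 was allocated.
DEPLOYED_SAMPLE = CURRENT_BOGONS + " 107/8"


def expand(short):
    """Turn shorthand such as '172.16/12' into an IPv4Network (172.16.0.0/12)."""
    addr, _, plen = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad missing trailing octets
    # strict=True rejects entries with host bits set, i.e. typos in the list.
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=True)


def parse_list(text):
    """Parse a whitespace-separated shorthand prefix list."""
    return [expand(tok) for tok in text.split()]


def stale_entries(deployed, reference):
    """Deployed filter entries that the reference bogon list no longer covers."""
    return [d for d in deployed
            if not any(d.subnet_of(r) for r in reference)]


def blocking_entries(deployed, prefix):
    """Deployed filter entries that overlap an allocated prefix."""
    return [d for d in deployed if d.overlaps(prefix)]


if __name__ == "__main__":
    deployed = parse_list(DEPLOYED_SAMPLE)
    allocated = expand("107.7/16")
    for entry in blocking_entries(deployed, allocated):
        print(f"{entry} blocks allocated prefix {allocated}")
    for name, ref in (("current", CURRENT_BOGONS), ("final", FINAL_BOGONS)):
        stale = stale_entries(deployed, parse_list(ref))
        print(f"stale vs {name} list:", ", ".join(map(str, stale)) or "none")
```
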
On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:
0/8 10/8 127/8 172.16/12 192.168/16 224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
From: Valdis.Kletnieks@vt.edu Date: Fri, 03 Dec 2010 20:00:15 -0500
On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:
0/8 10/8 127/8 172.16/12 192.168/16 224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
"Kevin Oberman" <oberman@es.net> writes:
From: Valdis.Kletnieks@vt.edu Date: Fri, 03 Dec 2010 20:00:15 -0500
On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:
0/8 10/8 127/8 172.16/12 192.168/16 224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.
You mean like other routers that are speaking OSPF? :-) (people should understand the side effects of filtering before they conf t).
-r
From: Valdis.Kletnieks@vt.edu Date: Fri, 03 Dec 2010 20:00:15 -0500
224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.
240/4 appears to be reserved for "Future use"... "[15] Reserved for future use (formerly "Class E") [RFC1112]"
--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html
On Mon, 06 Dec 2010 17:02:40 PST, somebody said:
From: Valdis.Kletnieks@vt.edu Date: Fri, 03 Dec 2010 20:00:15 -0500
224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.
If you're smart enough to actually do multicast, you're smart enough to remove the filter for 224/3. If you're not smart enough to remove the filter, or you're smart enough but you're one of the 95% that doesn't do multicast, your site should be doing bidirectional filtering of 224/3. ;) (Do you really want your users emitting outbound packets to/from 224/3 if you don't actually do multicast? Probably not...)
On Dec 4, 2010, at 1:43 09AM, Kevin Oberman wrote:
From: Valdis.Kletnieks@vt.edu Date: Fri, 03 Dec 2010 20:00:15 -0500
On Fri, 03 Dec 2010 14:24:16 PST, Leo Bicknell said:
It is speculated that no later than Q1, two more /8's will be allocated, triggering a policy that will give the remaining 5 /8's out to the RIR's. That means, prior to end of Q1, the bogon list will be:
0/8 10/8 127/8 172.16/12 192.168/16 224/3
Oh. And don't forget to do *bidirectional* filtering of these addresses. ;)
Ahh, not quite. Blocking 224/3 bi-directionally might cause a few issues if you accept multicast traffic from anyone.
Bidirectional blocking of traffic with source addresses in 224/3 -- that should never happen unless I badly misunderstand multicast.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
Got an address we can ping?
On 12/3/10 2:09 PM, Dustin Swinford wrote:
We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible. Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?
Dustin Swinford | Sr. IP/Ethernet Engineer
<http://www.deltacom.com/> Deltacom | Integrated Communications and Technology Solutions
On 12/3/2010 14:09, Dustin Swinford wrote:
We have run into an issue with the 107.7.0.0/16 assigned to us several months ago. It appears that many sites have not yet accepted this space. I understand this is not a normal type post to NANOG, but hoped to get the word out to as many operators as possible. Does anyone know of a better way to get the word out to ask people to update their BOGONs/filters?
Can you provide a pingable test address within that space?
~Seth
participants (11)
- Dustin Swinford
- Jack Bates
- Jeroen van Aart
- Joel Jaeggli
- Kevin Oberman
- Leo Bicknell
- Michael Thomas
- Robert E. Seastrom
- Seth Mattinen
- Steven Bellovin
- Valdis.Kletnieks@vt.edu