Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this? Any advice/feedback appreciated. Regards, Steve
On Fri, 30 May 2003, Steve Waddington wrote:
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot.
Anyone able to shed any light on this?
note, I don't work for the DoD (.mil owners) BUT, this isn't the first time someone has mentioned this kind of problem... normally the 'reason' is: "Hackers came from there" or "we don't want to allow these folks access to our network for 'other' reasons" In reality it's their little piece of the pie, if they don't want you to eat it they can keep you outta the fridge :(
Any advice/feedback appreciated.
Regards,
Steve
Thus spake "Steve Waddington" <stevew@onet.com.au>
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot.
Anyone able to shed any light on this?
US DoD has a longstanding policy of blocking all addresses which appear to be of non-US origin. Your block comes from APNIC, so that's probably what's happening to you. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
--On Friday, May 30, 2003 21:15 +0800 Steve Waddington <stevew@onet.com.au> wrote:
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot.
Anyone able to shed any light on this?
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes? randy
--On Friday, May 30, 2003 11:00 -0700 Randy Bush <randy@psg.com> wrote:
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?
I don't know. Why should you?
Thus spake "Randy Bush" <randy@psg.com>
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice. Nothing prohibits any part on the internet from blocking other parties they believe to be dangerous, whether it be due to warfare, spam, or other considerations. S Stephen Sprunk "God does not play dice." --Albert Einstein CCIE #3723 "God is an inveterate gambler, and He throws the K5SSS dice at every possible opportunity." --Stephen Hawking
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process. ---Mike
On Fri, 30 May 2003, Mike Tancsa wrote:
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them). The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had "hacked" their server. Since that time I reject .mil mail. Justin
Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.
On Fri, 30 May 2003, Mike Tancsa wrote:
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them).
The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had "hacked" their server. Since that time I reject .mil mail.
Justin
One already is. The H server resides at the Army Research Lab, which is connected to DREN (AS668). FWIW there is not a single homogeneous .mil network. There are several DoD networks that provide service to customer organizations, and some of the major public DoD sites are also directly connected to commercial ISPs. Also different services and sites may have different policies as to who they allow access from. So without knowing the destination address, it's hard to be able to tell someone who thinks they are being blocked who to contact. If you can't reach a site directly, try their upstream providers and see if they can help provide a POC. Try looking at the aspath for the destination, and if any of the following show up, try these POCs:
AS668 (DREN) 866-NOC-DREN or noc@dren.net
AS7170 (ATT-DISC) 888-DISC-USA or noc@att-disc.net
AS568 (DISN) DISA GNOSC at 703-607-4001 or the Columbus RNOSC at 800-554-3476
For security related issues, try contacting the DoD CERT (www.cert.mil, 800-357-4231). All of the services have their own CERT as well, however they all coordinate with this organization.
-Mark Ganzer
Space & Naval Warfare Systems Center, San Diego
ganzer@spawar.navy.mil
(note: this is posted from my personal email account, not my work account).
Mark Borchers wrote:
Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.
On Fri, 30 May 2003, Mike Tancsa wrote:
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them).
The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had "hacked" their server. Since that time I reject .mil mail.
Justin
Cough, bad idea, cough. From past experience I don't think that you'll find the DREN to be substantially more reliable as far as reachability and blocking policies go than most of the rest of .mil. It USED to be more open, but there were some policy changes, some peering arrangements, and voila they are under the same guidelines.
Suggestion: migrate the current MIL root servers to the DREN network. Thus they would be easily accessible from DoD's networks, while residing in front of any MIL filters or blackhole routers relative to the rest of the Internet.
On Fri, 30 May 2003, Mike Tancsa wrote:
At 01:15 PM 30/05/2003 -0500, Stephen Sprunk wrote:
For the same reason anyone else accepts their routes -- because they want to be able to reach them. If they don't want to reach _you_, that's their choice.
As Sean Donelan pointed out, the fact that 2 of the root name servers are inside their network, there is more to the issue than you suggest.... I for example want people in Australia to be able to reliably lookup DNS info on my domains. The .mil people have decided to hamper this process.
I agree. The root servers should have no filtering in place to block any demographics (unless of course a given node is DoSing them).
The last time I tried to contact a .mil to report an open relay that was being abused, I was accused of being a spammer that had "hacked" their server. Since that time I reject .mil mail.
Justin
--
-=-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-<>-=-=-=-=-=-=-< Ryan Mooney ryan@pcslink.com <-=-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-><-=-=-=-=-=-=->
On Fri, 30 May 2003, Randy Bush wrote: In another context, someone claimed that zone managers should be able to create zone-specific semantics, for something unique to that context. Eventually, the received wisdom available to that particular context was that zone-specific semantics would violate the law of minimum astonishment, and discussion of zone-specific semantics was barred by the process available to that context. Not accepting their difference is different from asserting that they may not differ.
On Fri, 30 May 2003, Randy Bush wrote:
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?
If the .MIL network can't provide International Internet service, is it time to move the g.root-servers.net and h.root-servers.net off their current .MIL hosts to better locations to serve the entire Internet. Otherwise .MIL policies reduce the robustness of the overall Internet. Heck, even when Paul Vixie did his original black-hole lists, he made certain that even the worst spammers could still use f.root-servers.net.
Precedent, Randy, Precedent ! UUnet and few others a long time ago had a differing definition of "peering" that most of us thought, at the time... But were so BIG, we accepted their routes, anyway. * shrug * A secret black list is a real bugger if: No one is allowed to mention it exists. If you get on it, there is no way off, no "right of redress". No one can -tell- you you are on it. No one can tell you if you -aren't-..... And if you -somehow- figure out you're on it, they can't admit it, or the -reason- you are on it, or take you off even if they wanted. Any and all of the above. On a lighter note, the US Senate recently unsealed the American McCarthy Hearing records. :O :* :}
Randy Bush wrote:
In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
as this means they have a different definition of the internet than the one to which i, and i suspect others, are used, why should i and others accept their routes?
randy
On Fri, 30 May 2003, John Payne wrote:
--On Friday, May 30, 2003 21:15 +0800 Steve Waddington <stevew@onet.com.au> wrote:
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this? In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
Maybe the rest of the net should return the favor and drop .mil routes until they decide to get working abuse@ and postmaster@ addresses. They seem to think it's fine that .mil boxes can spam and attack civilian networks and apparently aren't interested in hearing the complaints. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Fri, 30 May 2003, Dan Hollis wrote:
On Fri, 30 May 2003, John Payne wrote:
--On Friday, May 30, 2003 21:15 +0800 Steve Waddington <stevew@onet.com.au> wrote:
Our whole netblock 202.154.64.0/18 seems to be barred from anything .mil. Domain name resolution, MX, IP traceroute, the lot. Anyone able to shed any light on this? In recent times, a lot of .mil have thrown up a whole bunch of null routes to large sections of international address space. Good luck getting them removed
Maybe the rest of the net should return the favor and drop .mil routes until they decide to get working abuse@ and postmaster@ addresses. They seem to think it's fine that .mil boxes can spam and attack civilian networks and apparently aren't interested in hearing the complaints.
I can't and won't speak for others, but when I was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email. _____________________________________________________________________________ Tony Rowley | "To confine our attention to terrestrial Lansdowne PA USA | matters would be to limit the human spirit." rowley@netaxs.com | -- Professor Stephen Hawking
On Fri, 30 May 2003, Tony Rowley wrote:
I can't and won't speak for others, but when I was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.
What email address? Last time we were smurfed by the army it took 3 months of phone calls to get them to stop it. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
On Fri, 30 May 2003, Dan Hollis wrote:
On Fri, 30 May 2003, Tony Rowley wrote:
I can't and won't speak for others, but when I was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.
What email address?
Last time we were smurfed by the army it took 3 months of phone calls to get them to stop it.
From the info supplied in a lookup I'd do a little detective work and find a working website related to the domain in question and go from there. It's cheesy but it worked. _____________________________________________________________________________ Tony Rowley | "To confine our attention to terrestrial Lansdowne PA USA | matters would be to limit the human spirit." rowley@netaxs.com | -- Professor Stephen Hawking
On Fri, 30 May 2003, Tony Rowley wrote:
On Fri, 30 May 2003, Tony Rowley wrote:
On Fri, 30 May 2003, Dan Hollis wrote:
I can't and won't speak for others, but when I was handling abuse issues I never once had a problem making contact with responsible people at .mil sites to get issues addressed. 9 times out of 10 it took all of one phone call or one email.
What email address?
Last time we were smurfed by the army it took 3 months of phone calls to get them to stop it.
From the info supplied in a lookup I'd do a little detective work and find a working website related to the domain in question and go from there. It's cheesy but it worked.
I guess you were lucky then, the addresses we were smurfed from had no related website, and the phone # on the whois was outdated. When I finally did manage to get a hold of a network engineer they didn't seem particularly interested in hearing about the problem. Hence it took 3 months of constant calling to get their smurf amps shut down. And they *still* don't have a working abuse@ or postmaster@ which imho is simply irresponsible for such an organization. Someone should get sacked. -Dan -- [-] Omae no subete no kichi wa ore no mono da. [-]
Speaking on Deep Background, the Press Secretary whispered:
I guess you were lucky then, the addresses we were smurfed from had no related website, and the phone # on the whois was outdated.
When I finally did manage to get a hold of a network engineer they didn't seem particularly interested in hearing about the problem. Hence it took 3 months of constant calling to get their smurf amps shut down.
And they *still* don't have a working abuse@ or postmaster@ which imho is simply irresponsible for such an organization. Someone should get sacked.
Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there. I'd cc: the Inspector General for whichever branch as well...and the FTC. -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
David Lesher wrote:
Your escalation route goes to the OSD-CIO (Office of Secretary Defense) in the 5-sided building. That was Art Money's office but I don't know if he's still there. I'd cc: the Inspector General for whichever branch as well...and the FTC.
In other words, when one can't get a response, check with NANOG. :) -Jack
participants (17)
- Christopher L. Morrow
- Dan Hollis
- David Lesher
- Eric Brunner-Williams in Portland Maine
- Jack Bates
- John Payne
- listuser@numbnuts.net
- Mark Borchers
- Mark T. Ganzer
- Mike Tancsa
- Randy Bush
- Richard Irving
- Ryan Mooney
- Sean Donelan
- Stephen Sprunk
- Steve Waddington
- Tony Rowley