This is a reminder of ARIN's message sent to NANOG on 10 September, 1999.

On November 22, 1999, ARIN will begin making allocations from the 64.0.0.0/8 block. This will include allocations of /20 and shorter prefixes, according to ARIN's minimum allocation policy.

For informational purposes, ARIN currently administers the following blocks:

24.0.0.0/8 (portions of)
63.0.0.0/8
64.0.0.0/8
196.0.0.0/8
198.0.0.0/8
199.0.0.0/8
200.0.0.0/8
204.0.0.0/8
205.0.0.0/8
206.0.0.0/8
207.0.0.0/8
208.0.0.0/8
209.0.0.0/8
216.0.0.0/8

Regards,

American Registry for Internet Numbers (ARIN)
On Wed, Nov 10, 1999 at 10:39:21AM -0500, Richard Jimmerson wrote:
This is a reminder of ARIN's message sent to NANOG on 10 September, 1999.
On November 22, 1999, ARIN will begin making allocations from the 64.0.0.0/8 block. This will include allocations of /20 and shorter prefixes, according to ARIN's minimum allocation policy.
I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>

--
Richard A Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
At 11:50 AM 11/10/99 -0500, Richard A Steenbergen <ras@above.net> wrote:
I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
One line becomes two in your ACL?

ip permit 64.0.0.0/8
ip deny 64.0.0.0/2

The CPU loss for one more ACL line is probably offsetting the gains of spoofed traffic pretty well. That will even scale for a little while, at least for /9 and /10 in the permit line, before you seriously have to think about how much still-unallocated space you will gratuitously allow through your ACL.

bye, Kai
On Wed, Nov 10, 1999 at 12:01:54PM -0500, Kai Schlichting wrote:
At 11:50 AM 11/10/99 -0500, Richard A Steenbergen <ras@above.net> wrote:
I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
One line becomes two in your ACL?

ip permit 64.0.0.0/8
ip deny 64.0.0.0/2

The CPU loss for one more ACL line is probably offsetting the gains of spoofed traffic pretty well. That will even scale for a little while, at least for /9 and /10 in the permit line, before you seriously have to think about how much still-unallocated space you will gratuitously allow through your ACL.
Reality is it's not that simple. If you are doing any other filters that might catch on 64.0.0.0/8, you'll need to drop those lines down to the end. Besides the obvious goal of cutting spoofed traffic, one of the primary uses of this kind of filter (for myself at any rate) is to save CPU when dealing with small packet high packet/sec random src attacks. It's not the end of the world, but it's annoying and does not help matters any. *grumble*

--
Richard A Steenbergen <ras@above.net> http://users.quadrunner.com/humble
PGP Key ID: 0x60AB0AD1 (E5 35 10 1D DE 7D 8C A7 09 1C 80 8B AF B9 77 BB)
AboveNet Communications - AboveSecure Network Security Engineer, Vienna VA
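The exchange above turns on first-match ACL evaluation, so here is an added example (not part of the original thread, and not any poster's configuration) that models the one-line 64.0.0.0/2 filter, the two-line version Kai proposes, and the same two lines in the wrong order. It assumes a trailing permit-any after the listed lines; the source addresses are constructed samples.

```python
import ipaddress

def compile_acl(rules):
    """Turn (action, prefix) pairs into (action, network) pairs, order kept."""
    return [(action, ipaddress.ip_network(prefix)) for action, prefix in rules]

# Filter from the thread before 64/8 went live, and the two-line replacement.
OLD_ACL = compile_acl([("deny", "64.0.0.0/2")])
NEW_ACL = compile_acl([("permit", "64.0.0.0/8"), ("deny", "64.0.0.0/2")])
# Same two lines in the wrong order: the permit is never reached.
MISORDERED = compile_acl([("deny", "64.0.0.0/2"), ("permit", "64.0.0.0/8")])

def evaluate(acl, src, default="permit"):
    """First matching line wins. `default` models an assumed trailing permit-any."""
    addr = ipaddress.ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return default

def denied_fraction(acl):
    """Fraction of all IPv4 source addresses that the ACL drops."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]  # space no line has matched yet
    denied = 0
    for action, net in acl:
        unmatched = []
        for block in remaining:
            if not block.overlaps(net):
                unmatched.append(block)
                continue
            # CIDR blocks nest or are disjoint, so the overlap is the smaller one.
            hit = block if block.subnet_of(net) else net
            if action == "deny":
                denied += hit.num_addresses
            if hit is net:
                unmatched.extend(block.address_exclude(net))
        remaining = unmatched
    return denied / 2**32

if __name__ == "__main__":
    # Constructed sample sources: inside 64/8, inside 64/2 only, and loopback.
    samples = ("64.10.0.1", "65.0.0.1", "127.0.0.1")
    for name, acl in (("old", OLD_ACL), ("new", NEW_ACL), ("misordered", MISORDERED)):
        print(name, f"{denied_fraction(acl):.4%}", [evaluate(acl, s) for s in samples])
```

With the permit line first, the filter still drops every other /8 under 64.0.0.0/2, including 127.0.0.0/8; with the lines swapped, 64.0.0.0/8 sources are dropped exactly as before.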
On Wed, Nov 10, 1999 at 11:50:57AM -0500, Richard Steenbergen wrote:
I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
The #'s have to come from somewhere, and 64/8 is just as good as any other chunk of address space. Maybe a charge of $1/yr should be imposed for all swamp space that is not currently announced (or in one of the routing registries?). Think of all the unused address space that would be free when all the companies that are no longer in business don't pay their address space bill :).

--
Steve Rubin, Packet Monkey & Pilot - ser@tch.org - http://www.tch.org/~ser/
On Wed, 10 Nov 1999, Steve Rubin wrote:
On Wed, Nov 10, 1999 at 11:50:57AM -0500, Richard Steenbergen wrote:
I might almost be happy, except this breaks the oh-so-nice filter of 64.0.0.0/2 at borders (effectively reduces random src spoofed attacks by 25%, and covers 127.0.0.0/8 as well). Go ARIN. </sarcasm>
Urm, last time I checked, ARIN was not in the position to arbitrarily decide which /8 (of the reserved /8s) it would start assigning from next. That decision is in the hands of IANA ne ICANN.
The #'s have to come from somewhere, and 64/8 is just as good as any other chunk of address space. Maybe a charge of $1/yr should be imposed for
ISPs within the APNIC and RIPE ranges of 61/8 and 62/8 respectively have already gone through trying to get filters redone by US ISPs over the past few years. --==-- Bruce.
On Thu, Nov 11, 1999 at 07:02:27AM +1000, Bruce Campbell wrote:
The #'s have to come from somewhere, and 64/8 is just as good as any other chunk of address space. Maybe a charge of $1/yr should be imposed for
ISPs within the APNIC and RIPE ranges of 61/8 and 62/8 respectively have already gone through trying to get filters redone by US ISPs over the past few years.
I think you missed my point. "Back in the day" SRI and NSI handed out address space in any size chunk you could imagine asking for. How much of this isn't used (My guess: at least %60 is unused). How many of these companies do not exist anymore? If you charged $1 for any allocation that wasn't being announced (the quickest way to figure out if it's being used), then any block that wasn't paid for could easily be reassigned. Unless we want to go IPv6, the only solution to running out of address space is to get the space back that is assigned to non-existent companies.

--
Steve Rubin, Packet Monkey & Pilot - ser@tch.org - http://www.tch.org/~ser/
I think you missed my point. "Back in the day" SRI and NSI handed out address space in any size chunk you could imagine asking for. How much of this isn't used (My guess: at least %60 is unused). How many of these companies do not exist anymore? If you charged $1 for any allocation that wasn't being announced (the quickest way to figure out if it's being used), then any block that wasn't paid for could easily be reassigned. Unless we want to go IPv6, the only solution to running out of address space is to get the space back that is assigned to non-existent companies.
As a small data point. Back when I worked for IANA, I managed to reclaim ~20% of the total IPv4 space. There are active discussions in many quarters on how to ensure that the feedback loop is closed and "dead" space is reclaimed for reuse. Of course money is a great driver, but there are reasons to have other tools in the toolbox, otherwise we could just run the Internet on a big DHCP server and be done with it... :)

--bill
participants (6)
- bmanning@vacation.karoshi.com
- Bruce Campbell
- Kai Schlichting
- Richard Jimmerson
- Richard Steenbergen
- Steve Rubin