RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19
> Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat.

And I completely agree that it's a big pain to coordinate this. In the same hand, SBC and all other 'big' providers use BGP to dynamically update their routing tables. Their BOGON filtering should use the same sort of mechanism. If they're not going to use something like the Cymru BOGON BGP feed they should build their own and should have configured their managed routers to query that from the beginning. As more old-BOGON IP's come into play, more and more of the Internet is going to 'fall off' to these legacy route access list restricted routers.

As much as I would have liked to coin the term 'network monkey', I read it in this thread by someone much more creative than I. :-)

James Laszko
Pipeline Communications, Inc.
james@pcipros.com
On Thu, 20 Jan 2005, James Laszko wrote:
> > Wash, rinse, repeat for the other 70,000 routers you manage for customers... This is definitely NOT a half-rack in a colo fix. Just contacting the customers is a feat.
>
> And I completely agree that it's a big pain to coordinate this. In the same hand, SBC and all other 'big' providers use BGP to dynamically update their routing tables. Their BOGON filtering should use the same
BGP holds destination info, the problem filters you speak of are MOST PROBABLY not BGP related at all, they are likely interface filters of the form: access-list 100 deny ip 0.0.0.0 0.255.255.255 any (assuming a cisco box of course, and this is a single line, hopefully they permit the customer network to get something as a last line in the acl)
> sort of mechanism. If they're not going to use something like the Cymru BOGON BGP feed they should build their own and should have configured their managed routers to query that from the beginning. As more

This is impractical as the afore-mentioned 70,000 routers are likely not BGP capable (not all at least, why buy that feature when all it'll ever do is static and connected routes?).
> old-BOGON IP's come into play, more and more of the Internet is going to 'fall off' to these legacy route access list restricted routers.
Perhaps they will see the problems and move to a better solution, perhaps their customers will ask for filter adjustments as these new pesky /8's you speak of are 'released' for people to use... what's an ip address again? :(
> As much as I would have liked to coin the term 'network monkey', I read it in this thread by someone much more creative than I. :-)

Either way, it's not the monkeys in this case most likely. I'd bet at the least there is the issue of getting in touch with the customer, and initiating change at his/her/their request... why 'fix' something that isn't broken? There are hundreds of thousands of 2511's out there with 2MB of flash and 11.2 code still running on them. These will NEVER be upgraded to anything 'new' because cost to upgrade includes upgrading the hardware at 3k minimum per box... not to mention outages for customers who 'don't see a problem today' and don't like outages.

-Chris
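The two messages above describe the same failure from two sides: a bogon filter implemented as a static interface ACL (the `access-list 100 deny ip 0.0.0.0 0.255.255.255 any` form) keeps denying a /8 long after that space has been allocated, so the new holder of, say, 72.14.128.0/19 simply vanishes from the customer's view. The following is an added example, not code from anyone in this thread: a small audit script that parses such IOS-style `deny ip <network> <wildcard> any` lines, converts the wildcard masks to CIDR, and reports every deny entry that is no longer covered by a current bogon list. The ACL text and the "current bogon" list are constructed for the example (the 72/8 entry is a hypothetical stale filter standing in for whatever an operator's legacy box still carries; the bogon list is deliberately short and is only the well-known reserved ranges, not a real feed). The 72.14.128.0/19 prefix is taken from the thread subject.

```python
import ipaddress
import re

# Constructed sample ACL in the style Chris describes. The 72/8 line is a
# hypothetical stale bogon entry; the 192.0.0.0 line uses a deliberately
# non-contiguous wildcard to show how such lines are reported rather than
# silently mis-parsed. None of this is taken from a real router.
LEGACY_ACL = """\
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 72.0.0.0 0.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 192.0.0.0 0.255.0.255 any
access-list 100 permit ip any any
"""

# Constructed stand-in for whatever the operator treats as the current
# bogon list (e.g. the Cymru feed mentioned in the thread). Only a few
# well-known reserved ranges are included; this is an assumption of the
# example, not a complete or authoritative list.
CURRENT_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]

# Matches only the simple "deny ip <net> <wildcard> any" form; other
# ACL syntax is ignored by this example.
ACL_RE = re.compile(
    r"^access-list\s+\d+\s+deny\s+ip\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<wild>\d+\.\d+\.\d+\.\d+)\s+any\s*$"
)


def wildcard_to_network(net: str, wild: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair to a CIDR network.

    The wildcard is inverted into a netmask explicitly so that the
    ambiguous all-zero / all-one cases are read the IOS way (wildcard
    0.0.0.0 means a single host). A non-contiguous wildcard makes
    ipaddress raise ValueError, which callers treat as "unparseable".
    """
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def parse_deny_entries(acl_text: str):
    """Return ([(line, network), ...], [unparseable lines])."""
    entries, skipped = [], []
    for raw in acl_text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m:
            continue
        try:
            entries.append((line, wildcard_to_network(m["net"], m["wild"])))
        except ValueError:
            skipped.append(line)
    return entries, skipped


def stale_entries(acl_text: str, bogons) -> list:
    """Deny entries not fully inside any current bogon prefix.

    Such an entry is dropping space that has since been allocated, which
    is exactly the "falling off the Internet" effect the thread describes.
    """
    entries, _ = parse_deny_entries(acl_text)
    return [str(net) for _, net in entries
            if not any(net.subnet_of(b) for b in bogons)]


def blocked_prefixes(acl_text: str, prefixes) -> list:
    """Which of the given (allocated) prefixes would this ACL drop?"""
    entries, _ = parse_deny_entries(acl_text)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(p) for p in nets
            if any(p.subnet_of(net) for _, net in entries)]


if __name__ == "__main__":
    for net in stale_entries(LEGACY_ACL, CURRENT_BOGONS):
        print(f"stale bogon entry: {net} is no longer bogon space")
    _, odd = parse_deny_entries(LEGACY_ACL)
    for line in odd:
        print(f"could not convert wildcard, review by hand: {line}")
    for p in blocked_prefixes(LEGACY_ACL, ["72.14.128.0/19"]):
        print(f"{p} would be dropped by this ACL")
```

Run against a real `show running-config` export, the stale list is the set of lines to schedule for removal before (or instead of) the hardware refresh the thread says nobody wants to pay for; the second check answers the complaint that started the thread, namely whether a specific allocated prefix is being eaten by the filter.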
On Thu, 20 Jan 2005, James Laszko wrote:
> sort of mechanism. If they're not going to use something like the Cymru BOGON BGP feed they should build their own and should have configured their managed routers to query that from the beginning. As more

How would this scale for say 200K routers? 2M?

-Hank
Hi, Hank.

] How would this scale for say 200K routers? 2M? -Hank

Dave Deitrich of Team Cymru will be presenting on this very topic at the next NANOG. Short answer: We're ready when you are. :)

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
Participants (4): Christopher L. Morrow, Hank Nussbacher, James Laszko, Rob Thomas