Checking bogon status of new address space
Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
Please set up a pingable IP address for each new netblock and post it to NANOG with a request to have us ping it. It's not automated, but it's a good start. Frank -----Original Message----- From: Oliver Hookins [mailto:oliver.hookins@anchor.com.au] Sent: Friday, May 08, 2009 12:34 AM To: nanog@nanog.org Subject: Checking bogon status of new address space Hi, my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year). Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results. -- Regards, Oliver Hookins Anchor Systems
On May 8, 2009, at 2:44 PM, Frank Bulk wrote:
Please set up a pingable IP address for each new netblock and post it to NANOG with a request to have us ping it. It's not automated, but it's a good start.
Frank
You might also want to have a look at the RIPE NCC's beacon stuff: http://www.ripe.net/ris/docs/beacon.html I do recall them to use this mechanism to test new iana assignments (/ 8) they got. Grtx, Marco
Hi, Yes, we do this for all new /8 issued to RIR's. You can find the details here: http://www.ris.ripe.net/debogon/ Regards, Wolfgang Marco Hogewoning wrote:
On May 8, 2009, at 2:44 PM, Frank Bulk wrote:
Please set up a pingable IP address for each new netblock and post it to NANOG with a request to have us ping it. It's not automated, but it's a good start.
Frank
You might also want to have a look at the RIPE NCC's beacon stuff:
http://www.ripe.net/ris/docs/beacon.html
I do recall them to use this mechanism to test new iana assignments (/8) they got.
Grtx,
Marco
On Fri, 8 May 2009, Oliver Hookins wrote:
my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year).
Has anybody attempted to do this?
I don't think so. If I'd done this a little more than 6 years ago, I'd remember it, wouldn't I?
It is worth bothering?
Depends on what you're going to use the IPs for. If you did just a bit of googling, you'd find all sorts of info on this topic. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) and so were not responding to requests from our address space, so we just moved our dns cache boxes back to our older Level3 address space. Took a while to figure that one out though. Steve 2009/5/7 Oliver Hookins <oliver.hookins@anchor.com.au>
Hi,
my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year).
Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results.
-- Regards, Oliver Hookins Anchor Systems
Hi, Steve.
Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) ...
This is the primary reason we removed the static bogon lists from our Secure [BIND|IOS|BGP] Templates. My thanks to Randy Bush (and a few other folks) for the suggestion. We still have the bogon list and the dynamic bogon route-servers. <https://www.team-cymru.org/Services/Bogons/> Thanks, Rob. -- Rob Thomas Team Cymru http://www.team-cymru.org/ cmn_err(CEO_PANIC, "Out of coffee!");
In a message written on Fri, May 08, 2009 at 12:27:29PM -0500, Rob Thomas wrote:
This is the primary reason we removed the static bogon lists from our Secure [BIND|IOS|BGP] Templates. My thanks to Randy Bush (and a few other folks) for the suggestion.
I want to thank Team Cymru for their effort in maintaining this list over time, it's done a lot of people a lot of good. I would also like to recommend that it's time to completely update the text on http://www.cymru.com/Documents/bogon-list.html to reflect the new reality. Looking at http://www.cymru.com/Documents/bogon-bn-nonagg.txt (bogns, bit notation, not aggregated) I see there are only 39 entries in the list. Ten of these entries are martians, and should remain: 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 198.18.0.0/15 223.0.0.0/8 224.0.0.0/3 The other 29 are the unallocated /8's: 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 14.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 42.0.0.0/8 46.0.0.0/8 49.0.0.0/8 50.0.0.0/8 100.0.0.0/8 101.0.0.0/8 102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 175.0.0.0/8 176.0.0.0/8 177.0.0.0/8 179.0.0.0/8 181.0.0.0/8 182.0.0.0/8 185.0.0.0/8 29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller. To that end, I believe the recommendation should be to move to a martian-only filter over the next 12-24 months. This lines up with the time frame at which all /8's are likely to be allocated. Of course the full list of unallocated /8's should still be produced for those who want it, I'm not advocating that anything go away, just that I feel like we are at the point where the value of the list is lower than the effort to maintain it for the /average/ user of the list. I think this is in-line with the removal of the static bogon filters from the secure templates and would provide better advice to people reading the document for the first time. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller.
True, but, random is not the only thing at issue here. It is popular for fraudulent web sites to set up within these unallocated /8s, and, having them rejected by route filters is a good thing. Having Team Cymru able to further deploy lists of addresses with no valid POCs will be an additional win in this arena, and, I encourage them to do so.
To that end, I believe the recommendation should be to move to a martian-only filter over the next 12-24 months. This lines up with the time frame at which all /8's are likely to be allocated. Of course the full list of unallocated /8's should still be produced for those who want it, I'm not advocating that anything go away, just that I feel like we are at the point where the value of the list is lower than the effort to maintain it for the /average/ user of the list.
I think that's premature at best, and, a boon to abuse at worst. Owen
29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller.
Granted, if the filters aren't updated very frequently, they're pretty bad. But.. I would suggest, basically, filtering bogons is still great and pretty important, it serves as an ongoing deterrant against random unruly networks trying to pick up the unassigned addresses, or treating the space as "Up for grabs" just because some space happens to be unannounced (and unassigned). This is a behavioral effect: possibly fewer scans are attempted from those networks than would be attempted if nobody filtered bogons. As a result, the assumption of randomness may not be warranted; if bogons weren't filtered, there would be reasons hijackers would target them (not having a "legitimate assignee" to contend with); 10% of the space doesn't mean 10% of the scans; it could mean 40% of the scans, if enough scanners had a policy of preferring to scan from unassigned space. With looming IP exhaustion it's possibly even more important... I'd be worried about this scenario: APNIC denied your /12 request? No problem... pick a random bogon from the last 30 unassigned /8s and somehow sneak a line into your Tier1 provider contracts requiring they propagate only your announcements to the /12.... The space might otherwise be very enticing for evil scanners to use, because it's "easy pickings" no legitimate assignee of the address space to hunt them down and send armies of lawyers on a raid... -- -J
James Hess <mysidia@gmail.com> writes:
29/256 = 11% of the available address space. My argument is, if someone is scanning you from random source addresses blocking 10% of the scan traffic is reaching a point of very little return for the effort of updating the address lists, and as we all know it is getting smaller and smaller.
Granted, if the filters aren't updated very frequently, they're pretty bad.
That's the usual state of affairs, unfortunately.
But.. I would suggest, basically, filtering bogons is still great and pretty important, it serves as an ongoing deterrant against random unruly networks trying to pick up the unassigned addresses, or treating the space as "Up for grabs" just because some space happens to be unannounced (and unassigned).
Gotta agree with Leo here. We can't even get people to implement BCP-38, which is nine years old for crying out loud. The deployment level at which bogon filtering is a deterrent to squatting is quite a bit higher from the point at which it becomes an issue to legitimate users. I've considered static bogon filters to be a Worst Current Practice for years. If you feel you absolutely must engage in the practice use a dynamic feed like Cymru's, but honestly, just let it go. -r
Ran across two different DNS hosters in the last two weeks that were blocking space that was de-bogoned 2.5 years ago... =( One started as an e-mail issue, the other as a web access. The e-mail issue showed up as the server sending the sender an "I can't deliver this e-mail because I can't resolve the DNS info", and digs from the e-mail server confirmed the case. Testing from our old IP address space worked, so it was clear it was some kind of block based on IP address. The web browsing one was easy, too, because the customer was able to browse (when they had old DNS servers) and then couldn't (when we handed out new DNS servers). Since the e-mail issue was fresh in our mind, it was one of the first things we tested. I hope both DNS hosters took the time to update the rest of their bogon lists, too, not just remove our space from the bogon list. Frank -----Original Message----- From: Steve Dalberg [mailto:steve+nanog@sendithere.com] Sent: Friday, May 08, 2009 9:45 AM To: Oliver Hookins Cc: nanog@nanog.org Subject: Re: Checking bogon status of new address space Having recently received some de-bogon'ed addressing in or about this March, I can tell you that the one problem I had was people that had not updated their Bind Bogon filters ( http://www.cymru.com/Documents/secure-bind-template.html) and so were not responding to requests from our address space, so we just moved our dns cache boxes back to our older Level3 address space. Took a while to figure that one out though. Steve 2009/5/7 Oliver Hookins <oliver.hookins@anchor.com.au>
Hi,
my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year).
Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results.
-- Regards, Oliver Hookins Anchor Systems
Thanks for all your suggestions on this topic. For what it's worth, I attempted a few of the suggestions as well as my own idea and documented the outcomes here: http://www.anchor.com.au/blog/2009/05/testing-your-connectivity/ In summary, there's no definitive method for testing your connectivity is perfect (obviously) but I was able to determine (hopefully with reasonable accuracy) that there are a significant amount of ASs out there not reachable from our new address space, at least by IPv4 ICMP. -- Regards, Oliver Hookins Anchor Systems
Oliver Hookins wrote:
Hi,
my company has just been allocated some new IPv4 address space, and I want to do some sort of automated testing to find out any ASs out there that haven't removed the /8 it's on from their bogon list (the allocation to our local registry only occurred in November last year).
IMHO, if a network doesn't either update filters based on IANA notifications or follow Cymru BOGON, then they don't deserve to receive traffic from your network ;)
Has anybody attempted to do this? It is worth bothering? Currently I'm considering pulling out all the endpoint ASs out of the BGP table, finding at least one subnet for each of them and attempting to ping or reach other common ports on a single IP for each AS from our currently working address space, and then the new address space and comparing results.
Sounds like a major PITA. Why not tell us what the prefix is that you have, and we can ensure that our filters our clean? Probably easier asking a few 'NOGs than it is sweeping a few thousand prefixes. Steve
On Fri, 8 May 2009, Steve Bertrand wrote:
IMHO, if a network doesn't either update filters based on IANA notifications or follow Cymru BOGON, then they don't deserve to receive traffic from your network ;)
See how far you get telling customers that after you've given them recently debogonized space. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
participants (12)
-
Frank Bulk
-
James Hess
-
Jon Lewis
-
Leo Bicknell
-
Marco Hogewoning
-
Oliver Hookins
-
Owen DeLong
-
Rob Thomas
-
Robert E. Seastrom
-
Steve Bertrand
-
Steve Dalberg
-
Wolfgang Nagele