2008.02.20 NANOG 42 IPv4 PTR queries for unallocated space

Notes from day 4 of NANOG 42, we're on the home stretch now,
so there's only a bit more of my spewage to wade through before
we can resume our normal discussion of the imminent death of
the internet as we know it.

Again, apologies for typos, misspellings of names, etc.

Matt

2008.02.20 opening remarks and analysis of PTR
queries for IPv4 reserved addresses

Trying to measure use of unallocated IPv4 address
space

Starting with Leo Vigoda, working at IANA now.
leo.vigoda@icann.org

At last NANOG, did lightning talk about how people
were using unallocated space, but didn't show lots
of data.

Now, has a way to hopefully measure IPv4 addresses
that people are trying to use.

Not all the addresses, but at least one view of it.

Problem?
All unallocated unicast space will eventually be
allocated; no more free /8's in the IANA pool at
some point, as v6 won't get rolled out in time.

Some people are using the same addres space that's
currently in the 'unallocated' pool.

Tried to measure it by looking at DNS queries at
l.root for addresses in the unallocated blocks.
root servers provide in-addr.arpa delegations,
if a /8 isn't allocated, there's no delegation,
so the root servers see the queries.

Can't measure well-maintained networks with
split-horizon DNS, or with good egress filters.

Doesn't know how to measure truly private
internal use; if you have ideas, let him know.

Results slide; long blue line at the far left,
lots and lots of queries, then shallows off to
the right side; some old rubbish names in in-addr
people are querying for.

Left side is the fun stuff.

222/8, allocated to APNIC; not sure why it gets
a lot more queries than the other /8's. Could be
mail server lookups, since there's a lot of mail
that comes out of 222/8; could be one rogue server.
If you assume it's bogus, and chuck it out, data
'looks' better.
10/8 is near the top, as expected.
0/8 RFC3330
2/8 is unallocated; in the top 15 range. Odd there's
unallocated space so close to the top of the queries
range.
If you take out all the unallocated stuff, there's
still a lot of entries; looking at top 10 list:
2/8, 1/8, 23/8, 5/8, 100/8 is there at #5, which
is odd. the next /8's they *were* going to give
ARIN were 100/101, they decided to NOT give it
out to figure out why there's so many hits on it
in this round.

The top 10 list is the 30 day period ending sunday;
he also compared to statistics he used at the esNOG
meeting in madrid a few months ago.

Not very static; people leave top 10, new come on.

28dec-26jan, vs 19jan to 17feb

2/8 and 1/8 stay in #1 and #2
other /8s shift; 5/8 rises, 23/8 rises, 100/8
drops, 27/8 drops.

It's not static, there's movement, people are
shifting and shuffling blocks.

Not measuring the query source address and AS #
that could be gathered to inform people they're
trying to talk to unallocated space.

Only gathering from l.root, would be good to get
data from other root servers.

Leo's not a proper researcher, so would be good to
get skillset from a real researcher.

Would like to get data from nodes all over the
world to get more global information; can see if
there's more of a local component, or if this is
a global phenomenon. This would be a very big
data analysis challenge, combining l, k, and other
root server operators, and get a more complete view
of the data.

Use it to either warn people, or help get things
fixed if at all possible.

Q: Louis Lee, Equinix, want to find out if they've
looked to see if the top10 prefixes are in the global
routing table when the queries come in?

Doesn't know how to measure truly private internal use; if
you have ideas, let him know.

Make official requests to companies who operate networks along
with assurances of confidentiality. Include the NDA that you
are willing to sign along with your request. Try to find a legal
contact for each company and submit the requests to them as well
as to IP addressing folks and engineering/ops folks.

Note that "companies who operate networks" does not include
"network operators". A second approach that is more likely
to get results, but less likely to answer the whys and
wherefores, is to go to "network operators" who are in
the VPN or private lines business and ask them for stats
on what address ranges (and how many instances) their
customers use on private IP networks. Probably need the
same NDA and approach to legal contacts.

I know of a nonISP that has three separate non-overlapping
and non-connected private IP networks which use 1/8 addresses.
I know of a company that uses 1/8 through 8/8 on private
IP networks. I know of a company that chose to use 126/8
addresses because it seemed that 126/8 would be the last
IP block for RIRs to allocate. Then big cable companies
started running out of 10/8 space...

I've even seen an ISP using a /24 carved out of 196/8 in
their internal network management systems. I wasn't able
to find out if that started life as a typo of 192.168.?.?
and I can't remember the exact /24 range.

I've received SPAM reports for a former customer who connected
in 1994, received a /24, disconnected in 1996 but kept using
that /24 internally behind NATs. One day a bright salesperson
decided to SPAM some advertising. Since the SPAM content matched
this former customer's business, I chased it up and discovered
the reason why our address range was in the mail headers.
Is it possible to measure this? Maybe sniffing ISP nameserver
traffic to identify matching A and PTR queries where the PTR
name is clearly located in a different address range?

2/8, 1/8, 23/8, 5/8, 100/8 is there at #5, which is odd.

Odd? It's a round number which probably means that more
than one person has picked it when they needed to make
up an IP address.

next /8's they *were* going to give ARIN were 100/101, they
decided to NOT give it out to figure out why there's so many
hits on it in this round.

It would be good to find out why people have these kinds of
DNS leaks. Hopefully it will turn out to be configuration
errors which can be addressed through best practices.
Even when the space becomes allocated, people will continue
to use these blocks and this can be expected to become even
more common when IPv4 nears exhaustion.

--Michael Dillon

Just FYI:

Leo's email address is

<leo.vegoda@icann.org>

Regards,
-drc

It would be interesting to know how much of this space is really used for something more or less permanent, and how much is just random noise. For instance, I do a training course where people need to configure routers, and I use addresses out of 96.0.0.0/8 for that, because it has to be clear that we're talking about real addresses and not RFC 1918 stuff. Although this doesn't interact with the real internet, often, people end up having real addresses and also 96.0.0.0/8 addresses on their laptops so they probably generate some DNS queries for the 96 range.

Would it be useful for IANA to publish the order in which they're going to allocate /8s? That way, it's easier for people to plan getting out of the way of real deployment in time.

For instance, I do a training course where people need to configure routers, and I use addresses out of 96.0.0.0/8 for that, because it has to be clear that we're talking about real addresses and not RFC 1918 stuff.

Do you think you could consider some of the rfc3330 ranges like TEST-NET - 192.0.2.0/24 - or if you need more than one network, 191.255.0.0/16 ?

Would it be useful for IANA to publish the order in which they're going to allocate /8s? That way, it's easier for people to plan getting out of the way of real deployment in time.

Well it's a pretty safe bet that most of today's unused /8s will be allocated within the next couple of years !

Best wishes,
Andy

How come RFC 1918 addresses aren't real enough?

Because they look like RFC 1918 addresses.

For instance, I do a training course where people need to configure routers, and I use addresses out of 96.0.0.0/8 for that, because it has to be clear that we're talking about real addresses and not RFC 1918 stuff.

Do you think you could consider some of the rfc3330 ranges like TEST-NET - 192.0.2.0/24 - or if you need more than one network, 191.255.0.0/16 ?

Nothing is impossible, but shoehorning stuff into a small range doesn't make for a realistic training setup.

Would it be useful for IANA to publish the order in which they're going to allocate /8s? That way, it's easier for people to plan getting out of the way of real deployment in time.

Well it's a pretty safe bet that most of today's unused /8s will be allocated within the next couple of years !

That's true. (Well, it's more like three years: there are currently 41 /8s available and last year, 14 were allocated to the RIRs.)

I guess that means that people who want to use "off-label" address space should probably use the legacy /8s that are assigned but don't show up in the routing table.

I know of at least one large telecom provider which is using 100/8. In my opinion,
this should not be a reason to delay the use of these addresses for a legitimate
purpose. Rewarding address squatting simply isn't a good thing.

Owen

No one is attempting to reward address squatting.

The main reasons for this work are to try and quantify the scale and
distribution of the problem. I hope that with some more data and a fuller
analysis we will find that there isn't anything major to worry about.

But if the problem is significant, I'd like to be able to pre-warn people so
that they can take prepare themselves for it. That might mean doing simple
things like tweaking technical support and fault finding procedures,
possibly something else.

Regards,

Leo

[...]

Would it be useful for IANA to publish the order in which they're
going to allocate /8s? That way, it's easier for people to plan
getting out of the way of real deployment in time.

We have been discussing something along these lines. The exact method for
selecting the order in which /8s should be allocated hasn't been decided
yet, though.

Regards,

Leo