It has recently come to our attention that many Internet routers are still
filtering out IP addresses in the 69.0.0.0/8 range. If YOU are still
filtering this block in your router, please modify your filters accordingly.
Thank You
Date: Tue, 25 Feb 2003 14:09:26 -0800
From: "Hsu, Vicky"
> It has recently come to our attention that many Internet
> routers are still filtering out IP addresses in the
> 69.0.0.0/8 range. If YOU are still filtering this block in
Even after the NANOG thread months back? Yuck.
I _still_ like the idea of putting DNS roots in new IP blocks
during sunrise and having the final octet be .0 and/or .255. It
would be nice to catch dated bogon filters, lame attempts at
smurf stopping, _and_ stale root.cache in one blow.
> I _still_ like the idea of putting DNS roots in new IP blocks
> during sunrise and having the final octet be .0 and/or .255. It
> would be nice to catch dated bogon filters, lame attempts at
> smurf stopping, _and_ stale root.cache in one blow.
From an academic standpoint, that would be a very interesting experiment.
However, most of us are paid to keep our networks or services running, not
to intentionally break them.
S
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking
The trouble is, some people are neglecting their jobs and making things
rough for others (the people getting new allocations).
Somebody with one of these new cursed allocations ought to set up a system
with two IPs (one from the new block, one from an older established block)
and do reachability tests to various parts of the net, and then automate
sending a notice of bogus filters to those ASNs reachable from the old IP,
but not from the new one.
If I end up with some of this space, I'll be doing this.
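The two-source reachability comparison proposed above, as an added Python example (not code from the thread). The function names, the `min_targets` threshold, the documentation-range addresses and the reserved ASNs in the sample are assumptions constructed for illustration; the example stops at producing the list of ASNs that would receive a notice.

```python
import socket
from collections import defaultdict

# Constructed sample: (asn, target, ok_from_old_source, ok_from_new_source)
SAMPLE = [
    (64496, "192.0.2.10", True, False),
    (64496, "192.0.2.20", True, False),
    (64497, "198.51.100.5", True, True),
    (64497, "198.51.100.9", True, False),   # one odd host, AS answers elsewhere
    (64498, "203.0.113.7", False, False),   # down from both sources
    (64499, "203.0.113.99", True, False),   # only one data point
]

def tcp_reachable(src_ip, dst_ip, port=80, timeout=3.0):
    """Probe dst from a chosen local source address (hypothetical helper)."""
    try:
        with socket.create_connection((dst_ip, port), timeout,
                                      source_address=(src_ip, 0)):
            return True
    except ConnectionRefusedError:
        return True    # an RST came back, so packets flow in both directions
    except OSError:
        return False   # timeout or unreachable

def collect(old_src, new_src, targets, probe=tcp_reachable):
    """targets: [(asn, ip)] -> [(asn, ip, ok_old, ok_new)]"""
    return [(asn, ip, probe(old_src, ip), probe(new_src, ip))
            for asn, ip in targets]

def suspect_asns(results, min_targets=2):
    """Return {asn: [targets]} for ASNs where at least min_targets hosts
    answer the old source, and no host in that ASN answers the new one."""
    per_asn = defaultdict(lambda: {"old_only": [], "both": 0})
    for asn, target, ok_old, ok_new in results:
        if ok_old and not ok_new:
            per_asn[asn]["old_only"].append(target)
        elif ok_old and ok_new:
            per_asn[asn]["both"] += 1
        # unreachable from the old source too: host is down, no evidence
    return {asn: sorted(d["old_only"]) for asn, d in per_asn.items()
            if len(d["old_only"]) >= min_targets and d["both"] == 0}

if __name__ == "__main__":
    print(suspect_asns(SAMPLE))
```
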
> Somebody with one of these new cursed allocations ought to set up a system
> with two IPs (one from the new block, one from an older established block)
> and do reachability tests to various parts of the net, and then automate
> sending a notice of bogus filters to those ASNs reachable from the old IP,
> but not from the new one.
And how quickly would those ASN's respond to or even comprehend the
bogon-filter update notices? If those ASN's are competent and
quick-responsive ones, we should not even be having these problems to
begin with.
Date: Tue, 25 Feb 2003 19:46:53 -0600
From: Stephen Sprunk
(Props to whoever thought up what you put in the "To" field)
> From an academic standpoint, that would be a very interesting
> experiment. However, most of us are paid to keep our
> networks or services running, not to intentionally break
> them.
I see. So you advocate innocent 69/8 users suffering because you
don't want to cause pain for the lazy and inept? I'd rather see
the latter paying for their sins, not innocent third parties.
Note that my suggestions (credit to Jeff Wheeler for suggesting
roots in new IP allocations) would break NOTHING on a properly-
maintained network.
Let's put it this way: 69/8 evidently is still being filtered by
some, despite pleading and time. Things _will_ break. This
won't be the last time we encounter new allocations, either.
_Someone_ will feel pain.
Who do you feel should bear the brunt? How do you propose to
make it happen?
If the alternative is getting space, giving it to customers, and
explaining why they can't reach X, Y, and Z on their connection to us, but
they can on other internet connections, we're going to at least have to
try.
I like the idea of moving the gtld servers into such space. That way, the
networks that are at fault will break, and they'll be well motivated to
fix their filters.
> If the alternative is getting space, giving it to customers, and
> explaining why they can't reach X, Y, and Z on their connection to us, but
> they can on other internet connections, we're going to at least have to
> try.
True, but we'd have to try something that would be effective... Imagine
how many of those incompetent ASN's still have _outdated_ technical
contact email and phone numbers..
> I like the idea of moving the gtld servers into such space. That way, the
> networks that are at fault will break, and they'll be well motivated to
> fix their filters.
I think this is the way to go. It will break the ASN's who do not properly
have updated filters. The only thing to be careful of is a type of
consequence where some of _your_ customers may attempt to get to one of
the broken ASN's. DNS issue at the broken ASN's may cause a few
minor-to-medium oddities that may cause more phone calls on your end.
Yes. This last weekend, the state network added a Bogon list to their
routers. Too bad the list they chose still had 69/8 in it. Not that I mind.
The complaint came from a customer who's multi-homed between us. I like it
when the competition makes foolish mistakes.
Outside of that instance, I get about 1 report every week or two of some
small business out there whose firewall was set up for them years ago, and
they had no clue what it was doing. I can forgive these guys, and it's
usually not too big of a problem. Then again, I'm glad I didn't get the
first blocks.
> I _still_ like the idea of putting DNS roots in new IP blocks
> during sunrise and having the final octet be .0 and/or .255. It
> would be nice to catch dated bogon filters, lame attempts at
> smurf stopping, _and_ stale root.cache in one blow.
I would agree with this, except that it would kill most of the people I've
contacted. Most of the people who are still filtering aren't even aware of
it. If we broke them, they'd have hell trying to fix it. I get a lot of
"uhhhhh. bogon? huh?". Large networks don't have an excuse, but I pity the
small mom and pop shop that hardly even understands what a firewall is.
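A check for the failure described in this thread, a bogon list that still contains 69/8, as an added Python example (not code from any poster). It audits a filter file for entries that overlap allocated space; the sample filter, the function names and the `ALLOCATED` list holding only the thread's 69.0.0.0/8 are constructed assumptions.

```python
import ipaddress
import re

# Blocks known to be allocated. Only the thread's block is listed here;
# in practice this list is built from the current IANA registry.
ALLOCATED = [ipaddress.ip_network("69.0.0.0/8")]

# Constructed sample filter: CIDR lines plus one Cisco-style ACL line.
SAMPLE_FILTER = """\
# bogon list, copied in years ago (constructed sample)
10.0.0.0/8
69.0.0.0/8
access-list 110 deny ip 69.128.0.0 0.127.255.255 any
64.0.0.0/4
192.0.2.0/24
"""

QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
CIDR = re.compile(rf"\b{QUAD}/\d{{1,2}}\b")
ACL = re.compile(rf"\bdeny\s+ip\s+({QUAD})\s+({QUAD})\b")

def parse_filter(text):
    """Yield (line_no, network) for each prefix in CIDR or ACL wildcard form."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        acl, cidr = ACL.search(line), CIDR.search(line)
        try:
            if acl:
                # wildcard mask is the bitwise inverse of the netmask
                inv = int(ipaddress.IPv4Address(acl.group(2))) ^ 0xFFFFFFFF
                spec = f"{acl.group(1)}/{ipaddress.IPv4Address(inv)}"
            elif cidr:
                spec = cidr.group(0)
            else:
                continue
            yield no, ipaddress.ip_network(spec, strict=False)
        except ValueError:
            continue                         # malformed or non-contiguous mask

def stale_entries(text, allocated=ALLOCATED):
    """Return [(line_no, filtered, allocated)] for entries that overlap
    allocated space: exact matches, more-specifics and covering prefixes."""
    return [(no, str(net), str(a))
            for no, net in parse_filter(text)
            for a in allocated if net.overlaps(a)]

if __name__ == "__main__":
    for hit in stale_entries(SAMPLE_FILTER):
        print("line %d: %s overlaps allocated %s" % hit)
```
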