Atlantic.Net has just joined the 69/8 club of ARIN members with
assignments in this IP block that's apparently in numerous outdated bogon
filters. As I posted I'd do earlier if given space from this block, I've
written some code to check reachability to a large number of remote IPs
from 2 source IPs...one in one of our older ARIN blocks, one in the new 69
block.
I'm feeding this code a very large list of known mail server IPs, and
having it ping each IP...only it'll ignore /24's once reachability from
both the old and new IPs has been established to an IP in that /24.
It's only just getting started on the list, but I've already found dozens
of networks that appear to be problems. I've hand confirmed a couple and
sent off emails to the ARIN contacts. It looks like there are going to be
so many networks to notify, I'll have to write some more code to automate
these emails.
What have others in this situation done?
Are you actually assigning 69/8 IPs to unsuspecting customers and hoping
they won't notice parts of the internet ignoring them?
According to ARIN's whois server, there are 95 subdelegations for
NET-69-0-0-0-0...we're the 95th.
I don't know if ARIN has other "less tainted" IP space to give out, but
something ought to be said/asked about this at the next meeting. I
realize ARIN can't guarantee global routability of IP space, but should
they continue to give out IP blocks they absolutely know are not fully
routable on the internet today?
My proposal to help with it is: http://www.arin.net/policy/2003_7.html
Language isn't the best of my skills but you get an idea anyway. And if
you're coming to Memphis, feel free to say something there on this topic.
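The reachability check described in the opening post, as an added example (not the poster's own code): every target is probed from an old-block source and a new-block source, a /24 stops being probed once one host in it has answered both sources, and the /24s whose hosts answer the old source but never the new one are reported as likely stale-filter networks to notify. The live probe assumes Linux iputils ping, whose -I flag selects the source address; the simulated probe, the placeholder sources 10.0.0.1/10.0.0.2 and the target hosts in the documentation ranges are constructed for the demonstration.

```python
"""Differential reachability check for a newly assigned block.

Added example, not the original poster's code. Ping each host in a target
list from an old-block source and a new-block source; stop probing a /24 once
a host in it has answered both; report /24s that answer the old source only.
"""
import ipaddress
import subprocess
from typing import Callable, Dict, Iterable, List, Set

# probe(source_ip, target_ip) -> True if the target answered
ProbeFn = Callable[[str, str], bool]


def ping_from(source: str, target: str, timeout_s: int = 2) -> bool:
    """Live probe: one ICMP echo request sent from `source` (assumes Linux iputils ping)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-I", source, target]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def net24(ip: str) -> str:
    """The /24 containing `ip`, e.g. 198.51.100.7 -> 198.51.100.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def check_reachability(targets: Iterable[str], old_src: str, new_src: str,
                       probe: ProbeFn) -> Dict[str, Dict[str, int]]:
    """Probe each target from both sources until its /24 has answered both.

    Per /24 the result records old_ok / new_ok (has any host answered that
    source) and evidence (hosts that answered the old source but not the new
    one in the same round, i.e. the host was up and only the new source failed).
    """
    status: Dict[str, Dict[str, int]] = {}
    for target in targets:
        st = status.setdefault(net24(target), {"old_ok": 0, "new_ok": 0, "evidence": 0})
        if st["old_ok"] and st["new_ok"]:
            continue  # this /24 is already known good from both sources; skip it
        old_answered = probe(old_src, target)
        new_answered = probe(new_src, target)
        st["old_ok"] = st["old_ok"] or int(old_answered)
        st["new_ok"] = st["new_ok"] or int(new_answered)
        if old_answered and not new_answered:
            st["evidence"] += 1
    return status


def suspected_filters(status: Dict[str, Dict[str, int]]) -> List[str]:
    """/24s whose hosts answered the old block but never the new one."""
    return sorted(n for n, st in status.items() if st["evidence"] and not st["new_ok"])


def make_simulated_probe(down_hosts: Set[str], filtered_24s: Set[str], new_src: str) -> ProbeFn:
    """Constructed stand-in for ping_from: hosts in `down_hosts` never answer,
    and /24s in `filtered_24s` drop packets from `new_src` (a stale bogon filter)."""
    def probe(source: str, target: str) -> bool:
        if target in down_hosts:
            return False
        return not (source == new_src and net24(target) in filtered_24s)
    return probe


if __name__ == "__main__":
    # Constructed sample: placeholder sources, targets in documentation ranges.
    OLD_SRC, NEW_SRC = "10.0.0.1", "10.0.0.2"
    targets = ["203.0.113.5", "203.0.113.9", "198.51.100.7",
               "198.51.100.8", "192.0.2.3", "192.0.2.4"]
    probe = make_simulated_probe({"203.0.113.5"}, {"198.51.100.0/24"}, NEW_SRC)
    result = check_reachability(targets, OLD_SRC, NEW_SRC, probe)
    for net, st in sorted(result.items()):
        print(net, st)
    print("notify:", suspected_filters(result))
```

Run as a script it uses the simulated probe; pass `ping_from` instead to run it against a real target list. The evidence count is what makes a notification defensible: a /24 that answers neither source is simply down, not filtering, and gets no e-mail.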
> Atlantic.Net has just joined the 69/8 club of ARIN members with
> assignments in this IP block that's apparently in numerous outdated bogon
> filters. As I posted I'd do earlier if given space from this block, I've
> written some code to check reachability to a large number of remote IPs
> from 2 source IPs...one in one of our older ARIN blocks, one in the new 69
> block.
Welcome. I'm glad to see you on board. Perhaps some of these issues will get
resolved for us smaller /18 assignments.
> What have others in this situation done?
> Are you actually assigning 69/8 IPs to unsuspecting customers and hoping
> they won't notice parts of the internet ignoring them?
Oh, the customers notice them, and each report is handled as brought to our
attention. It's a large net, so we haven't bothered with probing at this
junction. I get about 1-3 reports a month from my customers that are due to
filters. A few of the lists themselves are out of date, evidenced by
networks that were previously working suddenly breaking by applying a new
BOGON list. Most cases are smaller networks that are often unaware that they
run such filtering. Some don't even know what it is.
I didn't have a choice on giving the space to customers. My old IP addresses
were being recalled and I get what ARIN gives me. In another month 60%+ of
my network will be within the 69/8 and I'll have to request more space which
will most likely be from the same block (the last I checked, my /18 could
expand to a /17). As far as I'm concerned, the quicker the space is assigned
and utilized, the more people we'll have spotting and contacting networks
that have bad filters.
> I don't know if ARIN has other "less tainted" IP space to give out, but
> something ought to be said/asked about this at the next meeting. I
> realize ARIN can't guarantee global routability of IP space, but should
> they continue to give out IP blocks they absolutely know are not fully
> routable on the internet today?
In defense of ARIN, the ice on a net block has to be broken at some point.
They could wait 3 years and notify every list every hour of every day for
those 3 years and there would still be many networks filtering those
networks. The only way to catch it is to notice the block and make contact
with the network. In many cases, personal contact is necessary as emails are
often misunderstood or ignored.
Jack Bates
BrightNet Oklahoma
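A check for the out-of-date lists Jack describes, as an added example (not from the thread): it parses Cisco IOS style access-list lines, converts the wildcard masks to prefixes, and flags every deny entry that overlaps a prefix the operator has since learned is allocated. The sample ACL and the list of now-allocated prefixes are constructed; 69.0.0.0/8 is the block under discussion, and the other addresses are private or documentation ranges used as filler.

```python
"""Flag bogon ACL entries that now deny allocated address space.

Added example, not from the thread. Parses Cisco IOS style access-list lines
(wildcard masks) and reports deny entries that overlap prefixes the operator
knows have since been allocated. The sample ACL and allocation list are
constructed for the demonstration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Matches: access-list N deny|permit ip <addr> <wildcard> any
#          access-list N deny|permit ip host <addr> any
#          access-list N deny|permit ip any any
_ENTRY = re.compile(
    r"^\s*access-list\s+\d+\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?:host\s+(?P<host>[\d.]+)"
    r"|(?P<addr>[\d.]+)\s+(?P<wild>[\d.]+)"
    r"|(?P<any>any))"
    r"\s+any\b"
)

# Constructed sample: a bogon ACL written before 69/8 was handed out, plus the
# prefixes this operator has since learned are allocated (69/8 from the thread;
# 198.51.100.0/24 is a documentation range standing in for another new block).
SAMPLE_ACL = [
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 69.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 192.0.2.0 0.0.0.255 any",
    "access-list 100 deny ip host 198.51.100.9 any",
    "access-list 100 permit ip any any",
]
NOW_ALLOCATED = ["69.0.0.0/8", "198.51.100.0/24"]


def parse_entry(line: str) -> Optional[Tuple[str, IPv4Net]]:
    """(action, source network) for one ACL line; None if it is not an 'ip' entry."""
    m = _ENTRY.match(line)
    if not m:
        return None
    if m.group("host"):
        net = IPv4Net(f"{m.group('host')}/32")
    elif m.group("any"):
        net = IPv4Net("0.0.0.0/0")
    else:
        # ipaddress accepts an IOS wildcard (hostmask) in place of a prefix length
        net = IPv4Net(f"{m.group('addr')}/{m.group('wild')}", strict=False)
    return m.group("action"), net


def stale_denies(acl_lines: List[str], allocated: List[str]) -> List[Tuple[str, str]]:
    """Deny entries overlapping a now-allocated prefix, as (denied network, allocated prefix)."""
    alloc = [IPv4Net(p) for p in allocated]
    hits: List[Tuple[str, str]] = []
    for line in acl_lines:
        parsed = parse_entry(line)
        if parsed is None or parsed[0] != "deny":
            continue
        net = parsed[1]
        hits.extend((str(net), str(a)) for a in alloc if net.overlaps(a))
    return hits


if __name__ == "__main__":
    for denied, alloc in stale_denies(SAMPLE_ACL, NOW_ALLOCATED):
        print(f"stale: deny {denied} now blocks allocated {alloc}")
```

Feed it the running config's access-list lines and a current list of allocated prefixes each time a new block is announced; an entry that shows up here is exactly the kind of filter that starts breaking customers the day the space is put into use.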
I repeat my suggestion that a number of DNS root-servers or gtld-servers
be renumbered into 69/8 space. If the DNS "breaks" for these neglected
networks, I suspect they will quickly get enough clue to fix their ACLs.
Add Eddy's suggestion that the addresses all end in .0 or .255 and you
have a fine machine for cleaning up a few old, irritating problems.
Nice idea in principle (from a purist point of view) but it's not practical, I
hope you're not serious..!
Steve
Moving a number of them won't do anything. Broken networks would just use
the ones they can reach. Moving the root-servers isn't a good option
anyway since lots of Bind setups are distributed with a . hints file
containing A records for the root-servers, and these hints files are
updated probably less frequently than bogon filters.
Since the root-servers have been reduced to referring queries to the
gtld-servers and nstld servers and perhaps others, these latter servers
would be the ones to move that would cause no pain for networks that work,
and immediate notification and motivation to fix filters for networks with
outdated filters.
I don't suppose there's even a slim chance of this happening?
Date: 10 Mar 2003 15:23:52 -0500
From: Jeff S Wheeler
> I repeat my suggestion that a number of DNS root-servers or
> gtld-servers be renumbered into 69/8 space. If the DNS
> "breaks" for these neglected networks, I suspect they will
> quickly get enough clue to fix their ACLs.
> Add Eddy's suggestion that the addresses all end in .0 or
> .255 and you have a fine machine for cleaning up a few old,
> irritating problems.
I suggest a rotation like so:
Jan-Apr: 69.w.w.0
Apr-Jul: 69.x.x.255
Jul-Oct: 70.y.y.0
Oct-Jan: 70.z.z.255
where the middle two octets are predetermined ahead of time.
IIRC, some RFC recommends updating the root zone cache monthly...
following this would ensure one had proper root/gTLD addresses.
The above also would break DNS for broken networks for a two
month stretch... long enough to flush out bad rules.
Eddy
You want to move things like gtld servers,
yahoo/google (and other 'important' things), including
things like oscar.toc.aol.com into these.
This will leave the clueless to buy a clue and
stimulate the economy 
- jared
This wouldn't actually accomplish what you're trying to do. The resolvers
that couldn't reach those root and/or TLD servers that are behind the
'broken' networks would simply shift their traffic to the ones that they
could reach. The only thing you'd accomplish by this is an increased load
on the root/TLD servers that are in their normal locations.
Doug
Date: Mon, 10 Mar 2003 13:00:15 -0800 (PST)
From: Doug Barton
> This wouldn't actually accomplish what you're trying to do.
No?
> The resolvers that couldn't reach those root and/or TLD
> servers that are behind the 'broken' networks would simply
> shift their traffic to the ones that they could reach. The
And which would those reachable ones be?
> only thing you'd accomplish by this is an increased load
> on the root/TLD servers that are in their normal locations.
B: 69.22.233.255
C: 69.87.152.255
: : :
M: 69.255.254.255
The suggestion is to move ALL root, and as many TLD as possible,
servers into the new space. Nobody has said "move one or two",
which indeed would be ineffective.
Eddy
Stephen J. Wilcox wrote:
> > I repeat my suggestion that a number of DNS root-servers or gtld-servers
> > be renumbered into 69/8 space. If the DNS "breaks" for these neglected
> > networks, I suspect they will quickly get enough clue to fix their ACLs.
> Nice idea in principle (from a purist point of view) but it's not practical, I hope you're not serious..!
How about making *temporary* allocations to content providers
who volunteer to move some/all content to net-69? Use an initial
page on your regular net to alert users to "contact their
ISP and have them fix their bogon filter if the below link
doesn't work." If done right, it might speed up the clean-up.
The only problem would be finding volunteers with sufficient
traffic who are willing to break their site.
I could do this on some of my sites. They're not Ebay, but
they do get hit from about 40K unique IPs per day, with
a very global distribution. If ARIN is interested, contact
me privately.
KL
Ah, sorry, I wasn't aware of the full extent of your crack-smoking-ness.
You'll never get all of the root server operators to agree on this (or
much of anything), so that leaves the root out (even if this were a good
idea, which it isn't). Since for sufficiently useful definitions of "all,"
all of the TLD's are commercial entities, you'll never get them to
volunteer to break their own domains, and their customers would riot if
they did.
Suffice it to say, this idea is never going to happen, although if it
takes energy away from the "ldap is the solution to all problems" thread,
feel free to keep discussing it.
Doug
Date: Mon, 10 Mar 2003 13:58:20 -0800 (PST)
From: Doug Barton
> Ah, sorry, I wasn't aware of the full extent of your
> crack-smoking-ness.
> You'll never get all of the root
> server operators to agree on this (or much of anything), so
I'm sorry, I'm having trouble grepping my mailbox. Can you post
a link to the NANOG archives where you mentioned your superior
solution and what exactly is wrong with the idea?
*plonk*
Eddy
> You want to move things like gtld servers,
> yahoo/google (and other 'important' things), including
> things like oscar.toc.aol.com into these.
No, if you really want to stir things up, start an article on slashdot,
let the posters whip themselves into a frenzy, then move slashdot into the
ghetto space the next day. It's cruel, but it sure would be fun.
And you might even convince the slashdot people to do it.
C
Does anyone have any idea of the processing overhead that would be placed on
a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT
interface that faced the Internet, assuming VIP4-80 engines and 256Mb of
memory?
Simon Brilus
Internet and Operations Manager
Bulldog Communications Ltd.
www.bulldogdsl.com
So, you can't get people to fix bogons but you can get them all to fix their dns
cache files overnight. I don't think so.
And you want to push all the critical servers into a narrow set of IPs, that
surely must have some implications for DoS more so than a well spread out set.
I don't think you're being realistic here and thinking through properly..
Steve
> Does anyone have any idea of the processing overhead that would be placed on
> a Cisco 7507 if you applied bogon and anti-spoof filters on a 100BT
> interface that faced the Internet, assuming VIP4-80 engines and 256Mb of
> memory?
It's not too bad. If it will support everything else you are doing, as it
isn't as versatile, the VIP8 (or was it 6; no coffee yet) is primarily
designed to handle complex access lists, or so an SE once told me. It didn't
handle the other functionality I needed, so I stayed with the 4.
-Jack