We were recently assigned a 72.244/16 allocation from ARIN. Friendly reminder that ARIN started allocating 72/8 since Aug. If you have static bogon filters, can you please make sure they are updated. Thank You
Sincerely,
Ka Lun Chan (KC)
COVAD Communications
www.voipthemovie.com
> We were recently assigned a 72.244/16 allocation from ARIN. Friendly
> reminder that ARIN started allocating 72/8 since Aug. If you have
> static bogon filters, can you please make sure they are updated. Thank
if you are really worried about this, and i can understand your
being so, then make it easy for the busy folk here (not those
pontificating on law and morals in the rocky mountains) to test.
give us an address we can ping.
randy
UUNET has a customer (several probably, just one 'vocal') with this same
problem
We are investigating getting a /32 from their space for use as
a 'proxy test' box similar to Mr. Lewis's 69/8 box was... If there is some
interest once we have it in place we could probably say: "ip BLAH" and
permit folks, in some controlled manner, to use it for browser testing of
sites?
> > We were recently assigned a 72.244/16 allocation from ARIN. Friendly
> > reminder that ARIN started allocating 72/8 since Aug. If you have
> > static bogon filters, can you please make sure they are updated. Thank
> if you are really worried about this, and i can understand your
> being so, then make it easy for the busy folk here (not those
> pontificating on law and morals in the rocky mountains) to test.
> give us an address we can ping.
a bit more coffee made me realize that what might best occur would
be for the rir, some weeks BEFORE assigning from a new block issued
by the iana, put up a pingable for that space and announce it on
the lists so we can all test BEFORE someone uses space from that
block.
randy
Randy Bush wrote:
> a bit more coffee made me realize that what might best occur would
> be for the rir, some weeks BEFORE assigning from a new block issued
> by the iana, put up a pingable for that space and announce it on
> the lists so we can all test BEFORE someone uses space from that
> block.
Or maybe people should actually have systems to look at what hits their filters and from where and look at the summaries once a month or so?
Pete
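A sketch of the kind of filter-hit summary suggested above, added here as an example and not code from any poster in this thread. The deny-log format, the bogon list and the destination addresses are constructed for illustration; only 72/8, 69/8 and 72.244/16 come from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed static bogon list as it might sit in an old ACL; 72.0.0.0/8 is the stale entry.
STATIC_BOGONS = ["10.0.0.0/8", "72.0.0.0/8", "192.168.0.0/16"]
# Space the thread says is now being handed out (72/8, and earlier 69/8).
NOW_ALLOCATED = ["69.0.0.0/8", "72.0.0.0/8"]

# Constructed deny-log lines in a hypothetical "DENY src=... dst=... dport=..." format.
SAMPLE_LOG = """\
DENY src=72.244.10.5 dst=192.0.2.10 dport=80
DENY src=72.244.10.5 dst=192.0.2.10 dport=443
DENY src=72.244.77.1 dst=192.0.2.25 dport=25
DENY src=10.1.2.3 dst=192.0.2.10 dport=80
DENY src=not-an-ip dst=192.0.2.10 dport=80
PERMIT src=198.51.100.7 dst=192.0.2.10 dport=80
"""

LINE_RE = re.compile(r"^DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def stale_entries(bogons, allocated):
    # A filter entry is stale when it overlaps space that is no longer unallocated.
    alloc = [ipaddress.ip_network(a) for a in allocated]
    nets = [ipaddress.ip_network(b) for b in bogons]
    return [n for n in nets if any(n.overlaps(a) for a in alloc)]

def summarize(log_text, bogons, allocated):
    # Count denied packets whose source sits inside a stale bogon entry.
    stale = stale_entries(bogons, allocated)
    report = defaultdict(lambda: {"hits": 0, "sources": set(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # permits and unparseable lines are not filter hits
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed source field
        for net in stale:
            if src in net:
                entry = report[str(net)]
                entry["hits"] += 1
                entry["sources"].add(str(src))
                entry["dports"].add(int(m.group(3)))
    return dict(report)
```

Hits from RFC 1918 space are ignored on purpose: only entries that overlap allocated space indicate a filter that needs updating.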
> > a bit more coffee made me realize that what might best occur would
> > be for the rir, some weeks BEFORE assigning from a new block issued
> > by the iana, put up a pingable for that space and announce it on
> > the lists so we can all test BEFORE someone uses space from that
> > block.
> Or maybe people should actually have systems to look at what hits their
> filters and from where and look at the summaries once a month or so?
that is what happens now. and it takes months for maria to be able
to get to the entire net.
randy
So, it's probably a multifaceted problem:
1) acls (router)
2) firewalls (host)
3) route acceptance (routers)
Some can be audited 'easily' some are 'set and forget' (or forgot)
Ping might just be dropped to destinations, before any idea of 'ip space'
filters (think www.sun.com filters). You really have to test with the
protocols your main user base might be using (http/https).
-Chris
Hmmm.. or, if the RIRs are going to advertize the block anyway between IANA
issue and space assignment (which would appear to be a necessary
precondition for what you suggest to work), why not ping "a large
collection of targets" using the new block, and various other IP addresses
as source addresses, and see which addresses responded from the old
block(s), but not from the new block. Sort by AS, and that would give you a
list (correct to heuristic level) of AS's that need to update their filters.
Then stick it on a web page.
RIPE could (for instance) generate its "large collection of targets" using
a tiny sample of host-count data. (clearly RIPE needs to ping addresses
from all RIRs, ditto ARIN, APNIC etc.)
Alex
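The comparison proposed above, as an added example that is not part of the original post: targets that answer a probe sourced from an old block but not one sourced from the new block are grouped by origin AS. The probe results and the prefix-to-AS table are constructed, using documentation prefixes and ASNs.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-origin-AS table (documentation prefixes and ASNs).
PREFIX_TO_AS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,
    "203.0.113.0/24": 64499,
}

# Constructed results: target -> (answered old-block source, answered new-block source).
PROBES = {
    "192.0.2.1": (True, True),
    "192.0.2.9": (True, False),
    "198.51.100.5": (True, False),
    "198.51.100.6": (True, False),
    "198.51.100.200": (True, True),
    "203.0.113.7": (False, False),
    "203.0.113.8": (False, True),
}

def origin_as(target, table):
    # Longest-prefix match of the target against the table; None if uncovered.
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def suspect_ases(probes, table):
    # Returns (asn, blocked_targets, responsive_targets), worst AS first.
    blocked, responsive = Counter(), Counter()
    for target, (old_ok, new_ok) in probes.items():
        if not old_ok:
            continue  # silent to the control source too: no inference about filters
        asn = origin_as(target, table)
        if asn is None:
            continue
        responsive[asn] += 1
        if not new_ok:
            blocked[asn] += 1
    rows = [(asn, blocked[asn], responsive[asn]) for asn in blocked]
    return sorted(rows, key=lambda r: (-r[1], r[0]))
```

Reporting the responsive count beside the blocked count keeps the list "correct to heuristic level": an AS where only one of many targets fails is more likely a host firewall than a border filter.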
> a bit more coffee made me realize that what might best occur would
> be for the rir, some weeks BEFORE assigning from a new block issued
> by the iana, put up a pingable for that space and announce it on
> the lists so we can all test BEFORE someone uses space from that
> block.
ARIN meeting happens in Orlando in about 1 month
from now. There is at least one open mike session
on the agenda and there is also a new policy workshop
if folks think that this practice needs to be made
into a formal policy.
Also, on the ARIN website at http://www.arin.net/about_us/ab_org_bot.html
you can find contact info for the Board of Trustees.
These are the people who can decide that something
makes perfect sense and instruct staff to just do it
without going through the process of changing policies.
Seems to me that this idea falls into the "just do it"
category, i.e. it's operational best practice.
So if you want this feature, tell ARIN about it!
--Michael Dillon
P.S. there is an upcoming RIPE meeting in Stockholm
at the end of May. As above, tell them that this
is important for them to be doing.
> a bit more coffee made me realize that what might best occur would
> be for the rir, some weeks BEFORE assigning from a new block issued
> by the iana, put up a pingable for that space and announce it on
> the lists so we can all test BEFORE someone uses space from that
> block.
Based on what I've seen in last 2 years for all new IANA allocations to RIR, the assignments from the ip blocks do not happen on day one and in fact it takes RIR about 2-3 months before they start using that ip block.
During that first couple months RIR makes announcements about the ip
block (and we can possibly ask them to make additional announcement
around week prior to when ip block first allocation is expected to
be made) and some RIRs like RIPE use those 2 months to check reachability
of the ips within the block.
One of the problems for North America though is that ARIN does not seem
to want to get involved in the operation aspects and so it does not
do quite as much as for example RIPE.
> > a bit more coffee made me realize that what might best occur would
> > be for the rir, some weeks BEFORE assigning from a new block issued
> > by the iana, put up a pingable for that space and announce it on
> > the lists so we can all test BEFORE someone uses space from that
> > block.
> ARIN meeting happens in Orlando in about 1 month
> from now. There is at least one open mike session
> on the agenda and there is also a new policy workshop
> if folks think that this practice needs to be made
> into a formal policy.
it doesn't. it's not policy. it's a simple ops hack. let's
not see how complex we can make it or how much bureaucrazy we
can wrap around it.
it seems that even bureaucrazy ripe managed to do it without
holding policy discussions; see henk's posting.
randy
> it seems that even bureaucrazy ripe managed to do it without
> holding policy discussions; see henk's posting.
I believe that RIPE does these things BECAUSE it is
more bureaucratic than ARIN. As a result, RIPE staff
feel more empowered to do sensible projects outside of
the policy process.
In any case, it is not important how the message
gets communicated to ARIN. What is important is for
network operators to *TELL* ARIN what they need ARIN
to do. One way to talk to ARIN is through the public
meetings and another way is to email one of the
trustees.
--Michael Dillon
> In any case, it is not important how the message
> gets communicated to ARIN. What is important is for
> network operators to *TELL* ARIN what they need ARIN
> to do. One way to talk to ARIN is through the public
> meetings and another way is to email one of the
> trustees.
and one is to send an email to arin's external relations or ops
folk, which i did a while ago. i suspect they also read this
list. you can now return to pontificating on law and morals in
a mostly rural western us state, always a productive activity
for ops folk.
randy
> is arin the problem here? or are 'lazy'/'dumb'/'mistaken'/'poorly
> informed' admins the problem?
Lazy/misguided/ex admins / downsized networks are the problem. ARIN is in
a unique position to be able to do something to at least try to mitigate
the problem without too much effort before handing "damaged IP space" out
to members. The current situation frustrates those who don't know what to
do, and encourages them to look elsewhere for the IP space they need.
> > In any case, it is not important how the message
> > gets communicated to ARIN. What is important is for
> > network operators to *TELL* ARIN what they need ARIN
> is arin the problem here? or are 'lazy'/'dumb'/'mistaken'/'poorly
> informed' admins the problem?
ARIN is not part of the problem, but ARIN *IS* part
of the solution.
If ARIN was really a functional organization, i.e. driven
by its members, then we wouldn't even be talking about this
here. It would have been done long ago.
However, ARIN today is a very dysfunctional organization.
Most ARIN members seem to view ARIN as a distant regulatory
agency to whom they must regularly burn incense and make
sacrifices in order for the ARIN gods to bestow IP addresses
upon the unworthy network operator. The result is that there
is little participation by ARIN members in monitoring and
governing ARIN. And therefore, ARIN does what it has always
done without changing or innovating.
Is this bad? Yes, it is bad that so many ARIN members
remain at arms length. It is bad that so many ARIN members
do not understand ARIN and do not drive ARIN towards better
meeting the needs of the IP network operations industry.
It is bad that so many network operators fear ARIN and think
that ARIN carries a big stick like the FCC. The fault is not
with the people involved in ARIN; the fault is with the majority
of IP network operators who do not get involved with ARIN.
--Michael Dillon
I think it's important to remember the "lazy/dumb/mistaken/poorly informed" folk alluded to above are NOT the ones receiving IP address space, but people elsewhere in (and all over) the world.
ARIN does not provide any statement of suitability of the address space for any purpose. That's nice for the lawyers, but pretty useless from a customer satisfaction and network operations standpoint.
The idea of ARIN temporarily lighting address space in any new block, and providing a test target is reasonable, relatively inexpensive and sensible.
Paying members of ARIN are today negatively impacted by receiving assignments that remain in filters. It clearly makes little sense for those receiving address space to each have to expend significant time and effort to turn the address space into usable space. As such, the paying customers & members should consider requesting this be a function that could be best handled centrally by ARIN.
> > is arin the problem here? or are 'lazy'/'dumb'/'mistaken'/'poorly
> > informed' admins the problem?
> Lazy/misguided/ex admins / downsized networks are the problem.
if aol is not worried enough to tell us an address to ping, perhaps
you can see why we prospective pingers are not getting our undies
in a knot. and, to carry it a step further, one might then infer
why arin has not seen it as a priority. i suspect this discussion
will change the latter. dunno what will change the former.
> ARIN is in a unique position to be able to do something to at
> least try to mitigate the problem without too much effort before
> handing "damaged IP space" out to members.
damaged? so you will do your bit to undamage unused ip space by
not bogon filtering on your network?
randy
>
> >
> > > In any case, it is not important how the message
> > > gets communicated to ARIN. What is important is for
> > > network operators to *TELL* ARIN what they need ARIN
> >
> > is arin the problem here? or are 'lazy'/'dumb'/'mistaken'/'poorly
> > informed' admins the problem?
>
>Lazy/misguided/ex admins / downsized networks are the problem. ARIN is in
>a unique position to be able to do something to at least try to mitigate
>the problem without too much effort before handing "damaged IP space" out
>to members. The current situation frustrates those who don't know what to
>do, and encourages them to look elsewhere for the IP space they need.
> I think it's important to remember the "lazy/dumb/mistaken/poorly informed"
> folk alluded to above are NOT the ones receiving IP address space, but
> people elsewhere in (and all over) the world.
of course, I should have been more clear, sorry 
> The idea of ARIN temporarily lighting address space in any new block, and
> providing a test target is reasonable, relatively inexpensive and sensible.
this requires the above lazy/dumb/mistaken/poorly-informed masses to want
to hit the targets as well, eh? 
> Paying members of ARIN are today negatively impacted by receiving
> assignments that remain in filters. It clearly makes little sense for those
> receiving address space to each have to expend significant time and effort
> to turn the address space into usable space. As such, the paying customers
> & members should consider requesting this be a function that could be best
> handled centrally by ARIN.
I think I'm unclear how having arin/ripe/apnic/iana/god put up
pingable/http-able/ftp-able ips from 'new' blocks is going to help, when
the problem is at the far-end, and the 'user' or 'admin' there is one of
the: "lazy/dumb/mistaken/poorly-informed" who already doesn't care enough
to keep their filters up to date. Additionally, there is still the
distinction between firewall/acl blocks and 'route filter' blocks. They
may have the same effect in the end, but the target for who might have to
repair that problem is likely different.
-Chris
I don't do bogon filtering. I do take a bogon route feed from team cymru,
but that won't stop me from reaching any announced subnets within "bogon
space"[1]. And cymru has been pretty good about keeping up with the
changes wrt what's a bogon and what's not.
What I will do, next time we get space from ARIN (which I suspect isn't
too far off) is setup 72box (or whatever /8 they're allocating from now)
and repeat the exercise I did with 69/8 space so I have some idea where
the idiot networks are (and try contacting them) before we start using or
assigning IP's from that space.
[1] at least not until cisco adds a feature allowing you to ignore new BGP
routes for subnets of a bogon feed.