Bogon list

Why treat exchange subnets differently to any other bit of backbone
infrastructure?

Oh, I wholeheartedly agree. I would love them all to use RFC 1918
addresses, because it is VERY VERY VERY rare that anything outside
the scope in which the 1918 local use addresses are unique actually
has to communicate with backbone infrastructure of any type.

What communication can your workstation have with an XYZNET router?
Can you log into it? Can you talk SMTP to it? How about SNMP?
Oh, I know - you can start up a BGP session with it from your desk, right?

In short, ping & traceroute are about the only interaction anyone
will ever have with a router that is not under their control,
excepting error messages (which is the usual way at least traceroute works),
and it is NOT WORTH THE ADDRESS CONSUMPTION just to facilitate this.

Regrettably, IP sux in the confusing of "where" and "what", so
the only way to know who sent you the error ICMP datagram except
by the source address. ICMP types that let one encode a handy URL
or maybe some text explaining the error and its source would be cool,
and if this is regularized, then there's no point in having
global address space consumed by things which are only ever going
to have interactive sessions with local hosts, and you get to keep
your end-to-end diagnostic regime of incredibly useful, reliable
and intuitive tools like traceroute and ping.

In the absence of new ICMP messages (which really have to be rolled out
"everywhere"), redirecting the attention spent on inducing and interpreting
them to an in-the-network tool for diagnosing the condition of a LOCAL
set of infrastructure is something I think is quite practical.

Perhaps a tiny chunk of address space with useful IN-ADDR.ARPA
messages would be a good start.

: unix ; traceroute abc.defxyz.net
symbolic-name (217.31.0.1) 1 ms 1 ms 1 ms
symbolic-name.your.provider.net (217.31.10.2) 5 ms 5 ms 5 ms
please-see.http.www.smartprovider.net (223.255.255.1) 50 ms 50 ms 50 ms
please-see.http.www.smartprovider.net (223.255.255.1) 60 ms 60 ms 60 ms
please-see.http.www.smartprovider.net (223.255.255.1) 65 ms 65 ms 65 ms
please-see.http.www.smartprovider.net (223.255.255.1) 70 ms 70 ms 70 ms
please-see.http.www.smartprovider.net (223.255.255.1) 75 ms 75 ms 75 ms
please-see.http.www.otherprovider.net (223.255.255.2) 79 ms 80 ms 79 ms
please-see.http.www.otherprovider.net (223.255.255.2) 85 ms 82 ms 98 ms
...

(I was kinda thinking it might be fun for someone with some spare
address space to offer up a mapping of A.B.HI.LO with HI.LO being
the higher and lower order bytes of an AS number, although obviously
that's not necessary, and is going to be wasteful, since people like
Joe will think this is so abominable, that they won't have their ASes
do it )

Why number point-to-point links with even locally-unique addresses?

iBGP hack requires intra-domain connectivity to work, and may
sometimes require distinguished interface addresses; eBGP insists
on connectivity between peers in same logical subnet except when
you break that with intentional use of knobs.

SNMP hack requires interactive intra-domain connectivity to work.
SSH (and telnet disaster) requires interactive intra-domain connectivity
to work. Ping/traceroute/etc originating from route-server host(s)
require interactive intra-domain connectivity to work. All these
and more may benefit from discretely numbered interfaces.

These numbers may be 1918 addresses, or they be kept discreet.

You might think this is rather backwards and Victorian, like
hiding the legs of tables from prying eyes through the use of
extremely long tablecloths. However, there are people who
have had funny carpentry done, who might see this as a feature.

Slashdot readers wielding traceroute can make an annoying pain in the
side of your head, but traceroute and ping are not without their uses.

No functionality is broken - it's just you get ICMP messages
from things you probably cannot connect to in any meaningful way.
Big deal, that's what you have now, pace ping.

Ask people who are cursed with running poorly-documented X.25 networks
(surely there must be some left) how nice it would be to be able to map
the network in-band. Ask them why they don't have any hair left, while
you're at it.

MPLS cannot cause baldness. That lot all have thick and fuzzy hair, I think.

I'll stick with conventional theory and suggest it might be genes or razors.

(Are you gonna call NATs&6to4/faith X.75 gateways? Cool!)

You don't need to deal with the messy traceroute problem if your
consistent and clean architecture doesn't happen to make traceroute
mess

Right, stop replying to things which are obviously or even probably traceroutes.
No more traceroute mess.

No more idiotic firewall operators complaining about these damn unreachable
and exceeded messages.

I think I'm in favour, although I have to admit traceroute can be fun.

Did you ever see Louis Mamakos's toy?

  Sean.

[[ What's with the huge CC list everyone? Aren't we all subscribers? Do
y'all enjoy getting multiple copies of replies? I don't! ]]

[ On Tuesday, June 4, 2002 at 18:33:23 (-0700), Sean M. Doran wrote: ]

Subject: Re: Bogon list

> Why treat exchange subnets differently to any other bit of backbone
> infrastructure?

Oh, I wholeheartedly agree. I would love them all to use RFC 1918
addresses, because it is VERY VERY VERY rare that anything outside
the scope in which the 1918 local use addresses are unique actually
has to communicate with backbone infrastructure of any type.

"has to" and "can" in this context are two very different things.....

If everyone filtered source and destination bogons A.S.A.P.P.....

In short, ping & traceroute are about the only interaction anyone
will ever have with a router that is not under their control,
excepting error messages (which is the usual way at least traceroute works),
and it is NOT WORTH THE ADDRESS CONSUMPTION just to facilitate this.

I'm not so sure I agree (traceroute can be fun), _BUT_, if such routers
were to always use only one unique-to-themselves canonical routable
address in all valid error messages that they generate then there
wouldn't be such a problem. Providers would at the same time enjoy the
benefits of hiding all the niggling interface details while not borking
tools that the little guys a the edge have used to point the finger from
time immemorial....

Regrettably, IP sux in the confusing of "where" and "what", so
the only way to know who sent you the error ICMP datagram except
by the source address.

Indeed, but IIRC there's nothing which says a router has to emit error
replies using the source address of the interface the undeliverable
packet arrived on, is there? If a given router uses a single
unique-to-itself canonical globally routable source address for all ICMP
error replies it generates then the output of the likes of traceroute
and even ping will still be meaningful and useful. No important
information is lost, at least not from the point of view of everyone
_without_ a login on the router in question at least (and if you can
login to the router then I should hope you can figure out what interface
the undeliverable packets are arriving on without any external help!).

Isn't there even an IOS command to "make it so", or am I dreaming
visions of some as-yet unimplemented BSD-based router feature again?

[[ What's with the huge CC list everyone? Aren't we all subscribers? Do
y'all enjoy getting multiple copies of replies? I don't! ]]

:0 Wh: msgid.lock

Date: Tue, 4 Jun 2002 23:14:58 -0400 (EDT)
From: Greg A. Woods

If a given router uses a single unique-to-itself canonical
globally routable source address for all ICMP error replies
it generates then the output of the likes of traceroute and
even ping will still be meaningful and useful. No important
information is lost, at least not from the point of view of
everyone _without_ a login on the router in question at
least (and if you can login to the router then I should hope
you can figure out what interface the undeliverable packets
are arriving on without any external help!).

Sounds good to me.

Isn't there even an IOS command to "make it so", or am I
dreaming visions of some as-yet unimplemented BSD-based
router feature again?

I don't know of any existing sysctl, but it should be trivial to
add "net.inet.icmp.sourceforce" or something like that.

## On 2002-06-05 04:45 -0700 Randy Bush typed:

> [[ What's with the huge CC list everyone? Aren't we all subscribers? Do
> y'all enjoy getting multiple copies of replies? I don't! ]]

:0 Wh: msgid.lock
> formail -D 8192 msgid.cache

Randy,

Are you sure that:

  1) All NANOG subscribers recognize the above as a procmail rule ?

  2) That all NANOG subscribers read list E-mail on machines that have
procmail on them ?

[snip]

> :0 Wh: msgid.lock
> > formail -D 8192 msgid.cache

Randy,

Are you sure that:

  1) All NANOG subscribers recognize the above as a procmail rule ?

most of them, probably.

  2) That all NANOG subscribers read list E-mail on machines that have
procmail on them ?

So because it is not applicable in all situations, it's not worth mentioning?
Procmail works for a good share of those reading this list, I'd wager.

## On 2002-06-05 04:45 -0700 Randy Bush typed:

> :0 Wh: msgid.lock
> > formail -D 8192 msgid.cache

Randy,

Are you sure that:

  1) All NANOG subscribers recognize the above as a procmail rule ?

If they don't, they're probably in one.

  2) That all NANOG subscribers read list E-mail on machines that have
procmail on them ?

This is still (for some definition of still) a technical list, mainly
composed of network engineers (you know, the people who don't buy clothes
because their entire wardrobe is paid for by vendors, and who have a
statistically high chance of being fat, bald, bearded, and/or spotted at a
NANOG bar), and other people involved in "operating the internet".

As such, the posters are expected to have a certain level of common sense,
for example:
  * Knowing what procmail is and how to use it
  * Not posting in HTML
  * Not posting "where can I get a T1 in BF Egypt"
  * Not posting "everyone on the internet is down but me!"
etc.

Not to be mean to anyone, but if you're expecting something else, you
should probably look at one of the isp-* lists.

Although I asked awhile back if anyone knew anything about the new fiber
going into Ecuador and no replies, it seemed like a good question.

Richard,

Kindly explain how not knowing procmail (or Unix for that matter)
relates to configuring BGP/OSPF/Cisco IOS/JunOS
(Yes I know JunOS is based on FreeBSD -
but I doubt anyone runs an MTA or MUA on it ...

For Example:

I happen to know a senior technical consultant who went from reading his
Email on VM(IBM Mainframe) to reading it on his laptop with Eudora(POP3)
and couldn't(shouldn't?) care less whether what OS the MTA and POP3 server
run on

Said person happens to be (semi)regular poster on NANOG and I seriously
doubt he's made anyone's kill rule ...

  Also don't even get me started on *security* consultants that are forced
(by corporate policy) to read Email on MS OutLook from an Exchange server

3) Remember that for procmail to nuke the second copy, the second copy
has to arrive - I'm personally just a bit miffed at somebody who sent me
2 copies of a large file. Yes, procmail nuked the second one - *after*
I'd pulled several hundred K over a modem.

Richard,

Kindly explain how not knowing procmail (or Unix for that matter)
relates to configuring BGP/OSPF/Cisco IOS/JunOS
(Yes I know JunOS is based on FreeBSD -
but I doubt anyone runs an MTA or MUA on it ...

It's not a causal relationship, but more of an indirect one: those that tend
to have networking clue very frequently also possess UNIX clue. Which is what
I (and I suspect Richard) was driving at ...

[snip]

  Also don't even get me started on *security* consultants that are forced
(by corporate policy) to read Email on MS OutLook from an Exchange server

The MUA someone may have to use has nothing to do with whether or not that
person possesses experience with UNIX and standard UNIX utilities.

[ On Wednesday, June 5, 2002 at 23:22:38 (-0400), Valdis.Kletnieks@vt.edu wrote: ]

Subject: Re: OT: Re: Bogon list

3) Remember that for procmail to nuke the second copy, the second copy
has to arrive - I'm personally just a bit miffed at somebody who sent me
2 copies of a large file. Yes, procmail nuked the second one - *after*
I'd pulled several hundred K over a modem.

Indeed. That was my original point. I don't want to _receive_ two
copies of any messages, especially not those that are also forwarded via
any mailing list. I do what I can to ensure things work the way I
desire for replies to my posts, and I'm surprised more people don't do
what I do as well.