Operational Issues with 69.0.0.0/8...

My question is as follows - We are losing customers because of this
problem. It is costing us reputation and money. It is out of our
control. If you were us, what would you do? We have already asked ARIN
to reassign us to a "friendlier" CIDR, and they refuse.

This is no longer a technical operational issue so it is out of scope for
this mailing list.

But if you think that ARIN could do something to solve your problem then
you should raise the issue on the ARIN public policy mailing list. You can
find subscription information for that list here http://www.arin.net/mailing_lists/index.html

-- Michael Dillon

ARIN don't guarantee routability of the blocks they allocate, and it's difficult to see how they ever could.

Perhaps this is an issue of community education, or one of needing better tools or methods for managing martian filters. Those issues are arguably both technical and operational.

Joe

short term fix if it's costing you would be to get an assignment from another
LIR's allocation.. and hold off the 69/8 for a while..

now how much can i sell you a /20 for ;p

Thus spake "Alec H. Peterson" <ahp@hilander.com>

<Putting on my hat as ARIN AC Chair>
I see this as purely an operational issue.

ARIN explicitly does not guarantee routability of prefixes it assigns.

This is a case of ARIN knowingly assigning unusable space to customers.
There's a huge difference there.

If service providers choose to filter ARIN allocations, then that is an
operational decision. I really don't see what action you expect ARIN to
take along these lines.

Assign him some temporary space in a usable block while he tries to get the
offending ASs to fix their filters, and stop assigning out of 69/8 until it
actually works. This isn't rocket science.

S

So for the sake of argument, in your proposal an ISP could filter all of the blocks that the RIRs allocate out of and hamstring them indefinitely?

Alec

So for the sake of argument, in your proposal an ISP could filter all of
the blocks that the RIRs allocate out of and hamstring them indefinitely?

    Perhaps not, but an X month period after the initial allocation to the
RIR where they don't assign out of that pool might be wise. Perhaps e-mails
can be sent to the registered contacts of existing IP space upon initial
allocation, on the first of each month, and then on the last day of the
hold.

    I know that I am sometimes a bit too busy to take care of something like
that at the very instant I get the e-mail, and that it can fall to the
wayside. Many times a reminder e-mail has come at a moment where I was able
to do something about it.

Thanks,

Adam "Tauvix" Debus
Linux Certified Professional, Linux Certified Administrator #447641
Network Administrator, ReachONE Internet
adam@reachone.com

IMHO - The RIRs are doing their part. They announce to the operations
aliases their intention to allocate a new block before they start doing
it. People like me (with the ingress-prefix-template), Rob Thomas (with
the bogon template), and Steve Gill (with the Junos flavor of the
ingress-prefix-template) start tweaking our templates and post them to
the community.

After that, it would be up to each operations team to execute within
their own network.

Sorry, which operational aliases did the RIRs announce before they started
allocating addresses?

ARIN announced the fact that it received the 69/8 delegation on August 8th. ARIN received the delegation on August 6th. ARIN made its first allocation/assignment (I don't know which it was, but that isn't important) out of that block on September 19th.

So, that's over 1 month that people had to fix their filters. We're in December now, and clearly some people still haven't updated their filters.

Do people have any suggestions for ARIN (and other RIRs) on how they can better disseminate this information so that people will update their filters?

Alec

Sorry, the announcement was made on NANOG.

Alec

Force ISPs to register with the gov't and do
IRR built packet and routing filters.

  Distribute the data quarterly on a LERG-like CD
for startups to use and keep the people who can't keep
their routers up-to-date off the net.

  - jared

(if you can't tell i'm joking ...)

If you're going to filter, it is your job to keep the filters updated, not
ARIN's. Nor is it ARIN's job to move your blocks around every time some
idiot doesn't accept it, or after you manage to get it blacklisted, or
whatever. They need to allocate more space from 69 so anyone still
filtering it wonders why they can't get to their latest porn site (no
pun intended) and fix it.

Is it honestly that much work to send an email, "psst you're still
filtering 69/8, stop it" whenever you run into that situation? Why don't
we all go bug Rob Thomas for a bogon update mailing list, and stop pissing
and moaning on this one. :)

Well, to increase chance of reachability of blocks immediately after RIRs
start making assignments, RIRs should request new assignments from IANA
well ahead of exhaustion of currently-held blocks.

Possibly, considering that ARIN and RIPE run through 1 /8 a year, a
"spare" /8 should be allocated to them (and filter-making folks
dropping filtering).

Smaller registries (APNIC, LACNIC), under this proposal, would request a
/8 when their current /8 is 50% full.

This should reduce frequency of required filter updates to once a year or
less.

-alex

People depend on ARIN's IP assignments being widely routable. When 2
different ARIN clients pay the same amount of money for leasing an IP
block, the "goods" they receive should be of the same quality.

ARIN clients should have the ability to exchange defective "goods". It
seems ARIN won't do this. And posting to NANOG or similar lists doesn't
seem to fix the problem. Sooner or later someone's going to decide to let
the lawyers deal with it. I don't think ARIN's resources should be wasted
in the courts.

This type of problem is likely to spur interest in more regional
registries. There's been talk of CIRA setting up a Canadian IP
registry. This has been handled by ARIN took over the work UofT was doing
years ago.

-Ralph

ARIN can't change (or even detect) who's filtering what. They likely have
no way of knowing in advance if any IP block is filtered anywhere. How
many places need to block your IP before you declare the IP bad? Should
ARIN announce and test connectivity with some standard suite before giving
each allocation? Should the end-user be given some trial period during
which they can do this? What happens when ARIN runs out of IPs that don't
appear to be filtered by any recognized network?

This is an unfortunate pitfall that goes along with portable IP space and
BGP. When I got the company's first ARIN block at a previous employer
(back in the late 90s), we ran into issues with several large/well known
networks ignoring our BGP route. Some were fixed just by doing the RADB
thing. Some had to be emailed or phone called before they fixed their
filters.

This isn't a new problem, and there's no magic solution ARIN can
execute...at least not that anyone's come up with so far.

...wondering when we'll hear from Dalph on the matter. :)

You are under the delusion that ARIN is selling goods. If they were, we'd
all have something to complain about. ARIN is selling you 5 bytes, a
couple records for contact info, a whois server, a template processing
system which takes 3 days to work, and meetings in tropical locations (for
$2500+, sounds fair right? :P).

Under this logic you would like them to sell you low ASNs because high
ones don't get much respect and are therefore defective? How about
refusing to take 3.1.33.7 because it got spoofed and/or packeted a lot?

ARIN should make a good faith effort to hand out registrations which are
going to be usable, but it is not their job to make sure no one else on the
internet dislikes your IP. Besides, the policies usually follow ARIN, not
the other way around. People design prefix length filters around the RIR
allocation sizes, not arbitrary numbers they expect the RIRs to follow.
People unfilter prefixes when they start getting allocated, not because
they feel like they should so ARIN can allocate from it.

Oh, Ok. I was wondering if IANA, ARIN, RIPE, APNIC had an announce-only
mailing alias for operational announcements. Rather than relying on
finding the messages in the middle of the NANOG stream of thought.

The RFC-Editor seems to have the process down for announcing new RFCs.

Date: Fri, 6 Dec 2002 16:30:28 -0500 (EST)
From: Ralph Doncaster

People depend on ARIN's IP assignments being widely routable.

As much as I get frustrated with ARIN, they don't have much
control in this situation.

Hang on. A guy with a badge that says "ARIN" is at the door; he
says he's making a surprise filter audit. I'll finish posting
later after he leaves...

Eddy

In a message written on Fri, Dec 06, 2002 at 01:44:15PM -0700, Alec H. Peterson wrote:

ARIN announced the fact that it received the 69/8 delegation on August 8th.
ARIN received the delegation on August 6th. ARIN made its first
allocation/assignment (I don't know which it was, but that isn't important)
out of that block on September 19th.

[snip]

Do people have any suggestions for ARIN (and other RIRs) on how they can
better disseminate this information so that people will update their
filters?

* One month from filtered to first use is too short. Should be 6
  months, with multiple notices. To back this up I can point to
  a number of places that stopped all global changes from before
  Thanksgiving to after Christmas. (Not that I support such things.)

* Mailing nanog is nice, but ARIN probably should mail all the ARIN
  members, or particularly people with ASN's. Far too many people
  view the nanog mailing list as entertainment, rather than
  operational necessity.

* Space that goes from "reserved" to "in use" should be test routed
  first. Perhaps more of a job for ISI before they turn it over
  than ARIN. This allows people to make sure their changes actually
  worked.

* Maintain an RADB object of reserved space, so those with automated
  tools can easily query it.

* Perhaps offer a BGP feed (multi-hop, a-la RBL) of reserved space to
  ARIN members.

If I were in charge it would be:

1) Notify all ARIN members 6 months in advance of the block being used.
   At the same time, announce the block from somewhere so people can
   check that they do in fact hear it as they open up their filters.

2) Notify people 3 months, 1 month, and 1 week before making the first
   allocation.

3) Drop the supernet test on the same day of the first allocation.

4) Listen to feedback from the first few people allocated space
   and if it still is not properly routed send out another notice
   to people and possibly delay additional allocations from the
   block for another month.
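
The thread asks for better tooling around martian filters and for a machine-readable list of reserved space. The following is an added example, not code from any poster in this thread: it audits a static deny list against a table of delegated blocks and reports entries that still drop delegated space. The prefix-list name `BOGONS`, the sample configuration and the `DELEGATED` table are constructed for illustration; in practice the table would be built from the IANA IPv4 address space registry.

```python
import ipaddress
import re

# Constructed sample: a stale ingress filter in Cisco prefix-list syntax.
SAMPLE_FILTER = """\
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 10 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 deny 69.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 68.0.0.0/7 le 32
ip prefix-list BOGONS seq 25 deny 127.0.0.0/8 le 32
ip prefix-list BOGONS seq 30 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 35 permit 0.0.0.0/0 le 24
"""

# Constructed sample of delegated space (prefix -> registry); 69/8 to ARIN
# is the delegation discussed in the thread.
DELEGATED = {"69.0.0.0/8": "ARIN"}

DENY_RE = re.compile(
    r"^ip prefix-list (\S+) seq (\d+) deny (\d+\.\d+\.\d+\.\d+/\d+)"
)


def parse_denies(config):
    """Return (seq, network) for every deny line in the configuration."""
    denies = []
    for line in config.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(m.group(3), strict=False)
            denies.append((int(m.group(2)), net))
    return denies


def stale_entries(config, delegated):
    """List deny entries that overlap space already delegated to a registry."""
    findings = []
    for seq, net in parse_denies(config):
        for prefix, registry in delegated.items():
            block = ipaddress.ip_network(prefix)
            if not net.overlaps(block):
                continue
            if net == block:
                kind = "exact"      # filter names the delegated block itself
            elif block.subnet_of(net):
                kind = "covers"     # a supernet entry hides the stale block
            else:
                kind = "inside"     # a more-specific deny within the block
            findings.append((seq, str(net), prefix, registry, kind))
    return findings


if __name__ == "__main__":
    for finding in stale_entries(SAMPLE_FILTER, DELEGATED):
        print("stale deny: seq %d %s overlaps %s (%s), %s" % finding)
```

The supernet case (`covers`) matters because an aggregated deny entry does not mention the delegated block by name, so a text search of the configuration for `69.0.0.0/8` would miss it.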