Do you really think that people who don't have enough clue to update
their filters are going to be able to figure out why they can't reach
content in 69/8?
Moving all root-servers WOULD fix the problem. Although I doubt anyone
is really going to be willing to make the news by causing that much of
an outage.
What we can REALISTICALLY accomplish is to lean on the people who
publish books/web pages/templates/etc. to include big scary warnings
about using bogon filters and outline WHY they should be careful. I bet
for example we could get Rob Thomas to update his templates to include
scarier warnings like "don't do this unless you intend to keep current on
new allocations; if you don't know what that means, skip this section" (I
noticed there is something in the IOS template that says be "VERY"
careful). The warnings should be explicit, and scream "don't do this
unless you understand it." Personally I have always thought overzealous
bogon filtering can be dangerous in the wrong hands and thus avoided it.
I don't even trust myself to keep current let alone someone who may pick
up a generic firewall book off the shelf and then think they are an
expert.
Date: Mon, 10 Mar 2003 17:41:56 -0500
From: Frank Scalzo
> What we can REALISTICALLY accomplish is to lean on the people
> who publish books/web pages/templates/etc. to include big
> scary warnings about using bogon filters and outline WHY they
And all the existing books, webpages, and "set-and-forget"
configs...
Eddy
Hi, NANOGers.
] I bet for example we could get Rob Thomas to update his templates to
] include scarier warnings...
For the right amount of coffee, I just might. Seriously, I'm all for it.
Here is what I have on the Bogon List page:
NOTE WELL! IANA allocations change over time, so please check
back regularly to ensure you have the latest filters. I do
announce updates to my templates in the FIRST community, as
well as on lists such as NANOG, isp-routing, isp-security,
isp-bgp, and cisco-nsp. I cannot stress this point strongly
enough - these allocations change, as often as every four
months. If you do not adjust your filters, you will be unable
to access perhaps large portions of the Internet. You have
been warned!
I don't know how much it helps, but it's there. I don't mind including
it in all of the templates, monitoring, and bogon data feeds.
Thanks,
Rob.
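As an added illustration of the failure mode Frank and Rob describe above (this is example code written for this page, not code from the thread or from Rob Thomas's templates): a Python check that compares a deployed bogon filter against a list of current allocations, reports entries that now block allocated space such as 69/8, and carves the allocated blocks out. The filter contents and the allocation list are constructed sample data; in practice the allocations would be taken from IANA's IPv4 address space registry.

```python
import ipaddress

# Constructed sample of a "set-and-forget" bogon filter copied from a template
# years ago: the RFC 1918 and loopback entries are still correct, but
# 69.0.0.0/8 was a bogon when the list was written and has since been allocated.
DEPLOYED_BOGON_FILTER = ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
                         "192.168.0.0/16", "69.0.0.0/8"]

# Constructed snapshot of space allocated since the filter was deployed; in
# practice this comes from IANA's ipv4-address-space registry.
CURRENT_ALLOCATIONS = ["69.0.0.0/8"]


def stale_entries(bogon_filter, allocations):
    """(entry, allocation) pairs where a filter entry overlaps space that has
    since been allocated, i.e. the entry now drops legitimate traffic."""
    allocs = [ipaddress.ip_network(a) for a in allocations]
    return [(entry, str(a)) for entry in bogon_filter for a in allocs
            if ipaddress.ip_network(entry).overlaps(a)]


def prune_filter(bogon_filter, allocations):
    """Carve every allocated block out of the filter: wholly allocated entries
    are dropped, partially allocated ones are split around the allocation."""
    allocs = [ipaddress.ip_network(a) for a in allocations]
    kept = []
    for entry in bogon_filter:
        pieces = [ipaddress.ip_network(entry)]
        for a in allocs:
            remaining = []
            for p in pieces:
                if p.subnet_of(a):        # wholly allocated now: drop it
                    continue
                if a.subnet_of(p):        # partly allocated: carve it out
                    remaining.extend(p.address_exclude(a))
                else:
                    remaining.append(p)   # untouched by this allocation
            pieces = remaining
        kept.extend(pieces)
    return [str(p) for p in sorted(kept)]


def is_blocked(bogon_filter, address):
    """True if the filter would drop packets to or from this address."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(b) for b in bogon_filter)
```

Running `stale_entries` against the deployed list flags the 69/8 entry; `prune_filter` returns the same list without it, while the RFC 1918 entries stay in place.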
Date: Mon, 10 Mar 2003 17:41:56 -0500
From: Frank Scalzo
> Moving all root-servers WOULD fix the problem. Although I
> doubt anyone is really going to be willing to make the news
> by causing that much of an outage.
I'm eager to see stats indicating how large the problem is. If
the problem is this severe, it seems all the more wrong to let
innocent third parties suffer due to what IP space was bestowed
upon them.
If the roots and gTLDs are truly unwilling to help, and a handful
of entities can't cooperate, I have serious concerns why they
have been handed responsibility for such a critical piece of
infrastructure. I'd expect "it's too hard to be a good netizen"
whining on other lists... but NANOG? Roots and TLDs?
Perhaps this is an omen of the Internet yet to come. Oh joy.
Eddy
Thus spake "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
> If the roots and gTLDs are truly unwilling to help, and a handful
> of entities can't cooperate, I have serious concerns why they
> have been handed responsibility for such a critical piece of
> infrastructure. I'd expect "it's too hard to be a good netizen"
> whining on other lists... but NANOG? Roots and TLDs?
> Perhaps this is an omen of the Internet yet to come. Oh joy.
Come on, you're asking the root and/or TLD operators to renumber their
servers -- not a trivial task -- every few months to intentionally disable
their own service for what amounts to an academic experience.
These folks are in the business of running a critical system that requires
100% uptime for hundreds of millions of users, and they do a damned good
job. Let them do it in peace, and find some other "must have" service (like
porn) to put in 69/8.
S
Stephen Sprunk, CCIE #3723, K5SSS
"God does not play dice." --Albert Einstein
"God is an inveterate gambler, and He throws the dice at every possible opportunity." --Stephen Hawking
> Come on, you're asking the root and/or TLD operators to renumber their
> servers -- not a trivial task -- every few months to intentionally disable
> their own service for what amounts to an academic experience.
Not for academic experience, but to encourage people to fix their broken
filters. And while renumbering a large network might be non-trivial,
changing the IP or adding an IP alias on 13 individual servers should be
a trivial operation.
> These folks are in the business of running a critical system that requires
> 100% uptime for hundreds of millions of users, and they do a damned good
> job. Let them do it in peace, and find some other "must have" service (like
> porn) to put in 69/8.
100% uptime for the service, not for each individual server.
So now the 69/8 holders, in addition to driving a campaign to get others
to fix their networks, should offer free hosting to porn sites? How about
free hosting for spamvertized sites?...oh wait, that might make the
problem worse 