At this time I am receiving a ton of bogus routes originating from AS701. This
AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more
specific route prevails in the cidr world they have managed to wipe out my
network 128.9.0.0 not to mention a hundred other 128.x networks.
This is not good.
The third hand story I got from their hotline was that a core route crashed
causing other core routers to crash. This doesn't explain anything to me.
Are they using Ascend Giga routers in their core?
Walt Prue
At this time I am receiving a ton of bogus routes originating from AS701.
This
AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the more
specific route prevails in the cidr world they have managed to wipe out my
network 128.9.0.0 not to mention a hundred other 128.x networks.
Isn't this the kind of problems that the Doran filters are supposed to prevent?
I understand that it is not to everyone's benefit to filter on the /19
boundary like Sprint does but it seems to be prudent to adopt a /8 filter
on most of the old class A space and a /16 filter on the old class B space.
Other than the need to update these filters as the former class A space is
subdivided I can see no major downside.
Comments?
And networks that 1) do prefix filtering of peers, or 2) have the satanic
phylters in place didn't even notice yesterday's snafu.
-dorian
Isn't this the kind of problems that the Doran filters are supposed
to prevent?
Yes.
I understand that it is not to everyone's benefit to filter on the
/19 boundary like Sprint does but it seems to be prudent to adopt a
/8 filter on most of the old class A space and a /16 filter on the
old class B space. Other than the need to update these filters as
the former class A space is subdivided I can see no major downside.
I for one am going to implement such filters ASAP, and I hope others
will do the same...
It might be a good idea for providers to put up web pages on their
policy for accepting external announcements, for reference purposes.
Alec
Proper PRDB based filters would have stemmed this too. Why isn't everyone
using them these days?
At this time I am receiving a ton of bogus routes originating from AS701.
This
AS has hijacked all the /24 subnets of 128.1 through 128.1xx. Since the
more
specific route prevails in the cidr world they have managed to wipe out my
network 128.9.0.0 not to mention a hundred other 128.x networks.
Isn't this the kind of problems that the Doran filters are supposed to
prevent?
I understand that it is not to everyone's benefit to filter on the /19
boundary like Sprint does but it seems to be prudent to adopt a /8 filter
on most of the old class A space and a /16 filter on the old class B space.
Other than the need to update these filters as the former class A space is
subdivided I can see no major downside.
Comments?
What about the cable providers that have chunks of 24/8?
-Steve
62/8, 63/8 and 64/8 are being assigned now.
So you just relax the filters according to what's being assigned.
-dorian
... but it seems to be prudent to adopt a /8 filter
on most of the old class A space and a /16 filter on the old class B space.
Other than the need to update these filters as the former class A space is
subdivided I can see no major downside.
What about the cable providers that have chunks of 24/8?
That's one of the reasons that I said "most of" the old Class A space. And
since there will be continued carving up of blocks in the Class A space
those filters will need to be revisited from time to time.
"Alec H. Peterson" <ahp@hilander.com> writes:
It might be a good idea for providers to put up web pages on their
policy for accepting external announcements, for reference purposes.
At the same time you should augment your current filtering
policies with a list of prices for punching holes through them.
Sean.
I installed the ACL Sean posted back in December of '95, updated by
changes he posted in June of '96. Is that list still reasonable?
I'm pretty sure that is the version that filters >=207 at /19 (instead
of /18 which is where he initially put the filter). However, keep in
mind that the registries have been allocating space out of old class A
space, which all versions of his filter I've seen _will_ block. So,
depending on your policy you would want to add:
access-list xxx permit ip 62.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
Do that for 24/8, 62/8 and any other blocks that the IANA has released
to a registry (I think Dorian mentioned 63/8 and 64/8 as well). Of
course, if you want to filter on /19 then your mask will be a little
different.
Of course, one can just do what Randy suggested and filter all class A
space at /19 and be done with it.
Alec
(I think Dorian mentioned 63/8 and 64/8 as well).
61/8, not 64/8. APNIC will be starting to allocate out of 61/8
RSN, so if you want to modify your filters, note that APNIC will _not_ be
allocating anything longer than a /18 (not even /19s). I believe RIPE has
a similar policy on 62/8, but I'm sure they'll correct me if I'm wrong.
Regards,
-drc
"Dorian R. Kim" <dorian@blackrose.org> writes:
[...]
62/8, 63/8 and 64/8 are being assigned now.
So you just relax the filters according to what's being assigned.
So is there any good way of hearing about these new assignments as
they are made so we could adjust our filters before people complain?
[...]
62/8, 63/8 and 64/8 are being assigned now.
So you just relax the filters according to what's being assigned.
So is there any good way of hearing about these new assignments as
they are made so we could adjust our filters before people complain?
I wonder whether IANA could post an announcement to this list whenever a
block from the former class A space is given out for carving up.
why not just be lazy and filter A space on /19? and B space on /16 to /19
depending on your religion? and then folk with no real work to do can have
fun religious wars over what to do in C space.
randy
This tends to suggest that our 199.79.160.0/24 annoucement will
fall on deaf ears in some religious backbones. 
-blast
Whoops. Typing with fever is bad.
That last comment I made about the 199.79.160 is in the C range
to please hit delete.
Back to bed for me,
-blast