69/8...this sucks -- Centralizing filtering..

Joe Boyce jboyce at shasta.com
Mon Mar 10 18:56:55 UTC 2003



Monday, March 10, 2003, 9:52:06 AM, you wrote:

jlo> I think the only way that's relatively guaranteed to be effective is to
jlo> move a critical resource (like the gtld-servers) into new IP blocks when 
jlo> previously reserved blocks are assigned to RIR's.

I agree with you.  But then since I've been allocated 69/8 I guess you
can say I'm a bit biased.

jlo> I still have a couple hundred thousand IPs to check (I'm going to step up
jlo> the pace and see if I can get through the list today), but I already have
jlo> a list of several hundred IPs in networks that ignore 69/8.  The list
jlo> includes such networks as NASA, the US DoD, and networks in China, Russia,
jlo> and Poland.  Those are just a few that I've done manual whois's for.

jlo> I haven't decided yet whether I'll send automated messages to all the 
jlo> broken networks and give them time to respond and fix their filters, or 
jlo> just post them all to NANOG when the list is complete.

jlo> Are people interested in seeing the full list (at least the ones I find)
jlo> of networks that filter 69/8?

Again, since I've been recently allocated in the 69/8 range, I'd love
to see this completed list.

We've only renumbered our internal workstations into this range, so
no customer nets are affected as of yet.  But we are about to plunge
into our renumbering, so I'm sure customers are going to start yelling
then.

However, I think this is going to be an on-going problem, even if the
gtld-servers were renumbered into 69/8.

Do a simple Google search on IP firewalling.  You'll find lots of
examples using ipchains, iptables, etc., that show example configs.
These example configs usually show 69/8 as a bogon network and
recommend filtering it.

So, in my opinion it's only going to be a matter of time before some
network administrator looking to implement a firewall stumbles across
one of these broken sample configs and breaks connectivity to me
again.

In essence, it's going to be an ongoing problem.  Sure, we can fix
networks now that we know are broken, but it's going to be an ongoing
problem that we are going to have to deal with.

Regards,

Joe Boyce
---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: jboyce at shasta.com
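The stale example configs the post describes can be caught before they are deployed. The following is an added example, not code from the post or from NANOG: it parses a constructed set of iptables-style rules, extracts the source networks they DROP or REJECT, and flags any that overlap a block that has since been assigned to an RIR (here only 69.0.0.0/8, taken from the thread; a real list would be refreshed from the current IANA registry).

```python
import ipaddress
import re

# Constructed sample in the style of the old firewall example configs the
# post describes: 69.0.0.0/8 is still listed as a bogon even though it has
# since been allocated.
SAMPLE_RULES = """\
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 69.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j REJECT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""

# Blocks that were once reserved but are now assigned to an RIR and must no
# longer be filtered as bogons. Only 69/8 comes from the thread; a real
# deployment would load this list from the current IANA IPv4 registry.
ALLOCATED_SINCE = [ipaddress.ip_network("69.0.0.0/8")]

# Matches "-s <prefix> ... -j DROP|REJECT" on a single rule line.
RULE_RE = re.compile(r"-s\s+(\S+)\s+.*-j\s+(DROP|REJECT)")


def parse_drop_rules(text):
    """Return the source networks that the DROP/REJECT rules in text filter."""
    nets = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def stale_bogon_rules(text, allocated=ALLOCATED_SINCE):
    """Return filtered networks (as strings) that overlap a now-allocated block.

    Any hit means the config would break connectivity to legitimately
    assigned address space and needs its bogon list refreshed.
    """
    return [str(net) for net in parse_drop_rules(text)
            if any(net.overlaps(a) for a in allocated)]


if __name__ == "__main__":
    for net in stale_bogon_rules(SAMPLE_RULES):
        print("stale bogon filter:", net)
```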