69/8...this sucks

Owen DeLong owen at delong.com
Tue Mar 11 19:38:23 UTC 2003


Look, there's no quick fix solution here.  It's going to take real
effort and real work.  However, the _REASON_ all those pages reference
sample bogon filters is because there isn't a global bogon filter
that is dynamically updated available.  If there was, and people were
aware of it, they'd use it.  (At least a significant percentage would).

As such, is a BGP feed a panacea?  No.  Is it a step in the right direction?
Yes.  Will it solve the problem by itself?  No.  Will it improve the situation?
Yes.  Moving the root servers into that space may expedite solving the problem,
but at a _VERY_ significant cost.  Moving the GTLD servers might make a little
more sense (at least then, you aren't requiring _EVERYONE_ to update their
hint files), but I still don't think that's a good idea.

Others have suggested that it needs to be available in LDAP.  Some have
suggested DNS.  As far as I'm concerned, the same servers or some group
of servers could easily be set up to publish the authoritative BOGON list
via DNS, BGP, LDAP, HTTP(XML), FTP, and possibly other protocols.
Getting bogged down in the protocol isn't helpful.  Finding a way to make
an authoritative global BOGON list (Note: BOGONS are the
UNALLOCATED/UNASSIGNED/RESERVED/INVALID _LARGE_ blocks, _NOT_ every little
hole in the allocation space) that is dynamically updated _IS_ the most
practical solution for the long haul.

Renumbering multiple global resources every time an RIR starts issuing from
a new /8 isn't feasible.

Publishing the data over the net is.

Owen


--On Tuesday, March 11, 2003 10:06 AM -0800 Joe Boyce <jboyce at shasta.com> 
wrote:

>
> Monday, March 10, 2003, 7:44:43 PM, you wrote:
>
> H> Well... I am pretty sure Tier1 backbones are up-to-date on the bogon
> H> filters :-)
> H> As we've already discussed, it's really the smaller networks with outdated
> H> bogons or with admins who don't know what they are doing..
>
> Bingo.  No silly bgp feed will fix this problem.  The problem is
> all of the small customer networks that have been setup where the
> admin at the time installed a slick firewall using what was then
> current information and then walked away.
>
> I only see three ways to deal with this issue:
>
> 1.  Contact each customer net that we find that is filtering on
> outdated information.  I'm sure only the operators that have been
> assigned 69/8 space will start doing this (and have), since we are in
> fact responding to customer complaints.  This process should be
> complete in say, oh, ten years or so.  That should give us enough time
> to track them all down.
>
> Oh while we are at that, we might want to contact every operator of
> websites that are displaying "sample" firewalls using ipchains,
> iptables or ipfw that show 69/8 as a bogon network.  We'll need to get
> them to change those webpages to show correct information.  I mean,
> why have that information out there so some other clueless admin can
> simply start a fresh problem for us.  I figure a couple of years to
> fix this too.
>
> 2.  Find a way to break all of those customers' networks that filter
> 69/8 so that the response time to fix it is much less than the time
> to contact each and every operator.  The only way to do that is to
> move something like the root servers into this space.  Yes it's crazy
> but it's the only way to break smaller networks.  But once joe sixpack
> wonders why he can't get to Yahoo this morning and calls his
> consultant, the problem would be resolved a lot faster than it will
> take us to track them down and do option 1.
>
> 3.  Have us 69/8 address assignees simply live with the problem and
> stop complaining in forums such as this.  We're the ones dealing with
> the end user complaints about lost connectivity to sites once we've
> renumbered a link into this range.  This goes back to option number
> 1, we'll simply bite the bullet and live with the problem and fix them
> as we find them.
>
> I'll admit, I run a small network and was quite happy to receive my
> first ARIN assignment some months ago.  I wasn't so happy to find out
> that once I renumbered our internal office workstations into this
> range I had complaints from other employees about sites they could not
> reach (starting with *.ca.gov).  I haven't even put one customer net
> into this new range yet and I've already reacted to a couple of dozen
> problems that less than 20 employees have found.  I'm honestly scared
> to death about renumbering all of my customers now.
>
> H> I think we are just going around the circle/preaching to the choir on the
> H> same topic here.. Is this like what... 3rd time we are discussing
> H> this whole 69/8 issue :-D? Really, someone needs to get out this 69/8
> H> issue on the press.. Just a thought.. heh
>
> I had an email sent to me from a writer from circleid.com (Joe
> Baptista) back in late December regarding this issue when the problem
> first popped up on Nanog.  As far as I can remember he was going to
> write up an article on this situation.  I have no idea what became of
> that.
>
> Regards,
>
> Joe Boyce
> ---
> InterStar, Inc. - Shasta.com Internet
> Phone: +1 (530) 224-6866 x105
> Email: jboyce at shasta.com
>
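The failure mode both posters describe, a firewall copied from a "sample bogon filter" page that still drops 69/8 long after the RIR started issuing from it, can be caught mechanically once a published list exists: parse the current list, parse the static rules, and flag every dropped prefix that no current bogon entry covers. The script below is an added example written for this archive page; it is not code from either poster, from NANOG, or from any published bogon service. The bogon list and the iptables fragment are constructed samples, and the one-prefix-per-line list format is an assumption, since the thread deliberately leaves the publication protocol open.

```python
"""Audit a static bogon filter against a current bogon list.

Added example for this thread, not code from the original posts or from NANOG.
Both inputs are constructed: a hypothetical dynamically published bogon list
(format assumed: one prefix per line, '#' comments) and a stale firewall
fragment of the kind the thread complains about.
"""
import ipaddress
import re
from typing import List

# Constructed "current" bogon list in the spirit of the thread: only the large
# reserved/unallocated blocks.  69.0.0.0/8 is deliberately absent, because the
# RIR has started issuing from it.
CURRENT_BOGONS = """
# published bogon list (constructed sample, not a real feed)
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.2.0/24
192.168.0.0/16
224.0.0.0/3
"""

# Constructed stale firewall fragment, the sort copied from a sample page and
# never revisited.  It still drops 69/8.
STALE_IPTABLES = """
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 69.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
"""

_SRC = re.compile(r"(?:^|\s)(?:-s|--source)\s+(\S+)")


def parse_bogon_list(text: str, max_prefixlen: int = 24) -> List[ipaddress.IPv4Network]:
    """Parse one-prefix-per-line text into networks.

    Entries longer than max_prefixlen are dropped on purpose: the thread's
    definition of a bogon is the large unallocated/reserved block, not every
    small hole in the allocation space.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.prefixlen <= max_prefixlen:
            nets.append(net)
    return nets


def parse_filter_sources(text: str) -> List[ipaddress.IPv4Network]:
    """Pull the source prefixes out of iptables-style DROP rules."""
    nets = []
    for line in text.splitlines():
        if " -j DROP" not in line:
            continue
        m = _SRC.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def stale_rules(filter_nets, bogon_nets) -> List[str]:
    """Return dropped prefixes that no current bogon entry covers.

    A rule is still valid if its prefix lies entirely inside some published
    bogon; anything else is blocking space that may now be assigned.
    """
    stale = []
    for fn in filter_nets:
        covered = any(fn.version == bn.version and fn.subnet_of(bn) for bn in bogon_nets)
        if not covered:
            stale.append(str(fn))
    return stale


def audit(bogon_text: str, filter_text: str) -> List[str]:
    """Convenience wrapper: stale prefixes in filter_text given bogon_text."""
    return stale_rules(parse_filter_sources(filter_text), parse_bogon_list(bogon_text))


def render_iptables(bogon_text: str, chain: str = "INPUT") -> List[str]:
    """Regenerate the filter from the current list instead of hand-editing it."""
    return [f"iptables -A {chain} -s {net} -j DROP" for net in parse_bogon_list(bogon_text)]


if __name__ == "__main__":
    for prefix in audit(CURRENT_BOGONS, STALE_IPTABLES):
        print(f"stale: {prefix} is no longer in the published bogon list")
    print("\n".join(render_iptables(CURRENT_BOGONS)))
```

Run on the constructed inputs, the audit reports only 69.0.0.0/8 as stale; the other three DROP rules are still covered by the current list. The `max_prefixlen` cut-off is how the script honours the "large blocks only" definition: a list that ships every small unassigned hole would be rejected past /24 rather than turned into hundreds of rules that go stale even faster. Regenerating the rules from the feed, rather than patching them by hand, is the point of the whole thread.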