Draft client notice for 69/8 problems

Matt Martini martini at invision.net
Wed Mar 19 18:58:36 UTC 2003


Nanog:

Below is a draft of a letter that we will be sending to clients who
experience 69.0.0.0/8 connectivity problems. I am making it available to
help those ISPs that are confronted by clients with connectivity issues
due to assigning them 69.0.0.0/8 addresses. It can be adapted to suit an
ISP's specific needs.

I welcome comments and advice. (I know I'm gonna hate myself for saying
that around here ;^)

Matt

__________________________ http://www.invision.net/ _______________________

 Matthew E. Martini, PE        InVision.com, Inc.   (631) 543-1000 x104
 Chief Technology Officer      matt at invision.net    (631) 864-8896 Fax
_______________________________________________________________________pgp_




_______________________________________________________________________

               NOTICE REGARDING NETWORK REACHABILITY
_______________________________________________________________________

Dear Customer:

This document discusses problems connecting to/from your site over the
Internet due to outdated filtering by your ISP or IT Department. It will
give a high level explanation of the problem and offer a solution. It
will then discuss the issue in detail at a technical level sufficient
for network administrators to fix the problem.

<ISP_NAME>'s Customer Service will work with you to help your ISP/IT
Department resolve these issues. You can contact us at
tech-support@<ISP.COM> or (555) 555-5555 x555.


<YOUR_NAME>
<YOUR_TITLE>
<ISP_NAME>


Problem Description
___________________

Certain computers cannot reach and/or be reached by other computers on
the Internet. Symptoms of this would be the inability to go to certain
web sites, or the inability to send/receive email from certain sites.

The cause of this is outdated IP filters on routers and/or firewalls.
These filters are put into place by network administrators to prevent
malicious use of unallocated IP addresses. However, the list of
allocated addresses changes over time and so the filters must be updated
to avoid blocking legitimate, albeit newly valid IP addresses.

Every few months a new block of IP addresses is released by the IP
registries to ISPs and then in turn to end users. The IP block
69.0.0.0/8 was allocated to ARIN as a usable block in August 2002.
Before this time these addresses were unallocated and invalid for use on
the Internet.  Network administrators before this time may have filtered
this block of IPs, along with all of the other unallocated blocks, in
their routers and firewalls.  If these filters were not updated since
August 2002, they would improperly filter traffic to and from these
addresses and thus cause the connectivity problems you are experiencing.


Recommended Solution
____________________

The solution is rather a simple one. All that has to be done is to
update these router and firewall filters to allow the 69.0.0.0/8 block
of addresses. This is usually a matter of a fairly simple configuration
change that can be accomplished by your Network Administrators, IT
Department, or ISP.

Finding the correct person to implement these changes can be somewhat
more challenging than the problem itself. <ISP> Customer Service can
help you track down the place where the filtering is taking place. It
may be taking place at your ISP's boundary, or a corporate firewall.
Once the place is identified you can then have the responsible party
make the changes. Once again <ISP> will be there to explain the
technical details of this issue.

Please let us know if we can assist in any way to help you fix this
problem.


Action Items for Network Administrators and ISPs
_______________________________________________

Please update your BGP ingress filters and firewall rules to allow
69.0.0.0/8 routes and traffic as these addresses became valid IPs
allocated by ARIN in August 2002.

Please contact tech-support@<ISP.COM> for assistance.


Detailed Explanation
____________________

The Internet Assigned Numbers Authority (IANA) allocates Internet
Protocol version 4 (IPv4) address space to Registries including ARIN,
RIPE, and APNIC. These registries in turn allocate address space to ISPs
who in turn allocate addresses for end-users. This is documented in RFC
1466. See: http://www.iana.org/assignments/ipv4-address-space

All of the addresses that are not allocated by the above process should
never appear in the Internet routing table. These unallocated addresses
are dubbed "Bogons". A packet routed over the public Internet should
never have a source address in a bogon range. These are commonly found
as the source addresses of DDoS attacks.

As such, a network administrator may filter these IP addresses from their
routing tables and block them from entering their network via firewall
rules. This behavior is actually encouraged because it helps to limit
Denial of Service attacks.

However, these filters must be kept up to date to avoid filtering newly
released and valid IPs. The IANA allocations change fairly often,
sometimes in as little as every four months. Administrators who elect
to engage in strict filtering must be prepared to follow the IANA
allocation changes and update their filters regularly. Mailing lists
such as NANOG, isp-bgp, isp-routing as well as
http://www.cymru.com/Bogons are good places to look for announcements
of changes.

http://www.cymru.com/Bogons is also an excellent reference which
explains bogon filters, shows how to find the latest lists, and
educates network administrators on how to subscribe to appropriate
announcement lists to become aware of updates/changes in what IPs can
be safely filtered.

Here is a brief look at the more recent changes:

Address
Block   Date     Registry - Purpose                  Notes or Reference
-----   ------   ---------------------------         ------------------

063/8   Apr 97   ARIN                                (whois.arin.net)
064/8   Jul 99   ARIN                                (whois.arin.net)
065/8   Jul 00   ARIN                                (whois.arin.net)
066/8   Jul 00   ARIN                                (whois.arin.net)
067/8   May 01   ARIN                                (whois.arin.net)
068/8   Jun 01   ARIN                                (whois.arin.net)
069/8   Aug 02   ARIN                                (whois.arin.net)

080/8   Apr 01   RIPE NCC                            (whois.ripe.net)
081/8   Apr 01   RIPE NCC                            (whois.ripe.net)
082/8   Nov 02   RIPE NCC                            (whois.ripe.net)

220/8   Dec 01   APNIC                               (whois.apnic.net)
221/8   Jul 02   APNIC                               (whois.apnic.net)
222/8   Feb 03   APNIC                               (whois.apnic.net)
223/8   Feb 03   APNIC                               (whois.apnic.net)


Those administrators who feel that maintaining their filters regularly
is too difficult, or those organizations who don't have an IT department
can set up filtering for just DSUA addresses. These are routes that
should NOT be routed on the Internet. They include RFC 1918, "Martian"
networks, 127.0.0.0/8, and multicast blocks. These are fully detailed in
Bill Manning's document:

    ftp://ftp.ietf.org/internet-drafts/draft-manning-dsua-08.txt

Along with filtering your own IPs from ingress and allowing only your
assigned IPs at egress this filtering set is the minimum that all ISPs
and corporations should use. It has the benefit that it is fairly static
and requires much less maintenance.

Again, please contact tech-support@<ISP.COM> for assistance in updating
your filters.
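
The following is an added example, not part of the original message or the draft notice: a Python audit of a deny list against the /8 allocations tabulated in the notice, flagging entries (including aggregates such as a /7) that now block allocated space. The sample deny list, the function name and the verdict labels are constructed for illustration.

```python
import ipaddress

# /8 blocks and allocation dates copied from the table in the notice above.
ALLOCATED = {
    "63.0.0.0/8": "Apr 97", "64.0.0.0/8": "Jul 99", "65.0.0.0/8": "Jul 00",
    "66.0.0.0/8": "Jul 00", "67.0.0.0/8": "May 01", "68.0.0.0/8": "Jun 01",
    "69.0.0.0/8": "Aug 02", "80.0.0.0/8": "Apr 01", "81.0.0.0/8": "Apr 01",
    "82.0.0.0/8": "Nov 02", "220.0.0.0/8": "Dec 01", "221.0.0.0/8": "Jul 02",
    "222.0.0.0/8": "Feb 03", "223.0.0.0/8": "Feb 03",
}

# Static ranges the notice names as never routable:
# RFC 1918, loopback (127.0.0.0/8) and multicast.
STATIC = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
          "127.0.0.0/8", "224.0.0.0/4"]


def audit_deny_list(prefixes):
    """Classify each denied prefix as 'stale', 'static' or 'review'.

    Returns a list of (prefix, verdict, detail) tuples.
    """
    allocated = [(ipaddress.ip_network(p), d) for p, d in ALLOCATED.items()]
    static = [ipaddress.ip_network(p) for p in STATIC]
    results = []
    for text in prefixes:
        net = ipaddress.ip_network(text.strip(), strict=False)
        # Any overlap with an allocated /8 means legitimate traffic is dropped.
        hits = [f"{a} ({d})" for a, d in allocated if net.overlaps(a)]
        if hits:
            results.append((str(net), "stale", ", ".join(hits)))
        elif any(net.subnet_of(s) for s in static):
            results.append((str(net), "static", "never routable, keep"))
        else:
            results.append((str(net), "review", "check current IANA list"))
    return results


# Constructed sample deny list, as an old router filter might contain.
SAMPLE_DENY = ["10.0.0.0/8", "69.0.0.0/8", "68.0.0.0/7", "127.0.0.0/8",
               "192.168.0.0/16", "222.0.0.0/7", "224.0.0.0/4", "1.0.0.0/8"]

if __name__ == "__main__":
    for prefix, verdict, detail in audit_deny_list(SAMPLE_DENY):
        print(f"{prefix:18} {verdict:7} {detail}")
```

Entries reported as "review" are outside both tables in this example and need checking against the current IANA assignment list before they are kept or removed.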



