BCP38 making it work, solving problems

Paul Vixie vixie at vix.com
Wed Oct 13 16:48:36 UTC 2004


> Some medium-big (and up) operators implement 'RFC-1918 source' filters on 
> their gateways to the 'external internet', ...

maybe so.  but i want to renew an old complaint, with updated numbers:

   # ipfw show
   ...
   00400   57623404    3927757977 deny ip from 10.0.0.0/8 to any in
   00500  139309999   11937839356 deny ip from 172.16.0.0/12 to any in
   00600   35860354    2414549719 deny ip from 192.168.0.0/16 to any in
   00700 6041138223  399700558975 pipe 1 udp from any to any dst-port 53 in
   00800   29757298    1264366050 pipe 2 tcp from any to any dst-port 53 in
   ...

those are rule#, packets, octets, and rule.  on this f-root server which
is one of about 50 although its routing placement causes it to hear more
requests, usually, than most of the others, we see that since last reboot:

   233M packets (18G octets) came from an RFC1918 source
   6G packets (401G octets) came from non-RFC1918 sources

i think it's fair to say that filtering RFC1918 source addresses on egress
toward "the core" is not all that common.  although i'm happy to report that
both AOL and SBC now do it, and the above numbers havn't gotten as much worse
as i expected they would in the time since my last complaint.

   # tcpdump -n -s 0 -c 10 udp port 53 and \
        src net \( 10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 \)
   ...
   16:45:06.164258 192.168.0.1.1030 > 192.5.5.241.53:  \
	12540 A? x1.w00pie.nl. (30)
   16:45:06.181960 172.16.160.2.53 > 192.5.5.241.53:  \
        7929 A? NPIFF12B7.k12.nj.us. (37)
   16:45:06.182641 10.8.1.16.1051 > 192.5.5.241.53:  \
        15860 [1au] PTR? 98.239.71.156.in-addr.arpa. (55)
   16:45:06.320755 192.168.230.161.1041 > 192.5.5.241.53:  \
        3026 A? rsthost3.ods.org.cncc.com. (43)
   16:45:06.339133 172.20.0.13.53 > 192.5.5.241.53:  \
        27425 A? infopak.gov.pk. (32)
   16:45:06.378595 10.1.100.51.53 > 192.5.5.241.53:  3217 A? PC00000737. (28)
   16:45:06.394286 10.8.1.11.53 > 192.5.5.241.53:  8457 A? www.office.ac. (31)
   16:45:06.394933 10.8.1.11.53 > 192.5.5.241.53:  6422 A? www.office.ac. (31)
   16:45:06.395310 10.8.1.11.53 > 192.5.5.241.53:  288 A? www.office.ac. (31)
   16:45:06.395803 10.8.1.11.53 > 192.5.5.241.53:  246 A? www.office.ac. (31)
   ...

i've been wondering if it would be possible to track down these sources by
looking at the query-names.  i've also been wondering if ISC should have a
peering agreement requiring peers to implement BCP38.
-- 
Paul Vixie



More information about the NANOG mailing list