was bogon filters, now "Brief Segue on 1918"
bpfankuch at cpgreeley.com
Wed Aug 6 08:39:20 CDT 2008
Where I work we are more aimed towards the SMB market, and we do run into that issue a lot. Of course a lot of the problem we run into is that the "engineers" who set up these SMB clients, even getting into some of the larger businesses, just use what they always do. I can think of one specific engineer for whom everything he does is 192.168.1.0/24, .254 gateway, .1 server, which has caused issues. We have one particular client who has nearly 40 VPNs between partners, and they have actually had to do a lot of NATting at the VPN endpoint, as they have 3 clients they connect to that are 10.0.1.0/24 and several that are 192.168.0.0/24. However, a lot of the newer VPN firewalls that we work with actually do a pretty slick job. SonicWall NSA series devices have a "NAT VPN range" checkbox when you build the VPN and you just give it the range to use, as do the Fortinet devices.
From: Darden, Patrick S. [mailto:darden at armc.org]
Sent: Wednesday, August 06, 2008 7:26 AM
To: nanog at nanog.org
Subject: was bogon filters, now "Brief Segue on 1918"
Was looking over 1918 again, and for the record I have only run into one
network that follows:
"If two (or more) organizations follow the address allocation
specified in this document and then later wish to establish IP
connectivity with each other, then there is a risk that address
uniqueness would be violated. To minimize the risk it is strongly
recommended that an organization using private IP addresses choose
*randomly* from the reserved pool of private addresses, when
allocating sub-blocks for its internal allocation."
I added the asterisks.
Most private networks start at the bottom and work up: 192.168.0.X++,
10.0.0.X++, etc. This makes any internetworking (ptp, vpn, etc.)
ridiculously difficult. I've seen a lot of hack jobs using NAT to get
around this. Ugly.
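The RFC 1918 advice quoted above, worked through as an added example that is not part of the thread: a check that flags which partner ranges overlap (the case where a VPN cannot be built without NAT), and a picker that draws a sub-block uniformly at random from the three private pools while avoiding ranges already in use. The weighting by pool size and the bounded-retry loop are my own choices, not anything the RFC or the posters specify.

```python
import ipaddress
import secrets

# The three RFC 1918 pools as listed in the thread: 10/8, 172.16/12, 192.168/16
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def overlapping_pairs(networks):
    """Return (a, b) pairs of networks whose address space overlaps.
    Two sites whose ranges appear here cannot be joined by a VPN without NAT."""
    nets = [ipaddress.ip_network(n) for n in networks]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs

def random_private_block(prefixlen, in_use, rng=secrets.randbelow):
    """Pick a /prefixlen block uniformly at random across the RFC 1918 pools
    (each pool weighted by how many such blocks it holds), rejecting any
    candidate that overlaps a range already in use. rng(n) must return an
    int in [0, n); it is a parameter so tests can make the draw deterministic."""
    used = [ipaddress.ip_network(n) for n in in_use]
    # Number of /prefixlen blocks each pool can hold (0 if the pool is smaller)
    counts = [2 ** (prefixlen - p.prefixlen) if prefixlen >= p.prefixlen else 0
              for p in RFC1918]
    total = sum(counts)
    for _ in range(1000):  # bounded retries so a full pool cannot loop forever
        idx = rng(total)
        for pool, count in zip(RFC1918, counts):
            if idx < count:
                base = int(pool.network_address) + idx * 2 ** (32 - prefixlen)
                candidate = ipaddress.ip_network((base, prefixlen))
                break
            idx -= count
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    raise RuntimeError("no free RFC 1918 block of that size found")
```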
From: Darden, Patrick S.
Sent: Wednesday, August 06, 2008 9:19 AM
To: 'Leo Bicknell'; nanog at nanog.org
Subject: RE: Is it time to abandon bogon prefix filters?
Yes. 1918 (10/8, 172.16/12, 192.168/16), D, E, reflective (outgoing
mirroring), and as always individual discretion.
From: Leo Bicknell [mailto:bicknell at ufp.org]
Sent: Wednesday, August 06, 2008 9:10 AM
To: nanog at nanog.org
Subject: Is it time to abandon bogon prefix filters?
"Bogon" filters made a lot of sense when most of the Internet was
bogons. Back when 5% of the IP space was allocated blocking the
other 95% was an extremely useful endeavour. However, by the same
logic as we get to 80-90% used, blocking the 20-10% unused is
reaching diminishing returns; and at the same time the rate in which
new blocks are allocated continues to increase causing more and
more frequent updates.
Have bogon filters outlived their use? Is it time to recommend people
go to a simpler bogon filter (e.g. no 1918, Class D, Class E) that
doesn't need to be updated as frequently?
Leo Bicknell - bicknell at ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/