1/8 was allocated to APNIC this month, but as an LIR in the AP region (I'm a JPNIC member), I have some concerns regarding this.
1/8 has had many bogons in the past due to people copying example configs and putting them into the router, people using 1/8 as private space, etc. As an ISP that may request additional allocations, this is a concern for me. Of course no /8 is ever clean, but 1/8 is at a point where it feels slightly uncomfortable to have the prefix.
Do others share my concern? If so, what could we do to do away with these concerns?
Regards, Seiichi

> 1/8 was allocated to APNIC this month, but as an LIR in the AP region (I'm a JPNIC member), I have some concerns regarding this.
> 1/8 has had many bogons in the past due to people copying example configs and putting them into the router, people using 1/8 as private space, etc. As an ISP that may request additional allocations, this is a concern for me. Of course no /8 is ever clean, but 1/8 is at a point where it feels slightly uncomfortable to have the prefix.
> Do others share my concern?
this will be of concern for at least two reasons
o people who have bogon filters in their routers and do not update them. the measurements olaf maennel and i did a few years back show that, even when we all shout on the ops' mailing lists, people do not change filters. many isps and end sites do not know they filter, and the filters were installed by someone who left the company before years ago.
we also did a toolset which aided in diagnosing where in the network topology such filters were, to the AS and router level. this tool has never been used or deployed by the rirs which are handing out the filtered space.
o as has been discussed on nanog and elsewhere, many foolish sites have used 1/8 as if it was rfc1918 private address space. this means they will need to renumber to be able to reach LIRs and end sites which get legitimate allocations out of the now allocated 1/8. they did something stupid, so they do not have my sympathy. i think we should put some really good content in the 1/8 space and let them whine to their upstream isp's noc.
randy

Hi Randy
thanks for your comments. fully agree to them, and I also have another reason to be concerned.
there is a higher chance of being hijacked with 1/8 than with others because of the naughty usage of the /8 in the past. I seriously doubt these people that misbehave check allocation status. There's more but I won't go on. For now, I cannot think of a good way to go about this. If we had RPKI now, this would be one less worry...
I think they are doing testing right now, but it would feel a bit more comfortable if APNIC handed out 1/8 after they've done with 27/8.
Any others that have suggestions?
Regards, Seiichi

This is a simple comment.
According to delegated-latest, APNIC is not using 182/8 allocated in Aug 2009. APNIC will start to use 1/8 and 27/8, after 182/8 is used up.
But I think that time is running out.
We should fix this misusing problem of 1/8. Why not gather comments and feedback in APRICOT 2010/APNIC 29?
Regards, Masataka MAWATARI

On Monday 25 January 2010 09:59:53 am MAWATARI Masataka wrote:
> We should fix this misusing problem of 1/8. Why not gather comments and feedback in APRICOT 2010/APNIC 29?
This could actually be a good topic for discussion/presentation at the next APRICOT/APNIC meetings.
Cheers,
Mark.

Mark Tinka said the following on 25/01/10 12:01 :
> On Monday 25 January 2010 09:59:53 am MAWATARI Masataka wrote:
> > We should fix this misusing problem of 1/8. Why not gather comments and feedback in APRICOT 2010/APNIC 29?
> This could actually be a good topic for discussion/presentation at the next APRICOT/APNIC meetings.
I'd love someone to volunteer to put this together... We have a couple of free slots still in the routing session that is planned, and this would be perfect! :-)
Anyone?
philip

Greetings Mark, Philip and all,
Thank you for responding.
We want to discuss what to do on this apops list right now. Before starting to use 1/8 block..
- recommending correct prefix filter. (esp, Transit SPs)
- recognizing advertised prefixes in 1/8 block.
- detecting bogon routes and noticing source ASN.
- warning to AnoNet and WIANA.
- anything else? please!
* Seiichi Kawamura kawamucho@mesh.ad.jp wrote:
> I think they are doing testing right now, but it would feel a bit more comfortable if APNIC handed out 1/8 after they've done with 27/8.
I agree. I think that APNIC should start to use 1/8 after 27/8 is used up.
and, in case 1/8 block come into use. RIR/NIR allow to change allocation, if prefix allocating to xSP is very black (ex. 1.1.1.0).
Regards, Masataka MAWATARI

Hi Masataka-san,
MAWATARI Masataka said the following on 26/01/10 12:21 :
> We want to discuss what to do on this apops list right now. Before starting to use 1/8 block..
> - recommending correct prefix filter. (esp, Transit SPs)
Team Cymru usually send out a reminder to the various NOG lists worldwide - and those who use their bogon route-server service will be automatically "fixed". And Leo's announcement should have made some ISPs notice. Not enough though. :-(
> - recognizing advertised prefixes in 1/8 block.
> - detecting bogon routes and noticing source ASN.
APNIC do announce a few address blocks from their new allocation for a few months before it goes into service. This should give ISPs opportunity to check for reachability - it doesn't solve the problem of people who simply aren't paying any attention, but that's not unique to any particular address block. Given the situations where I've come across "static BGP filters installed by an integrator" which are left untouched, I can see problems with 1/8 as with every other block that is pressed into service.
> - warning to AnoNet and WIANA.
> - anything else? please!
Randy's two suggestions should be considered.
And yes, some really good content should be put up on a subblock from 1/8 - something no one can do without.
Or someone requests a test allocation from 1/8 and tests some of the connectivity that it has, and publishes reachability to the average consumer's most popular destinations (whatever they are)?
No idea how to fix the 1.2.3.4/32 and 1.2.3.0/24 examples that still crop up in many many configuration documents though. :-(
philip

> Team Cymru usually send out a reminder to the various NOG lists worldwide - and those who use their bogon route-server service will be automatically "fixed". And Leo's announcement should have made some ISPs notice. Not enough though. :-(
our recent IMC shows measurements that the filters do not change for at least six months after email notice. we are considering re-running now, 18 months later.
in cooperation with apnic, we could also run the filter finder on pieces of 1/8.
randy

Here's a different point of view.
What I'm thinking is... would I really want to assign 1.1.0.0/24 (or any prefix like 1.80.0.0/13, 1.1.88.0/24 or whatever that has been abused by several ASes in the past few months) to my precious customer? I would say not for a while.
I would be more comfortable if 1/8 stayed in the debogon project for at least 6 months, and stayed there unhijacked for that period of time, until we started seeing them allocated.
Regards, Seiichi

> I would be more comfortable if 1/8 stayed in the debogon project for at least 6 months, and stayed there unhijacked for that period of time, until we started seeing them allocated.
again, our measurements showed that folk did not remove filters over six months. so some more aggressive approach may be needed.
randy

Dear all,
> Or someone requests a test allocation from 1/8 and tests some of the connectivity that it has, and publishes reachability to the average consumer's most popular destinations (whatever they are)?
I think it is a more practical way than putting mandatory content in /8, which may not be agreed by the owner of such content.
Rgs, Masato

> No idea how to fix the 1.2.3.4/32 and 1.2.3.0/24 examples that still crop up in many many configuration documents though. :-(
Let's request to decrease ranking in search engines for such harmful examples. It cannot fix already misconfigured routers, but it prevents newly misconfigured routers.
Rgs, Masato Yamanishi

Greetings Team Cymru,
* On Fri, 29 Jan 2010 04:07:04 +0900 * myamanis@bb.softbank.co.jp wrote:
> > No idea how to fix the 1.2.3.4/32 and 1.2.3.0/24 examples that still crop up in many many configuration documents though. :-(
> Let's request to decrease ranking in search engines for such harmful examples.
This document is not using 1/8 for route filter, but this is a very useful reference.
http://www.cymru.com/Documents/secure-ios-template.html
http://www.cymru.com/gillsr/documents/junos-template.pdf
Please, revise sample IP addresses in this document to TEST-NET addresses from 5.5.5.1, 6.6.6.1, ...
> It cannot fix already misconfigured routers, but it prevents newly misconfigured routers.
Regards, Masataka MAWATARI

Hello All,
Kindly take a look at this:
http://www.ris.ripe.net/mt/prefixdashboard.html?prefix=1.2.3.0%2F24
route-server>show ip route 1.0.0.0
Routing entry for 1.0.0.0/8, 4 known subnets
  Variably subnetted with 3 masks
B 1.2.3.0/24 [20/0] via 12.123.1.236, 00:57:44
B 1.1.1.0/24 [20/0] via 12.123.1.236, 00:57:44
B 1.50.0.0/22 [20/0] via 12.123.1.236, 00:57:44
B 1.255.0.0/16 [20/0] via 12.123.1.236, 00:57:44
Regards,
Aftab A. Siddiqui
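An added example, not part of the thread or any participant's tooling: a small audit of the kind of untouched static bogon filter discussed above, showing which deny entries now cover allocated space and how the four routes from the route-server output would be treated. The prefix-list contents and the function names are constructed for illustration; the allocated list is just the three /8s named in the thread.

```python
import ipaddress
import re

# Constructed sample (not from the thread): a static bogon filter in Cisco IOS
# prefix-list syntax that nobody updated after 1/8 and 27/8 were allocated.
STALE_FILTER = """\
ip prefix-list BOGONS seq 5 deny 0.0.0.0/8 le 32
ip prefix-list BOGONS seq 10 deny 1.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 20 deny 27.0.0.0/8 le 32
ip prefix-list BOGONS seq 25 deny 192.168.0.0/16 le 32
ip prefix-list BOGONS seq 30 permit 0.0.0.0/0 le 24
"""
# The /8s the thread names as allocated to APNIC.
ALLOCATED = [ipaddress.ip_network(p)
             for p in ("1.0.0.0/8", "27.0.0.0/8", "182.0.0.0/8")]
# Route lines as quoted from the route-server in the message above.
ROUTES = """\
B 1.2.3.0/24 [20/0] via 12.123.1.236, 00:57:44
B 1.1.1.0/24 [20/0] via 12.123.1.236, 00:57:44
B 1.50.0.0/22 [20/0] via 12.123.1.236, 00:57:44
B 1.255.0.0/16 [20/0] via 12.123.1.236, 00:57:44
"""
ENTRY = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?")

def parse_filter(text):
    """Return entries as (seq, action, network, min_len, max_len), by seq."""
    entries = []
    for seq, action, prefix, ge, le in ENTRY.findall(text):
        net = ipaddress.ip_network(prefix)
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def stale_denies(entries, allocated):
    """Deny entries overlapping space that has since been allocated."""
    return [(seq, str(net)) for seq, action, net, _, _ in entries
            if action == "deny" and any(net.overlaps(a) for a in allocated)]

def verdict(entries, route):
    """First matching entry wins; no match falls to the implicit deny."""
    for seq, action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action, seq
    return "deny", None

def audit_routes(entries, text):
    """Map each BGP route in 'show ip route' output to its filter verdict."""
    found = re.findall(r"^B\s+(\S+/\d+)", text, re.M)
    return {p: verdict(entries, ipaddress.ip_network(p)) for p in found}

if __name__ == "__main__":
    rules = parse_filter(STALE_FILTER)
    print("stale deny entries:", stale_denies(rules, ALLOCATED))
    for prefix, result in audit_routes(rules, ROUTES).items():
        print(prefix, result)
```

Run against a real configuration, the same overlap check needs a current list of allocated blocks in place of the three-entry `ALLOCATED` used here.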