North American Network Operators Group


Re: revised ACL 112 ?

  • From: I Am Not An Isp
  • Date: Fri Jun 18 03:59:35 1999

At 11:37 PM 6/16/99 +0200, Philippe Strauss wrote:

>The exact access list is the one Sean described on this
>list in 1995, available at http://www.ianai.net/filters/Sprint-ACL112

Something I had forgotten was pointed out to me by a friend.  THAT LIST
CONTAINS ERRORS - YOU ARE DENYING VALID ROUTES.  And I do not mean just
those with masks longer than 19 bits.

Specifically, from
http://www.cctec.com/maillists/nanog/historical/9509/msg00107.html, we see:

!        allow M =< /18 in 206/8-239/8 (1100 111x *, 1110 xxxx *)
!               (allow mask bits in first 18 bits)
!               1100111x == {206,207}
!               1110xxxx == {208-239}
!
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0


Which *should* be:

!        allow M =< /18 in 206/8-239/8 (1100 111x *, 1110 xxxx *)
!               (allow mask bits in first 18 bits)
!               1100111x == {206,207}
!               1101xxxx == {208-223}
!               1110xxxx == {224-239}
!
access-list 112 permit ip 206.0.0.0  1.255.255.255  0.0.0.0 255.255.192.0
access-list 112 permit ip 208.0.0.0 15.255.255.255  0.0.0.0 255.255.192.0
access-list 112 permit ip 224.0.0.0 15.255.255.255  0.0.0.0 255.255.192.0

(Ignoring the fact that /19s were just allowed in 206/8 in the line before. :)


This was a very early rev of 112, posted by Sean here on NANOG.  (The
earliest I could find, in fact.)  First of all, you are blocking even /19s
in all but 206/8, allowing /18s.  But you are *completely* blocking
208-224, as there is no permit statement for them.

I am sorry, I never intended that page to be USED by anyone, it was
strictly there for historical/reference purposes.

Philippe, if you are going to use something like a modern ACL112, please
check out Sean's later posts in the NANOG archive.

I shall update the page soon with a correct version of 112, and a
corrected/updated version of my filter from the merit page.  Sorry if
anyone else has used this filter.

>Philippe Strauss, network/systems engineer, Urbanet SA

TTFN,
patrick

P.S.  I am in no way implying this is Sean's fault.  The web page is an early,
untested version and I really never meant for anyone to actually USE it.
In fact, there is no link to the list anywhere on any of my other pages or
anything like that.  Philippe must have attended one of my classes or
something, where I specifically stated it was an early, broken version.

--
  I Am Not An Isp - www.ianai.net
  ISPF, The Forum for ISPs by ISPs, <http://www.ispf.com>
  "Think of it as evolution in action." - Niven & Pournelle
  (No, I still don't have enable. ;-)
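The gap described in the post (the second permit line of the early ACL 112 matching 224-239 instead of 208-239, so 208-223 falls through to the implicit deny) can be checked mechanically. The following is an added example, not code from the post, from Sean's original message, or from the ianai.net page: a small evaluator for extended-ACL lines used as a route filter, where the source field matches the network address and the destination field matches the subnet mask (the Cisco distribute-list convention), with a set wildcard bit meaning "don't care". The two ACL texts are copied from the post above; the probe that tests the all-zero network in each /8 is a simplification chosen for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Both ACL texts are taken from the post: the early version, and the corrected one.
ORIGINAL_ACL = """
! allow M =< /18 in 206/8-239/8 (as posted in 1995; second line only covers 224-239)
access-list 112 permit ip 206.0.0.0 1.255.255.255 0.0.0.0 255.255.192.0
access-list 112 permit ip 239.0.0.0 15.255.255.255 0.0.0.0 255.255.192.0
"""

CORRECTED_ACL = """
! allow M =< /18 in 206/8-239/8 (corrected: 206-207, 208-223, 224-239)
access-list 112 permit ip 206.0.0.0  1.255.255.255  0.0.0.0 255.255.192.0
access-list 112 permit ip 208.0.0.0 15.255.255.255  0.0.0.0 255.255.192.0
access-list 112 permit ip 224.0.0.0 15.255.255.255  0.0.0.0 255.255.192.0
"""


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list N permit|deny ip A W B X' line.
    A/W match the route's network address, B/X match its subnet mask."""
    action: str
    net: int
    net_wild: int
    mask: int
    mask_wild: int


def _ip(text: str) -> int:
    return int(IPv4Address(text))


def parse_acl(text: str) -> list[AclEntry]:
    """Parse extended-ACL lines; '!' lines are IOS comments and are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if len(parts) != 8 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        action = parts[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        entries.append(AclEntry(action, _ip(parts[4]), _ip(parts[5]),
                                _ip(parts[6]), _ip(parts[7])))
    return entries


def wildcard_match(value: int, base: int, wild: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wild & 0xFFFFFFFF
    return (value & care) == (base & care)


def prefix_mask(length: int) -> int:
    """Subnet mask for a prefix length, as a 32-bit integer."""
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF


def evaluate(entries: list[AclEntry], network: str, length: int) -> str:
    """First-match evaluation of a route network/length; implicit deny at the end."""
    net = _ip(network)
    mask = prefix_mask(length)
    for e in entries:
        if wildcard_match(net, e.net, e.net_wild) and wildcard_match(mask, e.mask, e.mask_wild):
            return e.action
    return "deny"


def unreachable_first_octets(entries: list[AclEntry], lo: int, hi: int, length: int) -> list[int]:
    """First octets in [lo, hi] whose zero network is denied at the given prefix length.
    Probing one network per /8 is a simplification made for this example."""
    return [o for o in range(lo, hi + 1)
            if evaluate(entries, f"{o}.0.0.0", length) == "deny"]


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        acl = parse_acl(text)
        print(name, "blocks /16s in first octets:", unreachable_first_octets(acl, 206, 239, 16))
        print(name, "206.0.0.0/19 ->", evaluate(acl, "206.0.0.0", 19),
              "| 206.0.0.0/18 ->", evaluate(acl, "206.0.0.0", 18))
```

Running it shows the original text denying every /16 in 208-223 while the corrected text permits all of 206-239, and both versions denying a /19 in 206/8 while permitting a /18, which is what the `0.0.0.0 255.255.192.0` mask part of each line encodes. The same evaluator can be pointed at any filter built this way before it is deployed.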