North American Network Operators Group


Re: 69/8...this sucks

  • From: Owen DeLong
  • Date: Tue Mar 11 14:40:46 2003


Look, there's no quick fix solution here. It's going to take real
effort and real work. However, the _REASON_ all those pages reference
sample bogon filters is because there isn't a global bogon filter
that is dynamically updated available. If there was, and people were
aware of it, they'd use it. (At least a significant percentage would).

As such, is a BGP feed a panacea? No. Is it a step in the right direction?
Yes. Will it solve the problem by itself? No. Will it improve the situation?
Yes. Moving the root servers into that space may expedite solving the problem,
but at a _VERY_ significant cost. Moving the GTLD servers might make a little
more sense (at least then, you aren't requiring _EVERYONE_ to update their
hint files), but I still don't think that's a good idea.

Others have suggested that it needs to be available in LDAP. Some have
suggested DNS. As far as I'm concerned, the same servers or some group
of servers could easily be set up to publish the authoritative BOGON list
via DNS, BGP, LDAP, HTTP(XML), FTP, and possibly other protocols.
Getting bogged down in the protocol isn't helpful. Finding a way to make
an authoritative global BOGON list (Note: BOGONS are the UNALLOCATED/UNASSIGNED/
RESERVED/INVALID _LARGE_ blocks, _NOT_ every little hole in the allocation
space) that is dynamically updated _IS_ the most practical solution for the
long haul.

Renumbering multiple global resources every time an RIR starts issuing from a
new /8 isn't feasible.

Publishing the data over the net is.

Owen


--On Tuesday, March 11, 2003 10:06 AM -0800 Joe Boyce <[email protected]> wrote:


Monday, March 10, 2003, 7:44:43 PM, you wrote:

H> Well... I am pretty sure Tier1 backbones are up-to-date on the bogon
H> filters :-)
H> As we've already discussed, it's really the smaller networks with
H> outdated bogons or with admins who don't know what they are doing..

Bingo.  No silly bgp feed will fix this problem.  The problem is
all of the small customer networks that have been setup where the
admin at the time installed a slick firewall using what was then
current information and then walked away.

I only see three ways to deal with this issue:

1.  Contact each customer net that we find that is filtering on
outdated information.  I'm sure only the operators that have been
assigned 69/8 space will start doing this (and have), since we are in
fact responding to customer complaints.  This process should be
complete in say, oh, ten years or so.  That should give us enough time
to track them all down.

Oh while we are at that, we might want to contact every operator of
websites that are displaying "sample" firewalls using ipchains,
iptables or ipfw that show 69/8 as a bogon network.  We'll need to get
them to change those webpages to show correct information.  I mean,
why have that information out there so some other clueless admin can
simply start a fresh problem for us.  I figure a couple of years to
fix this too.

2.  Find a way to break all of those customers networks that filter
69/8 so that the response time to fix it is much less than the time
to contact each and every operator.  The only way to do that is to
move something like the root servers into this space.  Yes it's crazy
but it's the only way to break smaller networks.  But once joe sixpack
wonders why he can't get to Yahoo this morning and calls his
consultant, the problem would be resolved a lot faster than it will
take us to track them down and do option 1.

3.  Have us 69/8 address assignees simply live with the problem and
stop complaining in forums such as this.  We're the ones dealing with
the end user complaints about lost connectivity to sites once we've
renumbered a link into this range. This goes back to option number
1, we'll simply bite the bullet and live with the problem and fix them
as we find them.

I'll admit, I run a small network and was quite happy to receive my
first ARIN assignment some months ago.  I wasn't so happy to find out
that once I renumbered our internal office workstations into this
range I had complaints from other employees about sites they could not
reach (starting with *.ca.gov).  I haven't even put one customer net
into this new range yet and I've already reacted to a couple of dozen
problems that less than 20 employees have found.  I'm honestly scared
to death about renumbering all of my customers now.

H> I think we are just going around the circle/preaching to the choir on
H> the same topic here.. Is this like what... 3rd time we are discussing
H> this whole 69/8 issue :-D? Really, someone needs to get out this 69/8
H> issue on the press.. Just a thought.. heh

I had an email sent to me from a writer from circleid.com (Joe
Baptista) back in late December regarding this issue when the problem
first popped up on Nanog.  As far as I can remember he was going to
write up an article on this situation.  I have no idea what became of
that.

Regards,

Joe Boyce
---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: [email protected]
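The practical check that falls out of the discussion above, written as an added example that is not part of the thread and not anyone's code from it: take a static anti-bogon rule set of the kind Joe describes (a firewall script that was correct when written and then abandoned) and diff it against a dynamically published bogon list of the kind Owen proposes. The firewall rules and the "current" bogon list below are both constructed for the example; in particular, the list assumes 69/8 has been removed (the event the thread is about) and that 70/8 and 240/4 are still bogon space, which is an assumption, not a claim about any real allocation state. The script flags rules that now block allocated space (too broad, will cause the unreachable-sites complaints Joe saw) and, in the other direction, current bogons the filter does not cover at all.

```python
import ipaddress
import re

# Constructed sample: an iptables script written when 69/8 was still
# unallocated, then never touched again.  Not from the thread.
STALE_FIREWALL_RULES = """\
# anti-bogon rules (constructed sample)
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 69.0.0.0/8 -j DROP
iptables -A INPUT -s 70.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
"""

# Constructed stand-in for a dynamically published bogon list: only the large
# unallocated/reserved blocks, as Owen defines them.  69/8 has been dropped
# because an RIR started issuing from it; 70/8 and 240/4 are ASSUMED to still
# be bogon space purely for the purposes of this example.
CURRENT_BOGONS = """\
0.0.0.0/8
10.0.0.0/8
70.0.0.0/8
127.0.0.0/8
192.168.0.0/16
224.0.0.0/4
240.0.0.0/4
"""

# Matches the source prefix of a DROP rule; hypothetical rule shape for the sample.
RULE_RE = re.compile(r"-s\s+(\S+)\s+-j\s+DROP")


def parse_drop_prefixes(rules_text):
    """Extract the prefixes a firewall script drops, skipping comments/blank lines."""
    nets = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
    return nets


def parse_bogon_list(text):
    """One prefix per line, '#' comments allowed."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def stale_rules(filter_nets, bogons):
    """Filter prefixes that are no longer entirely bogon space.

    A rule is stale when no current bogon prefix covers it, i.e. at least part
    of what it drops has been allocated since the rule was written.
    """
    return [n for n in filter_nets if not any(n.subnet_of(b) for b in bogons)]


def missing_rules(filter_nets, bogons):
    """Current bogon prefixes the filter does not block at all."""
    return [b for b in bogons if not any(b.subnet_of(f) for f in filter_nets)]


def audit(rules_text, bogon_text):
    """Return {'stale': [...], 'missing': [...]} as prefix strings."""
    filt = parse_drop_prefixes(rules_text)
    bog = parse_bogon_list(bogon_text)
    return {
        "stale": [str(n) for n in stale_rules(filt, bog)],
        "missing": [str(n) for n in missing_rules(filt, bog)],
    }


if __name__ == "__main__":
    result = audit(STALE_FIREWALL_RULES, CURRENT_BOGONS)
    for n in result["stale"]:
        print(f"STALE  : rule drops {n}, which is no longer (entirely) bogon space")
    for n in result["missing"]:
        print(f"MISSING: current bogon {n} is not filtered")
```

The coverage test is deliberately "is this rule a subnet of some current bogon prefix", not "is this exact prefix in the list": a /8 rule is stale as soon as any part of it is allocated, even if a /9 of it remains a bogon, which is the case the thread cares about. Re-running this against a freshly fetched list is the difference between a filter that tracks allocations and one that breaks 69/8 for years.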