North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Please Check Filters - BOGON Filtering IP Space 72.14.128.0/19

  • From: Christopher L. Morrow
  • Date: Fri Jan 21 00:55:56 2005 

On Thu, 20 Jan 2005, James Laszko wrote:

>
> > Wash, rinse, repeat for the other 70,000 routers you manage for
> > customers... This is definitely NOT a half-rack in a colo fix. Just
> > contacting the customers is a feat.
>
>
> And I completely agree that it's a big pain to coordinate this.  In the
> same hand, SBC and all other 'big' providers use BGP to dynamically
> update their routing tables.  Their BOGON filtering should use the same

BGP holds destination info, the problem filters you speak of are MOST
PROBABLY not BGP related at all, they are likely interface filters of the
form:

access-list 100 deny ip 0.0.0.0 0.255.255.255 any

(assuming a cisco box of course, and this is a single line, hopefully they
permit the customer network to get something as a last line in the acl)

> sort of mechanism.  If they're not going to use something like the Cymru
> BOGON BGP feed they should build their own and should have configured
> their managed routers to query that from the beginning.  As more

This is impractical as the afore-mentioned 70,000 routers are likely not
bgp capable (not all atleast, why buy that feature when all it'll ever do
is static and conencted routes?).

> old-BOGON IP's come into play, more and more of the Internet is going to
> 'fall off' to these legacy route access list restricted routers.
>

Perhaps they will see the problems and move to a better solution, perhaps
their customers will ask for filter adjustments as these new pesky /8's
you speak of are 'released' for people to use... what's an ip address
again? :(

> As much as I would have liked to coin the term 'network monkey', I read
> it in this thread by someone much more creative than I.  :-)
>

Either way, it's not the monkeys in this case most likely. I'd bet at the
least there is the issue of getting in touch with the customer, and
initiatinng change at his/her/their request... why 'fix' something that
isn't broken? there are hundreds of thousands of 2511's out there with 2MB
of flash and 11.2 code still running on them. These will NEVER be upgraded
to anything 'new' because cost to upgrade includes upgrading the hardware
at 3k minimum per box... not to mention outages for customers who 'dont
see a problem today' and don't like outages.

-Chris