North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: what the heck do i do now?
- From: John Payne
- Date: Tue Feb 06 01:37:53 2007
- Authentication-results: haybaler.sackheads.org [email protected]; domainkeys=pass (testing)
- Authentication-results: haybaler.sackheads.org [email protected]; dkim=pass (1024-bit key)
- Dkim-signature: a=rsa-sha1; c=simple/simple; d=sackheads.org; s=haybaler; t=1170743504; bh=tK19xdtOOQOJ5q2Zz03tZPlYF+s=; h=In-Reply-To: References:Mime-Version:Content-Type:Message-Id:Cc: Content-Transfer-Encoding:From:Subject:Date:To:X-Mailer; b=m64mXmjL mrpuFyhWF0WXitOltzo6Abkp3YW3T68NCXB9rysE8gc5aZg5jtvQPrKERf2bWJ9M3pG UnGtrUBAaUPzWyFyJSh8aPc6L7Ln7aHcTikY10TQ6SCmN9w5lVBTFwtlR3EeRZS7wUH vNgLIRb6vTvp/JspwAXWqTTis8MgY=
- Domainkey-signature: a=rsa-sha1; s=haybaler; d=sackheads.org; c=nofws; q=dns; h=dkim-signature:in-reply-to:references:mime-version: content-type:message-id:cc:content-transfer-encoding:from:subject:date:to:x-mailer; b=ZVk/mlynxv28AywBsNhHaxVQv4A61W5wm1PIu8tE5fLiF9EXIcrTP/eE4J2d68ybM Pd1KJty8gzVPVllpAuGOey1xK3I2ulAnQXu7N8lGFzJXna+cBTJmh0OpNiLilnb/jqD KabTPwKCFVaeFfYxP4A9rWBVh/LNam3ULygS7vE=
On Feb 6, 2007, at 12:40 AM, Jeremy Chadwick wrote:
On Mon, Feb 05, 2007 at 10:13:08PM -0500, Jon Lewis wrote:
On Mon, 5 Feb 2007, Jeremy Chadwick wrote:
1) DNS servers which are not configured to blackhole IANA-reserved
network blocks (read: the majority) will blindly try to reach
192.0.0.0/17 and friends.
192.0.2.0/24 - This block is assigned as "TEST-NET" for use in
documentation and example code. It is often used in
conjunction with
domain names example.com or example.net in vendor and protocol
documentation. Addresses within this block should not appear
on the
public Internet.
I was going purely off of what ARIN reports:
Internet Assigned Numbers Authority RESERVED-192 (NET-192-0-0-0-1)
192.0.0.0 - 192.0.127.255
Internet Assigned Numbers Authority IANA (NET-192-0-2-0-1)
192.0.2.0 - 192.0.2.255
If there is something magical about 192.0.2.0/24, then I'd love to
know what it is (please do educate me!). But from my perspective, it
just looks like another IANA-reserved netblock.
RFC 3330
192.0.2.0/24 - This block is assigned as "TEST-NET" for use in
documentation and example code. It is often used in conjunction
with
domain names example.com or example.net in vendor and protocol
documentation. Addresses within this block should not appear on the
public Internet.
BTW - there's nothing that says anything about filtering
192.0.0.0/17. It might be reserved for IANA, but there's nothing
saying it can't be used. Looks to me like ICANN is using some of
their sub-allocation in that space.
That /24 doesn't show up in BGP unless something is broken or you
have a
cymru bogon feed. Either way, worst case is you're default
routing to an
ISP/NSP and the packets get a few hops before someone drops them as
unroutable.
Right, so the mentality here is that "someone" will eventually
filter the packets or they'll be dropped due to a null route
BGP rule. This I understand, but IMHO it's better to filter such
packets before they ever reach someone else's networking gear.
(Sorry if I'm not phrasing this as eloquently as possible.) In my
case, I simply purchase co-lo space from providers and rely on their
routing configurations, hoping they're doing things properly. But
as one can see from the ipfw stats I pasted, some aren't. Understand
where I'm coming from?
Packets destined for 192.0.2.0/24 will follow the money trail. As
soon as someone stops paying, the packets will die. (Actually
sometimes they'll drop off sooner than the money trail, but that's
irrelevant). What I'm saying is that by sending packets to 192.0.2.0
the only people who'll be "harmed" by that action are people you're
paying.
2) Some people (like myself) have ipfw/pf rules which block and
log outbound packets to reserved blocks. We log these because
usually it's the sign of broken software or possibly some weird
IP routing (read: OS IP stack) problem. In the case of ipfw (I
haven't tested pf), the block gets reported to underlying layers
as EACCES, which can be incredibly confusing for admins.
If it means they get noticed, mission accomplished. That's
exactly what
Paul wants.
In that case, it's a win-win situation.
Which is probably why it was suggested....
My vote is to simply remove the NS and A records for maps.vix.com
and let people utilise search engines and mailing list archives to
figure out where to go (mail-abuse).
The vix.com NS's will get slammed with all the DNSBL queries then.
The suggestions I made at least get some of the queriers (assuming
they
have properly functioning caches) off your back for a while.
Hmm, yes, you're absolutely correct. But I'm curious why you picked
192.0.2.0/24 rather than some other reserved block? (I've also sent
a copy of this discussion to an associate of mine at Nominum, who's
now wondering the same thing I am...)
Pointing to RFC 1918 space is likely to cause "harm". 192.0.2.0/24
is guaranteed not to (unless people don't follow RFC allocations....)
I've found this thread immensely educational so far!
--
| Jeremy Chadwick jdc at
parodius.com |
| Parodius Networking http://
www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA,
USA |
| Making life hard for others since 1977. PGP:
4BD6C0CB |
|