Re: The use of .0/.255 addresses.
- Original Message - From: "Wayne E. Bouchard" <[EMAIL PROTECTED]> To: "Fergie (Paul Ferguson)" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Saturday, June 26, 2004 11:01 PM Subject: Re: The use of .0/.255 addresses. > > I can tell you that at least with my customers, the term "class C" is > only used to clarify what is meant by "slash 24" and always with the > phrase "is the equivilant to" > > And a bit surprisingly, I'm having to explain this less and less. Even > the sales team is learning to speak CIDR. > > So there is indeed hope. agreed. although, some customers are still dumb-founded when i tell them noone can give them a class C and offer a /24 instead =] paul
Re: The use of .0/.255 addresses.
I can tell you that at least with my customers, the term "class C" is only used to clarify what is meant by "slash 24" and always with the phrase "is the equivilant to" And a bit surprisingly, I'm having to explain this less and less. Even the sales team is learning to speak CIDR. So there is indeed hope. On Sun, Jun 27, 2004 at 02:44:22AM +, Fergie (Paul Ferguson) wrote: > > > > > > Amen, brother. > > - ferg > > -- Richard A Steenbergen <[EMAIL PROTECTED]> wrote: > > Do you part to help control the ignorant population: whenever you hear > someone say "class [ABC]" in reference to anything other than a historical > allocation, smack them. Hard. > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet > [EMAIL PROTECTED] or > [EMAIL PROTECTED] --- Wayne Bouchard [EMAIL PROTECTED] Network Dude http://www.typo.org/~web/
Re: The use of .0/.255 addresses.
Amen, brother. - ferg -- Richard A Steenbergen <[EMAIL PROTECTED]> wrote: Do you part to help control the ignorant population: whenever you hear someone say "class [ABC]" in reference to anything other than a historical allocation, smack them. Hard. -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet [EMAIL PROTECTED] or [EMAIL PROTECTED]
Re: The use of .0/.255 addresses.
On Sat, 26 Jun 2004, Jared Mauch wrote: > This includes Washington state host software vendors that > may need to distribute patches for networking stacks with defects > in their handling of outbound TCP connections (referenced in an alternate > email..) Then of course we could use their ignorance to advantage and setup box that you know will never be accessed from windows as .0 or .255. You want to have a firewall or router interface that will not be dropped by the zombie army? Sure, thing, just set to to .0 Actually I've done testing on this about 6 months ago and setup box with normal ip and box with .0 ip and check how much boxes were being scanned. What an amazing results! The box with normal ip gets usually at least once per minute. The box with .0 ip got scanned I think once over several days period. Apparently viruses and hackers don't know that .0 can actually be real ip either! Of course, now that I have mentioned this, it might be changing real soon (so I'll do another test in 6 months to check :) -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: The use of .0/.255 addresses.
At 10:03 PM -0400 6/26/04, Richard A Steenbergen wrote: This is what happens when your educational system continues to teach classful routing as anything other than a HISTORICAL FOOTNOTE *coughCiscocough*. This is also how you end up with 76k /24s in the global routing table. Do you part to help control the ignorant population: whenever you hear someone say "class [ABC]" in reference to anything other than a historical allocation, smack them. Hard. May I take this opportunity to remind people of my Atlanta 1998 (IIRC) NANOG tutorial on ISP addressing, "Good Providers have No Class"?
Re: The use of .0/.255 addresses.
On Sun, Jun 27, 2004 at 12:32:40AM +0100, Jonathan McDowell wrote: > > Have just spent some time trying to track down what seemed to be an > elusive problem, I thought I'd mention it here. > > I've had problems accessing www.level3.net, www.ebay.co.uk and > www.dabs.com (and a few others I don't recall). As I'm the first user of > a reasonably new netblock I thought it might be something to do with > filters on our upstreams or similar. Trying an IP from our older > netblock worked without problems, which seemed to back this up. > > However eventually I tracked it down to the use of the .0 address from > the new netblock; changing to use the .1 address meant I could access > the above sites without any difficulty. > > Various people I've asked about this have said they wouldn't use the .0 > or .255 addresses themselves, though couldn't present any concrete info > about why not; my experience above would seem to suggest a reason not to > use them. This is what happens when your educational system continues to teach classful routing as anything other than a HISTORICAL FOOTNOTE *coughCiscocough*. This is also how you end up with 76k /24s in the global routing table. Do you part to help control the ignorant population: whenever you hear someone say "class [ABC]" in reference to anything other than a historical allocation, smack them. Hard. -- Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: The use of .0/.255 addresses.
On Sat, Jun 26, 2004 at 05:01:14PM -0700, Tony Li wrote: > >Various people I've asked about this have said they wouldn't use the .0 > >or .255 addresses themselves, though couldn't present any concrete info > >about why not; my experience above would seem to suggest a reason not > >to > >use them. > > The .255 address is very likely to be a broadcast address from a > netblock of /24 or longer. I would suspect that folks are wary of > accepting > packets from a broadcast address as that could easily be a smurf. > The .0 address was used as a broadcast address long ago and then > was deprecated, so the same rationale probably applies. Some networks use /31s on p2p links, including peering links to other providers.. :) This means those links can have a .0 or .255 IP. This topic has been rehashed a few times in the past (you can find it in the nanog archives..) people using a /23 and .0 and .255 in dial and dhcp (dsl) pools having problems due to b0rken networks/hosts. My suggestion: get them to clean their act up. This includes Washington state host software vendors that may need to distribute patches for networking stacks with defects in their handling of outbound TCP connections (referenced in an alternate email..) - jared -- Jared Mauch | pgp key available via finger from [EMAIL PROTECTED] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: The use of .0/.255 addresses.
On Sat, 26 Jun 2004, Tony Li wrote: > The .255 address is very likely to be a broadcast address from a > netblock of /24 or longer. I would suspect that folks are wary of > accepting packets from a broadcast address as that could easily be a > smurf. The .0 address was used as a broadcast address long ago and then > was deprecated, so the same rationale probably applies. I have a case where this is currently biting me. I've got a few small blocks of address space that I've chopped up into /32's for router loopback IPs. These are in /24's which have been subnetted with various sized customer subnets and then a /27 or so worth of router loopback /32's. One in particular is: interface Loopback0 ip address 209.208.6.255 255.255.255.255 I found some time ago that my home DSL connected network could not reach (telnet, ping, etc.) that router's loopback. Our monitoring system could, and several iBGP peers could, so I didn't notice the issue until one night when trying to do some work from home. What I've found is that one of our routers (7206 doing T1/DSL aggregation running 12.1T) has .255 issues. Yes, it does have ip subnet-zero & ip classless in the config. What's really odd is, from that 7206, I can traceroute to 209.208.6.255, but if I ping 209.208.6.255 from it, I get replies from another 209.208.6.x address on a connected T1 customer's CPE, as if the ping was sent out as a broadcast ping. #sh ip ro 209.208.6.255 Routing entry for 209.208.6.255/32 Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 4 Last update from 209.208.16.29 on FastEthernet0/0.1, 00:46:47 ago Routing Descriptor Blocks: * 209.208.16.29, from 209.208.6.255, 00:46:47 ago, via FastEthernet0/0.1 Route metric is 20, traffic share count is 1 #ping 209.208.6.255 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 209.208.6.255, timeout is 2 seconds: Reply to request 0 from XX (209.208.6.xyz), 68 ms Reply to request 1 from XX (209.208.6.xyz), 68 ms Reply to request 2 from XX (209.208.6.xyz), 68 ms Reply to request 3 from XX (209.208.6.xyz), 68 ms Reply to request 4 from XX (209.208.6.xyz), 68 ms I suppose I'll give up on using the .255 IP, but I've not been looking forward to changing that as it means redoing half a dozen BGP peerings. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: The use of .0/.255 addresses.
Various people I've asked about this have said they wouldn't use the .0 or .255 addresses themselves, though couldn't present any concrete info about why not; my experience above would seem to suggest a reason not to use them. The .255 address is very likely to be a broadcast address from a netblock of /24 or longer. I would suspect that folks are wary of accepting packets from a broadcast address as that could easily be a smurf. The .0 address was used as a broadcast address long ago and then was deprecated, so the same rationale probably applies. Tony
Re: The use of .0/.255 addresses.
Jonathan McDowell <[EMAIL PROTECTED]> wrote: [...] > Various people I've asked about this have said they wouldn't use the > .0 or .255 addresses themselves, though couldn't present any > concrete info about why not; my experience above would seem to > suggest a reason not to use them. It's funny that it is you of all people that would note this, as I came to the same sort of conclusion after configuring and installing tippett.debian.org for you. Tippett has the IP address of 195.92.249.0. In the old classful scheme, this would be in a class C network. Energis actually have 195.92/16 and "supernet" the class Cs into more useful chunks. I think it's a good idea to conserve address space by issuing the IP addresses thus released. Unfortunately, a certain software producer in Redmond apparently hasn't heard of CIDR. I found that I could ping Tippett from a Windows 2000 box just fine, but TCP connections would always fail with "connection refused". Getting a packet sniffer on the job showed that Windows wasn't even issuing a SYN - it was deciding for itself that a connection wasn't valid without even trying. So it seems inadvisable to use addresses that would be network and broadcast addresses in the old classful scheme. IOW, if you've got, say, an 80.x.x.x address, .0 and .255 are most likely fine. (But test it first, as I haven't.) -- PGP key ID E85DC776 - finger [EMAIL PROTECTED] for full key
RE: The use of .0/.255 addresses.
Title: RE: The use of .0/.255 addresses. I see traffic from this last IP address octet all the time from prefixes of length less than /24. Use of these host id's when the prefix length is greater than or equal to /24 is illegal. So if that's your case, I'd suggest not doing it. If that's not the case, look for over-zealous or incorrect filters in the path. I saw this situation once before. There was a border ingress filter with a typo in it... Chris > Various people I've asked about this have said they wouldn't > use the .0 > or .255 addresses themselves, though couldn't present any > concrete info > about why not; my experience above would seem to suggest a > reason not to > use them.
The use of .0/.255 addresses.
Have just spent some time trying to track down what seemed to be an elusive problem, I thought I'd mention it here. I've had problems accessing www.level3.net, www.ebay.co.uk and www.dabs.com (and a few others I don't recall). As I'm the first user of a reasonably new netblock I thought it might be something to do with filters on our upstreams or similar. Trying an IP from our older netblock worked without problems, which seemed to back this up. However eventually I tracked it down to the use of the .0 address from the new netblock; changing to use the .1 address meant I could access the above sites without any difficulty. Various people I've asked about this have said they wouldn't use the .0 or .255 addresses themselves, though couldn't present any concrete info about why not; my experience above would seem to suggest a reason not to use them. J. -- /-\ | This is not a daffodil! This is |@/ Debian GNU/Linux Developer | not a daffodil! \- |
Re: Attn MCI/UUNet - Massive abuse from your network
On Sat, 26 Jun 2004 10:50:12 -0700 (PDT) "Tom (UnitedLayer)" <[EMAIL PROTECTED]> wrote: > The big deal is that spam complaining/etc is not operational content, and > there are several other lists to handle that sort of thing. but then, individuals get 1 free shot at saying things that are in some cases not true about spamhaus, and Steve is prohibited from attempting to correct them. hardly seems fair, richard -- Richard Welty [EMAIL PROTECTED] Averill Park Networking 518-573-7592 Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: Attn MCI/UUNet - Massive abuse from your network
On Sat, 26 Jun 2004, Jon R. Kibler wrote: > > I seldom post here because the couple of times I have followed-up to > > correct wrong statements in nanog regarding Spamhaus, such as the > > above, I have each time been told by nanog's admin that I will be > > removed from the nanog list if I respond to any question in nanog > > regarding Spamhaus again. But, here goes: > > Why would you be removed from the list for posting corrections about > Spamhaus? I looked back through the archives, and I did see one post which was fairly inflammatory, but I wasn't really that excited to read everything The big deal is that spam complaining/etc is not operational content, and there are several other lists to handle that sort of thing.
Re: Persistent DNS Zone Transfer Attempts from IP 128.232.0.31
On Sat, 26 Jun 2004, Jon R. Kibler wrote: > Greetings, > > Anyone know anything about IP 128.232.0.31? > > # host 128.232.0.31 > > 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk. > > > > We have been getting persistent zone transfer attempts that originate > from this IP address. We have had repeated zone transfer attempts http://www.justfuckinggoogleit.com/ A search for: 128.232.0.31 axfr brings up the one and only relevant hit. Too bad the IP isn't a "word" or this would be a googlewhack. If you really are seeing persistent requests from them (they say you shouldn't) then you ought to contact them, provide logs, and show them that their probe may be malfunctioning. Our probe is very polite - if it has been turned away by a server, it will not normally contact that server again. -- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net| _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Persistent DNS Zone Transfer Attempts from IP 128.232.0.31
On Sat, 26 Jun 2004 11:19:16 -0400 "Jon R. Kibler" <[EMAIL PROTECTED]> wrote: | Anyone know anything about IP 128.232.0.31? | > # host 128.232.0.31 | > 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk. | | We have been getting persistent zone transfer attempts that originate | from this IP address. We have had repeated zone transfer attempts | against all of our DNS zones -- and against all 7 name servers that we | manage. This has been going on now for about a month or two -- more or | less. Recently, we have also seen attempts to do zone transfers for | non-authoritative domains. Logging shows that this IP apparently never | attempts to make legitimate DNS queries, only zone transfers. | | Anyone know anything about this IP? | | Anyone else have the appropriate logging enabled and also seeing this | IP make zone transfer attempts? | | Thoughts/comments/suggestions? If you go to http://dns-probe.srg.cl.cam.ac.uk you will see that this activity is part of a well-documented research project at Cambridge University in the UK, which has a widely-respected computer laboratory. I have, out of courtesy, forwarded your concerns to appropriate people there but would assure everybody that this activity is entirely benign! -- Richard Cox
Re: Attn MCI/UUNet - Massive abuse from your network
Steve Linford wrote: > I seldom post here because the couple of times I have followed-up to > correct wrong statements in nanog regarding Spamhaus, such as the > above, I have each time been told by nanog's admin that I will be > removed from the nanog list if I respond to any question in nanog > regarding Spamhaus again. But, here goes: Why would you be removed from the list for posting corrections about Spamhaus? Can the list admin or other responsible person please explain the reasoning? It only seems fair that if someone is misrepresented by a posting on this list, they should be free to correct such misinformation. Jon Kibler -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 == Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
Persistent DNS Zone Transfer Attempts from IP 128.232.0.31
Greetings, Anyone know anything about IP 128.232.0.31? > # host 128.232.0.31 > 31.0.232.128.in-addr.arpa domain name pointer dns-probe.srg.cl.cam.ac.uk. > We have been getting persistent zone transfer attempts that originate from this IP address. We have had repeated zone transfer attempts against all of our DNS zones -- and against all 7 name servers that we manage. This has been going on now for about a month or two -- more or less. Recently, we have also seen attempts to do zone transfers for non-authoritative domains. Logging shows that this IP apparently never attempts to make legitimate DNS queries, only zone transfers. Anyone know anything about this IP? Anyone else have the appropriate logging enabled and also seeing this IP make zone transfer attempts? Thoughts/comments/suggestions? Thanks! Jon -- Jon R. Kibler Chief Technical Officer A.S.E.T., Inc. Charleston, SC USA (843) 849-8214 == Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
RE: Attn MCI/UUNet - Massive abuse from your network
At 9:43 am -0700 (GMT) 25/6/04, Ben Browning wrote: At 04:00 PM 6/24/2004, Hannigan, Martin wrote: [ Operations content: ] Do you know of any ISP's null routing AS701? ISPs? Not of the top of my head. I know several businesses who have, and a great many people who have blocked UUNet space from sending them email, either by using SPEWS, the SBL, or mci.blackholes.us . I seldom post here because the couple of times I have followed-up to correct wrong statements in nanog regarding Spamhaus, such as the above, I have each time been told by nanog's admin that I will be removed from the nanog list if I respond to any question in nanog regarding Spamhaus again. But, here goes: The statement by Ben Browning: "I know several businesses who have, and a great many people who have blocked UUNet space from sending them email ... by using ... the SBL" is false, the SBL has never blocked UUNet/MCI IP space that wasn't directly in the control of spammers. If Mr Browning does indeed know "several businesses and a great many people" whose UUNet/MCI IP space has been blocked by the SBL, then Mr Browning knows several spam outfits and a great many spammers. -- Steve Linford The Spamhaus Project http://www.spamhaus.org
Re: Teaching/developing troubleshooting skills
DG> Date: Fri, 25 Jun 2004 20:04:38 -0700 DG> From: Darrell Greenwood [ editted for brevity ] DG> The 5 day course can be boiled down really to one concept DG> that can be taught in 5 minutes... "binary search". Every half-decent programmer knows O(log(N)) is one's friend unless the scalar coefficient is large. A good way to demonstrate its efficiency is: * Have someone pick an integer between 1 and n, inclusive * Make guesses, going "higher" or "lower" according to the number-holder's feedback. The uninformed are surprised that one can always guess the number from 1 to 1000 in ten iterations or less. DG> The reason I am writing this note is as I went through a DG> career of troubleshooting I was surprised at the number of DG> colleagues who had no concept of "half-splitting" and used DG> "linear" or "random" techniques to determine test DG> points/tests with a corresponding dramatic reduction in DG> effectiveness. Good point. [ below text in response to nobody in particular ] It's also important that one avoid: * The faulty assumption there is but one problem * Incorrectly-formed causal relationships (NANOG-L has some examples of these) * Making too many changes in one iteration * Attempting to tackle a system with more unknowns than are absolutely necessary. A certain amount of troubleshooting can be taught, but IMHO it requires a self-driven person with intuitive reasoning. Finally: Apprenticeship. Have the novices follow along when experts work actual cases. A certain amount of troubleshooting is developing the intuition to make informed guesses -- e.g., "some idiot broke pmtud" -- and develop good leads without having to search methodically through the entire problem space. Eddy -- EverQuick Internet - http://www.everquick.net/ A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita _ DO NOT send mail to the following addresses: [EMAIL PROTECTED] -*- [EMAIL PROTECTED] -*- [EMAIL PROTECTED] Sending mail to spambait addresses is a great way to get blocked.