Re: Obsolete bogon filtering

2005-03-12 Thread Jay R. Ashworth

On Fri, Mar 11, 2005 at 10:36:28AM +, [EMAIL PROTECTED] wrote:
  2. People would have a list of sites that were known to be of less
  clue than most. This might help them make purchasing decisions in the
  future.
 
 Are you suggesting that NANOG should publish a set
 of operational best practices and then only offer
 the NANOG seal of approval to companies which adhere
 to those best practices?

The Good Netkeeping Seal of Approval, yes.

 If there is one thing that will stop telecoms regulators
 from attempting to regulate the Internet, it is this.
 The technical term is industry self regulation.

And it would have the side effect of assembling all of those best
practices in a central place where those occasional operators of
really small networks (like me :-) who care what they are can
conveniently find them.

I'd recommend a wiki.  Running MediaWiki.

But then, I recommend that for all centralized knowledge capture
situations.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth                                       [EMAIL PROTECTED]
Designer                    Baylink                           RFC 2100
Ashworth & Associates       The Things I Think                 '87 e24
St Petersburg FL USA        http://baylink.pitas.com   +1 727 647 1274

  If you can read this... thank a system administrator.  Or two.  --me


Re: Obsolete bogon filtering

2005-03-12 Thread Janet Sullivan

 And it would have the side effect of assembling all of those best
 practices in a central place where those occasional operators of
 really small networks (like me :-) who care what they are can
 conveniently find them.

 I'd recommend a wiki.  Running MediaWiki.

Well, it's not running MediaWiki at the present time, but anyone is 
welcome to add this kind of useful content to the BGP4.net wiki. 
http://www.bgp4.net


Re: Obsolete bogon filtering

2005-03-12 Thread Joe Provo

 If you run any bogon filtering, can you please check your 
 border ACLs and BGP prefix filters to ensure that you're 
 no longer preventing access to 58.0.0.0/8 or 59.0.0.0/8 ?
[snip]

It is useful to point out that APNIC indicates the minalloc 
in 59/8 is /20 and 58/8 is /21.  I see several prefixes 'in 
the wild' which are longer, so where you think you might be 
seeing old bogon filters you are potentially seeing registry 
minalloc filters.

Cheers,

Joe

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE


Re: Obsolete bogon filtering

2005-03-12 Thread Mark Newton

On Sat, Mar 12, 2005 at 04:56:09PM -0500, Joe Provo wrote:

   If you run any bogon filtering, can you please check your 
   border ACLs and BGP prefix filters to ensure that you're 
   no longer preventing access to 58.0.0.0/8 or 59.0.0.0/8 ?
  [snip]
  
  It is useful to point out that APNIC indicates the minalloc 
  in 59/8 is /20 and 58/8 is /21.  I see several prefixes 'in 
  the wild' which are longer, so where you think you might be 
  seeing old bogon filters you are potentially seeing registry 
  minalloc filters.

No, we're announcing 59.167.0.0/17 -- Well shorter than the minalloc
restriction.

We're not dealing with people who are trying to enforce registry
allocation guidelines here (note:  that's allocation guidelines,
not BGP announcement guidelines).  We're just dealing with people
who are potentially too clueless to breathe, who haven't updated
their filters for nearly a year.

Speaking of too clueless to breathe:  DShield.org

On Wednesday I emailed them to tell them that one of their customers
had informed me that they had 58/8 and 59/8 in the blacklists they
publish on their website.

Somewhere along the line whoever read that email had a small neural
collapse immediately afterwards, and imagined that what I had actually
said was, "I am a responsible person in charge of 58/8 and 59/8, and
you may begin sending IDS logs and exploit reports direct to me for
action."

Since then I've received about 250 such email messages, and every 
single one of them pertains to networks which have absolutely nothing
to do with me.  I emailed them on Thursday and Friday to tell them
about their mistake, but they've (thus far) ignored those messages, 
and I have had no further (non-automated) contact from them.

Words fail me.  

Today it got worse:  Apparently they share their database with 
netvigator.com, who send out automated "you're hosting an open
relay" email messages;  So now I'm getting security alerts from two
completely different organizations all telling me that IP addresses
belonging to a bunch of Asian ISPs I've never heard of are attacking
IP addresses belonging to a bunch of American ISPs I've never heard
of.

Ask me whether or not I could care less.  Go on, ask me.  I dare you.

Needless to say my spam filter has been receiving some remedial 
retraining over the last couple of days, and now understands exactly
how to deal with anything from netvigator.com and dshield.org.

It's things like this that really point out that most of the Internet
is under the custodianship of total amateurs.  It's really disappointing
to see the level of abject cluelessness I've found surrounding this
topic;  There are *SO MANY* people out there who have read in a book
somewhere that they should be blocking a few things, so they've just
blocked 'em without any further thought.  Even some Serious Blue-Chip
Multinationals appear to have professional Network Security divisions
who really should know better, but don't.  It's a real eye-opener.

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223


Re: Obsolete bogon filtering

2005-03-11 Thread Michael . Dillon

 2. People would have a list of sites that were known to be of less
 clue than most. This might help them make purchasing decisions in the
 future.

Are you suggesting that NANOG should publish a set
of operational best practices and then only offer
the NANOG seal of approval to companies which adhere
to those best practices?

If there is one thing that will stop telecoms regulators
from attempting to regulate the Internet, it is this.
The technical term is industry self regulation.

--Michael Dillon



Re: Obsolete bogon filtering

2005-03-11 Thread Jon Lewis

On Fri, 11 Mar 2005, Simon Lyall wrote:

 1. People would have a list of phone numbers to call every time a change
 was made.

 2. People would have a list of sites that were known to be of less
 clue than most. This might help them make purchasing decisions in the
 future.

In my experience with 69/8, most of the problem sites were end users
rather than service providers...though in some cases, those end users were
things like parts of the US Military and NASA, etc.  The only provider I
remember running into that had a static bogon issue was fast.net, but they
don't even exist anymore AFAIK, as they were bought by USLEC.

So while the list would be useful as a contact list for those affected, I
doubt it's going to influence anyone's transit buying decisions.

--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Obsolete bogon filtering

2005-03-10 Thread Rob Thomas

Hi, NANOGers.

] If you run any bogon filtering, can you please check your border ACLs
] and BGP prefix filters to ensure that you're no longer preventing 
] access to 58.0.0.0/8 or 59.0.0.0/8 ?

Folks can keep up with the bogon filters through a wide variety of
means.  We have HTTP, DNS, RADb objects, RIPE NCC objects, and
text files.

   http://www.cymru.com/Bogons/

It can be even easier still!  Why not automate the process of
bogon filter updates, thus avoiding the shame of filtering good
folks such as Mark?  :)  Take a peek at our Bogon route-server
project at the following URL.

   http://www.cymru.com/BGP/bogon-rs.html

Thanks,
Rob, for Team Cymru.
-- 
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
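
The audit Rob asks for (is 58/8 or 59/8 still in your filters, and if so, why) is easy to script once the filter and a current bogon list are both machine-readable. The following Python is an added example, not code from this thread, from Team Cymru or from any of the posters: it parses a constructed Cisco-style prefix-list (a hypothetical config), classifies every deny as martian, current bogon, stale bogon or length policy, lists the stale entries, and walks a prefix through the list first-match the way a router would. It also makes the Joe Provo / Mark Newton exchange concrete: 59.167.0.0/17 is rejected by the stale 59/8 entry, while a /21 in the same block is rejected by the APNIC /20 minalloc rule only once the stale entry is gone. CURRENT_BOGONS is a constructed snapshot, not the real Team Cymru list; the sequence numbers and list name INBOUND are likewise invented.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Space that is martian by definition and belongs in a filter permanently
# (0/8, RFC 1918, loopback, link-local, TEST-NET, multicast and Class E).
PERMANENT = [IPv4Net(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3")]

# Constructed stand-in for a freshly fetched "unallocated" bogon list. It is
# illustrative only, not Team Cymru's data; what matters here is that 58/8
# and 59/8 are no longer on it.
CURRENT_BOGONS = [IPv4Net(p) for p in
                  ("1.0.0.0/8", "2.0.0.0/8", "5.0.0.0/8", "23.0.0.0/8")]

# Constructed Cisco-style prefix-list (hypothetical config): martians, two
# /8 bogon entries that went stale when 58/8 and 59/8 were allocated, and a
# registry-minalloc rule (APNIC /20 in 59/8) that denies only more-specifics.
SAMPLE_PREFIX_LIST = """\
ip prefix-list INBOUND seq 5 deny 0.0.0.0/8 le 32
ip prefix-list INBOUND seq 10 deny 10.0.0.0/8 le 32
ip prefix-list INBOUND seq 15 deny 127.0.0.0/8 le 32
ip prefix-list INBOUND seq 25 deny 172.16.0.0/12 le 32
ip prefix-list INBOUND seq 30 deny 192.168.0.0/16 le 32
ip prefix-list INBOUND seq 35 deny 224.0.0.0/3 le 32
ip prefix-list INBOUND seq 40 deny 58.0.0.0/8 le 32
ip prefix-list INBOUND seq 45 deny 59.0.0.0/8 le 32
ip prefix-list INBOUND seq 50 deny 59.0.0.0/8 ge 21
ip prefix-list INBOUND seq 100 permit 0.0.0.0/0 le 24
"""

ENTRY_RE = re.compile(
    r"ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$")


@dataclass
class Entry:
    seq: int
    action: str
    net: IPv4Net
    ge: int      # smallest prefix length the entry matches
    le: int      # largest prefix length the entry matches
    text: str


def parse_prefix_list(text: str) -> List[Entry]:
    """IOS ge/le semantics: neither -> exact length; ge only -> ge..32;
    le only -> prefixlen..le; both -> ge..le."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        net = IPv4Net(m["net"], strict=False)
        ge = int(m["ge"]) if m["ge"] else net.prefixlen
        le = int(m["le"]) if m["le"] else (32 if m["ge"] else net.prefixlen)
        entries.append(Entry(int(m["seq"]), m["action"], net, ge, le, line.strip()))
    return entries


def entry_matches(e: Entry, prefix: IPv4Net) -> bool:
    return prefix.subnet_of(e.net) and e.ge <= prefix.prefixlen <= e.le


def classify(e: Entry) -> str:
    """Why a deny entry exists, so stale bogons can be told from policy."""
    if e.action != "deny":
        return "permit"
    if e.ge > e.net.prefixlen:
        return "length-policy"   # minalloc-style: denies only more-specifics
    if any(e.net.subnet_of(p) for p in PERMANENT):
        return "martian"
    if any(e.net.subnet_of(b) for b in CURRENT_BOGONS):
        return "bogon"
    return "stale"               # blocks space that has since been allocated


def stale_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if classify(e) == "stale"]


def evaluate(entries: List[Entry], prefix: str) -> Tuple[str, Optional[Entry]]:
    """First match wins, as on the router; implicit deny if nothing matches."""
    p = IPv4Net(prefix)
    for e in entries:
        if entry_matches(e, p):
            return e.action, e
    return "deny", None


def explain(entries: List[Entry], prefix: str) -> str:
    action, e = evaluate(entries, prefix)
    if e is None:
        return f"{prefix}: deny (implicit)"
    return f"{prefix}: {action} by seq {e.seq} [{classify(e)}] {e.text}"


if __name__ == "__main__":
    entries = parse_prefix_list(SAMPLE_PREFIX_LIST)
    for e in stale_entries(entries):
        print("stale entry:", e.text)
    cleaned = [e for e in entries if classify(e) != "stale"]
    for pfx in ("59.167.0.0/17", "59.167.0.0/21", "10.1.0.0/16"):
        print("before:", explain(entries, pfx))
        print("after: ", explain(cleaned, pfx))
```

The classification is what keeps the two failure modes in this thread apart: an entry tagged "stale" is the write-once template Mike Leber describes, and should simply be removed (or replaced by a feed from the bogon route-server), whereas an entry tagged "length-policy" is a deliberate minalloc rule that will still reject a /21 in 59/8 after the cleanup, which is Joe's point. Note also that the constructed list has no entry for 5/8 although it is on CURRENT_BOGONS, so the same script can be extended to report bogons the filter is missing, not only entries it should no longer have.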



Re: Obsolete bogon filtering

2005-03-10 Thread Simon Lyall

On Thu, 10 Mar 2005, Rob Thomas wrote:
 Folks can keep up with the bogon filters through a wide variety of
 means.  We have HTTP, DNS, RADb objects, RIPE NCC objects, and
 text files.

I think this has been posted here more than a few dozen times. Perhaps a
list of sites/Nocs that do not automate their updates could be kept so:

1. People would have a list of phone numbers to call every time a change
was made.

2. People would have a list of sites that were known to be of less
clue than most. This might help them make purchasing decisions in the
future.


-- 
Simon J. Lyall.  |   Very  Busy   |   Mail: [EMAIL PROTECTED]
To stay awake all night adds a day to your life - Stilgar | eMT.



Re: Obsolete bogon filtering

2005-03-10 Thread Mike Leber


On Fri, 11 Mar 2005, Simon Lyall wrote:
 On Thu, 10 Mar 2005, Rob Thomas wrote:
  Folks can keep up with the bogon filters through a wide variety of
  means.  We have HTTP, DNS, RADb objects, RIPE NCC objects, and
  text files.
 
 I think this has been posted here more than a few dozen times. Perhaps a
 list of sites/Nocs that do not automate their updates could be kept so:
 
 1. People would have a list of phone numbers to call every time a change
 was made.
 
 2. People would have a list of sites that were known to be of less
 clue than most. This might help them make purchasing decisions in the
 future.

Hmm, one wonders if the static security template has over time become
responsible for more realized loss of connectivity than the attacks it
theoretically protects against.

Perhaps it should be distributed with only a martian and RFC1918 filter,
and not the unallocated space, if everybody knows that people apply it in
a write once configuration manner.

Mike.

+- H U R R I C A N E - E L E C T R I C -+
| Mike Leber   Direct Internet Connections   Voice 510 580 4100 |
| Hurricane Electric Web Hosting & Colocation   Fax 510 580 4151 |
| [EMAIL PROTECTED]   http://www.he.net |
+---+



Re: Obsolete bogon filtering

2005-03-10 Thread Christopher L. Morrow


On Thu, 10 Mar 2005, Mike Leber wrote:
 On Fri, 11 Mar 2005, Simon Lyall wrote:
  On Thu, 10 Mar 2005, Rob Thomas wrote:
   Folks can keep up with the bogon filters through a wide variety of
   means.  We have HTTP, DNS, RADb objects, RIPE NCC objects, and
   text files.
 Perhaps it should be distributed with only a martian and RFC1918 filter,
 and not the unallocated space, if everybody knows that people apply it in
 a write once configuration manner.


or there's always that Internet driver's license concept... except you'd
need a new class to take care of 'network operators', like 'limo' or 'bus'
citations on car licenses.

Seriously though, perhaps Puck.nether.net or Mr. Lewis's 69box could be a
good site to host 'slow filter updaters' contact info?


Re: Obsolete bogon filtering

2005-03-09 Thread Mark Newton

On Thu, Mar 10, 2005 at 11:51:40AM +1030, Mark Newton wrote:

  If you run any bogon filtering, can you please check your border ACLs
  and BGP prefix filters to ensure that you're no longer preventing 
  access to 58.0.0.0/8 or 59.0.0.0/8 ?

Further to this: 

If anyone from EV1 hosting is reading this, please get in touch ASAP?
We've been talking to a few of your front-line tech support people 
for a couple of days now, and while it's been fun, we'd kinda like to
stop doing that and start talking to someone who acknowledges that 
there's a problem here and knows how to fix it :-)

Thanks,

  - mark

-- 
Mark Newton   Email:  [EMAIL PROTECTED] (W)
Network Engineer  Email:  [EMAIL PROTECTED]  (H)
Internode Systems Pty Ltd Desk:   +61-8-82282999
Network Man - Anagram of Mark Newton  Mobile: +61-416-202-223