Hi, I'm trying to get rid of the section called 'Advertised IANA Reserved Addresses' in the 'RIPE NCC Region Weekly Routing Report'. Since about some time I'm watching very interested how these networks are still 'annoucable'. I have implemented a ingress-BGP filter list that tell a syslogger to show all 'reserved-IP-space' announcements. Since the advent of the RIS, it is even better to have some kind of evidence which AS did announce when these networks. There is basically nothing wrong with making mistakes, but I'm starting to believe that some networks are being misused for spam or other annoyances. Please have a look to the last week's list: ---------------------------------- Network Origin AS Description 39.96.40.224/30 14408 iCAIR 65.56.64.0/21 2941 Community News Service 109.177.9.0/24 1785 Sprint ICM 219.91.160.0/22 7742 InternetNow, Inc. 219.91.164.0/23 7742 InternetNow, Inc. Funny enough that the RIS-database shows the following path for one of these networks: A 109.177.9.0/24 2000-06-13 13:24:25 212.20.151.253 13129 3549 6347 10664 A 109.177.9.0/24 2000-06-13 15:10:28 192.65.184.3 513 209 701 10664 A 109.177.9.0/24 2000-06-13 15:10:28 195.8.100.22 8259 5413 2828 701 10664 Always AS10664 as being the origin-AS. Wonder, why there is no such AS listed in ARIN's database as well?! There are small blocks, and I'm even missing some, which I'm seeing constantly in variations: Jun 15 19:23:57.558 MET_DST: %SEC-6-IPACCESSLOGNP: list 121 denied 0 1.1.1.0 -> 255.255.255.0, 2 packets Jun 15 19:28:57.740 MET_DST: %SEC-6-IPACCESSLOGNP: list 121 denied 0 1.1.1.0 -> 255.255.255.0, 2 packets If we want to try get some of this stuff out of the backbone and even decrease some (unnecessary) BGP-traffic, why not publish a 'ingress BGP-filterlist' that is endorsed by the RIPE-wg, RIPE or the community at large? What it basically does is: 1. Reject illegal prefixes (127/8, 0/0, RFC1918, etc.) 2. Log orginiators (if wanted) 3. Decrease SPAM-complaints 4. Prevent abuse It's low on CPU (it's no IP filter-list!), just a BGP-ingress filter. I have even added some prefix-length filter, but this is another topic, and depends on your upstream's policy. (I just can't stand /32s in the table!). Kurt -- noris network GmbH | Deutschherrnstr. 15-19 | 90429 Nuernberg Tel. (0911) 27738-0 | Fax. (0911) 27738-100 | kurt@noris.net %IDS-4-IP_IMPOSSIBLE_SIG: Sig:1102:Impossible IP Packet
Hi Kurt, At 22:05 16/06/00 +0200, Kurt Kayser wrote:
Hi,
I'm trying to get rid of the section called 'Advertised IANA Reserved Addresses' in the 'RIPE NCC Region Weekly Routing Report'. <snip> If we want to try get some of this stuff out of the backbone and even decrease some (unnecessary) BGP-traffic, why not publish a 'ingress BGP-filterlist' that is endorsed by the RIPE-wg, RIPE or the community at large?
How about http://www.ietf.org/internet-drafts/draft-manning-dsua-03.txt which is a very good start for a list which should be applied on all external BGP peerings (inbound and outbound). A draft I would certainly like to see as a BCP RFC.... Maybe this working group could consider something like this as a recommendation to "the community", like RIPE-210 flap dampening parameters?
What it basically does is:
1. Reject illegal prefixes (127/8, 0/0, RFC1918, etc.) 2. Log orginiators (if wanted) 3. Decrease SPAM-complaints 4. Prevent abuse
It's low on CPU (it's no IP filter-list!), just a BGP-ingress filter.
I could post a Cisco prefix-filter list based on Bill Manning's draft, if that would help. It would certainly help with 1 and 2. It may also be a service if ISPs with Cisco routers could apply "bgp neigh <x> remove-private-AS" on eBGP peerings so that origin private ASes (>64511) aren't leaked to the Internet.
I have even added some prefix-length filter, but this is another topic, and depends on your upstream's policy. (I just can't stand /32s in the table!).
Some ISPs go as far as filtering on the regional registries minimum allocation sizes, and the unused former A space. However, I think this needs a little more diligence in following changes in registry policy (APNIC recently moved from /19 to /20), any address space returned to the common pool, and any new /8s being allocated to registries for distribution purposes. Happily the announcements are much cleaner this week (certainly from the view used in producing the weekly routing reports). This morning I only saw the attached. philip -- List of Illegal AS's (Global) ----------------------------- Bad AS Designation Network Transit AS Description 64602 PRIVATE 63.236.57.0/24 209 Qwest 64601 PRIVATE 63.236.90.0/24 209 Qwest 64513 PRIVATE 200.12.17.0/24 6471 ENTEL CHILE S.A. 65014 PRIVATE 208.185.113.0/24 6461 AboveNet Communicati Advertised IANA Reserved Addresses ---------------------------------- Network Origin AS Description 39.96.40.224/30 14408 iCAIR 65.56.64.0/21 2941 Community News Service -------------------------------------------------------- Philip Smith ph: +61 7 3238 8200 Consulting Engineering, Office of the CTO, Cisco Systems --------------------------------------------------------
Hi Kurt,
At 22:05 16/06/00 +0200, Kurt Kayser wrote:
Hi,
I'm trying to get rid of the section called 'Advertised IANA Reserved Addresses' in the 'RIPE NCC Region Weekly Routing Report'. <snip> If we want to try get some of this stuff out of the backbone and even decrease some (unnecessary) BGP-traffic, why not publish a 'ingress BGP-filterlist' that is endorsed by the RIPE-wg, RIPE or the community at large?
How about http://www.ietf.org/internet-drafts/draft-manning-dsua-03.txt which is a very good start for a list which should be applied on all external BGP peerings (inbound and outbound). A draft I would certainly like to see as a BCP RFC.... Maybe this working group could consider something like this as a recommendation to "the community", like RIPE-210 flap dampening parameters?
I'd second Philip's suggestion .. though, the question I have is exactly what are the authorities or the 'the community' doing to apply due pressure on the originators to filter bogus announcements from their tables before passed on to external peers ? prevention is far better than cure. This is not to suggest that we discard preventative measures. Rush --
participants (3)
-
Kurt Kayser -
Philip Smith -
Rushdul Mannan