[AusNOG] New /21 on Bogan / Delinquent Lists
mark.smith at team.adam.com.au
Wed Sep 16 14:50:33 EST 2009
Shaun Dwyer wrote:
> On 16/09/2009, at 11:44 AM, Mark Smith wrote:
>> Shaun Dwyer wrote:
>>> What happened to the APNIC de-bogon project?
>>> I'd argue that APNIC's should be pro-active in de-bogon'ing */prior/
>>> * to allocating the IP space. The range should be at least 90%
>>> routable prior to being allocated.
>> That's the thing. In no way do APNIC have any responsibility for or
>> input into the decision to deploy these bogon filters, so why should
>> they have the obligation to get them fixed? It isn't practical to
>> thoroughly test before hand anyway - obviously nobody can test every
>> website and every mail server on the Internet for broken bogon
>> filters. Unfortunately reaction upon discovery, by notifying the
>> website/mail server operator, is the method that has the most chance
>> of success. That's what we've done when we've had to give our ADSL
>> customers those addresses.
> I agree, however, some basic routability testing would be nice before
> assigning something thats significantly broken 'out of the box' would
With what we've experienced, routing usually works for these ranges,
it's bogon filters on the end-nodes that are more often the problem.
> What do your subscribers say when they can't reach 90% of what they
> expect? How does this affect your bottom line?
We explain why it has happened, and that as we don't own or operate the
whole of the Internet, we're not in charge of everything attached to it
(remember, these are mum-and-dad type residential Internet customers, so
they may not even understand that no one particular organisation runs
the whole thing). Bouncing a customer to another address in the dynamic
pools usually gets them going, and we then start firing off emails. If
operator emails in whois etc. didn't work, on the few occasions I worked
on these issues directly, I started emailing CEOs, the company's VC's
etc. - anybody who cared or should have cared about having happy users
of their services :-)
> How long does it realistically take to get your ranges out of bogon
> filters after you are assigned the new range?
It'll take longer the more customers you have who're accessing more
websites. So as an ISP with ADSL customers in the 10s of 1000s, it
seemed to take about 6 to 8 months last time we had that issue. I took
the service impact notice down after 12 months.
>>> It shouldn't be left to the poor network operators who get assigned
>>> new IPs to contact NOCs and get it de-listed.
>> Agree, but we have no choice. We're the collateral damage from this
>> "friendly fire". Educating people not to cause the problem in the
>> first place is ultimately the best way to avoid it.
> 100% agree, if you implement a bogon filter, you should be responsible
> and keep it up to date. As Paul Baker has pointed out, team-cymru's
> BGP bongon server is a maintenance-free option. (Thanks Paul!)
> Staff cutbacks with increasing workloads make priorities change;
> unfortunately network maintenance for this sort of thing can become a
> very low priority as it can easily go un-noticed. Plenty of examples
> of this.
>> (Jumping on the recent licensed Internet user bandwagon, maybe there
>> should be a license to be able to build and operate the Internet
>> too. "What is usenet?" could be one of the questions :-) )
> Would be nice ;)
>>> Additionally, it wouldn't take much to do this testing. A single
>>> linux server with some scripts and quagga is all it'd take.
>>> In the case mentioned below about telstra's SMTP servers blocking
>>> the allocated range... that should be done with prefix lists at BGP
>>> peering points, not at firewall/application level.
>>> RSS feed for bogon list anyone?
>>> On 16/09/2009, at 10:02 AM, Nathan Brookfield wrote:
>>>> I agree, it is certainly no fault of APNIC but they were initially
>>>> less than helpful when I advised them that we were having severe
>>>> routing issues a week after the allocation was issued.
>>>> I have had a great response from users on the group and I
>>>> appreciate everyone who has contacted me directly, you've all been
>>>> a great help.
>>>> -----Original Message-----
>>>> From: Mark Smith [mailto:mark.smith at team.adam.com.au]
>>>> Sent: Wednesday, 16 September 2009 9:44 AM
>>>> To: Nathan Brookfield (SAU)
>>>> Cc: ausnog at ausnog.net <mailto:ausnog at ausnog.net>
>>>> Subject: Re: [AusNOG] New /21 on Bogan / Delinquent Lists
>>>> Nathan Brookfield wrote:
>>>>> Hi All,
>>>>> I know this is a bit of an unusual request, not something I see
>>>>> on AUSNOG regularly but we have had the very unfortunate luck of
>>>>> being assigned a /21 from APNIC within the last 2 months which we
>>>>> are now slowly starting to assign to customers.
>>>> A bit of "spam" to operator lists isn't unreasonable for this sort
>>>>> When the first customer was put onto this subnet they advised
>>>>> that traffic from our network to ExeTEL appeared to be null
>>>>> routed into a blackhole so after raising a ticket with ExeTEL I
>>>>> quickly found out that the allocation had been blacklisted some
>>>>> years back for malicious activity, over the last weeks we have
>>>>> been escalating issues to Singtel and a long laundry list of
>>>>> other peers who have the prefix blocked.
>>>>> Today we are dealing with Telstra who have the prefixed denied on
>>>>> all SMTP servers which has been fun but looks like it’s almost
>>>>> at an end.
>>>>> Can I please reach out to all Sys Admins on the group to check
>>>>> your networks and if you are blocking 22.214.171.124/21 if you
>>>>> could please allow traffic from this subnet back into your
>>>>> APNIC of course are no help, the fact it appears this subnet is
>>>>> less than 90% routable does not help as they just won’t re-issue
>>>>> the allocation plus we are too far past that stage now ☹
>>>> We've that trouble a few times over the last couple of years, but I
>>>> don't think APNIC are at any fault at all for it. They send out
>>>> notifications about new address ranges they're going to allocate
>>>> 12 months in advance to a number of operator forums (I think this
>>>> included). I think it's lazy sys/netadmins who are at fault - if
>>>> going to put these sorts of blackholing measures in place, they
>>>> need to
>>>> fulfill the ongoing obligation they've created to keep the up to
>>>> If they're not going to do that, then they shouldn't cause trouble
>>>> the rest of us by doing it in the first place.
>>>> AusNOG mailing list
>>>> AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
More information about the AusNOG