Slashdot Mirror


The 69/8 Networking Problem

jaredmauch writes "A number of networking providers who receive address space from ARIN have been having problems with their recent IP space allocations. This is a result of outdated filters that applied a few years ago during the boom time of the net, but have not been updated to reflect the current state of the network. Here is a paper that documents some of the problems this filtering is causing providers."

182 comments

  1. heh by ergonal · · Score: 3, Funny

    Wine me, dine me, 69/8 me!

    1. Re:heh by _ph1ux_ · · Score: 4, Funny

      no no no - we're talking about networks here buddy. So it's:

      Ping me, finger me, 69/8 me!

    2. Re:heh by Anonymous Coward · · Score: 0

      hehe, my .plan says simply "stop fingering me"

    3. Re:heh by Anonymous Coward · · Score: 0

      unzip me; mount me; fsck me...

    4. Re:heh by Anonymous Coward · · Score: 0

      Why is 6 afraid of 7?

      Because 7 8 9!

  2. Devalued IP Space? by numbski · · Score: 4, Insightful

    I'm just looking over this, since I'm looking to purchase some IP's from my upstream provider. It seems to be that these IP's are somewhat devalued since areas of the net have blacklisted them.

    Sort of like a tarnished credit record I guess. These IP's won't be of the greatest value for a few years until the rest of the net catches up.

    The IP's would be for home broadband use too. I'll be personally avoiding that IP range. :(

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:Devalued IP Space? by Sandman1971 · · Score: 2, Interesting

      You can't purchase IPs anymore. All IPs are now RENTED from the ISP in question. With routing protocols the way they are, there are very few portable classes available, and those are grandfathered. You can no longer buy a class and expect to keep it if you change providers. The IPs belong to the ISP/provider. All you're doing is renting them.

      --
      It's better to burn out than to fade away
    2. Re:Devalued IP Space? by Anonymous Coward · · Score: 0

      if you're big enough you can still get space directly from arin. that space is portable across isp's.

    3. Re:Devalued IP Space? by Black+Copter+Control · · Score: 1
      if you're big enough you can still get space directly from arin. that space is portable across isp's.

      If you're big enough to get address space directly from ARIN, chances are that you are an ISP.

      --
      OS Software is like love: The best way to make it grow is to give it away.
    4. Re:Devalued IP Space? by Binestar · · Score: 2, Insightful

      You can get your own IPs directly from ARIN. But I guess others know that too because you were modded to 5 when I started writing this post, and when I posted it you were back to 4. There really needs to be a "-1 incorrect information" moderation.

      --
      Do you Gentoo!?
    5. Re:Devalued IP Space? by Sandman1971 · · Score: 4, Interesting

      Sure you can. But you also have to remember that most backbone providers will not accept BGP advertisements smaller than /19 (32 Class Bs). To get that kind of range at ARIN, you have to prove something like 75% utilisation now, and up to 100% utilisation within 3 months. So unless you're an ISP/backbone/server/web farm or a big company, you'll have a tough time proving you need 8 class Bs.

      --
      It's better to burn out than to fade away
    6. Re:Devalued IP Space? by Sandman1971 · · Score: 1

      I forgot to add:

      That is, unless you don't mind not being routed by more than half the backbones on the Internet, since most only accept /19 or bigger BGP advertisements.

      And yes, I do know what I'm talking about, being an ex-WAN Admin and current sysadmin for a big national backbone provider.

      --
      It's better to burn out than to fade away
    7. Re:Devalued IP Space? by Feyr · · Score: 1

      here we do have a few of our classes directly assigned to us, and some others are rented from the upstream. long assigned to us tho :P

      offtopic, how would i go about getting those ip rerouted (if we ever decided to move to another upstream), the "portable" ones i mean :P

    8. Re:Devalued IP Space? by Sandman1971 · · Score: 1

      So unless you're an ISP/backbone/server/web farm or a big company, you'll have a tough time proving you need 8 class Bs

      Sorry, I meant 32 class Bs, not 8.

      --
      It's better to burn out than to fade away
    9. Re:Devalued IP Space? by Thundar · · Score: 1

      I actually thought you meant class C's. But hey maybe someone changed the classes from B being a /16 to it being a /24 and I missed the memo...

    10. Re:Devalued IP Space? by Cramer · · Score: 1

      While that used to be true -- Sprint wouldn't accept anything longer than /19 because their routers didn't have the memory for it, it's not true anymore as modern routers can hold a great deal of memory. The generally accepted rule is not to do BGP for anything less than a /24. Anything less than /20 is not guaranteed to be globally routable but generally is.

      As I point out to (stupid) customers: Anything smaller than a /20 may not be globally routable; Do not complain to me if there are places on the net to which you cannot connect.

      And point-of-fact, the BGP routing spew from SAVVIS has things as small as /29's in it. *sigh*

    11. Re:Devalued IP Space? by Sandman1971 · · Score: 1

      Yeah, I meant class Cs, not class Bs. Note to self: Don't post when suffering from lack of sleep.

      --
      It's better to burn out than to fade away
    12. Re:Devalued IP Space? by Michael+Hunt · · Score: 1

      Surely you mean 32 class Cs? (where 24-19=5, and 2^5=32.)

      There are large parts of 203 (203/10 if memory serves,) all of 192 except for the RFC 1918 bits, and several other blocks which most backbone networks will accept up to a /24.

      I have NFI about ARIN, being Australian, but APNIC (the same thing for these parts) has several provisions for getting large blocks of IPs without too much justification ('new service' applications etc.)

      I believe that most registries also allocate the bottom /20 of a /19 and allow you to advertise it as a /19, provided you can justify up to a /20.

    13. Re:Devalued IP Space? by SN74S181 · · Score: 1

      I own a block of 256 ethernet addresses, though.

      Some time ago someone posted on Usenet that they had been allocated blocks of them, and had spares to give away. I requested a block, and use them when I replace the NVRAM in Sparc Boxes.

      Not the same thing, I know.

    14. Re:Devalued IP Space? by jaredmauch · · Score: 1

      Verio is one of the remaining providers that performs filtering. These filters currently extend out to /22. You can view their peer filtering policy here

    15. Re:Devalued IP Space? by Florian+Weimer · · Score: 1

      Sure you can. But you also have to remember that most backbone providers will not accept BGP advertisements smaller than /19 (32 Class Bs).

      A /19 is a lot smaller than a former Class B subnet, and obviously, you can't filter everything longer than /19. For example, you simply can't do this in the former Class C swamp space.

      Of course, in reality, the backbone providers are those who contribute most to the unnecessary growth of the routing table because they do not properly aggregate announcements.

    16. Re:Devalued IP Space? by adri · · Score: 3, Informative

      You _can_ get lucky if you're _near_ the provider in question with the superblock you're in.

      Example: Say you've got x.x.x.0/24 out of x.x.0.0/16.
      Now, if people ignore your announcement they're going to send traffic towards the provider announcing x.x.0.0/16. Somewhere along the way a network in the path might actually be paying attention to your routes, and your traffic gets shuffled towards you.

      (But then, somewhere between THERE and you might be a network which doesn't pay attention and it heads back towards the /16 announcement.)

      In short - remember, routing is hop-by-hop. Just because n-1 nodes in the path are listening to the announcement, things don't have to work. Similarly things might be working even if a node in the path isn't listening.

      Now, some more facts - do some googling to determine meanings behind some terms/acronyms:

      * the whole internet isn't populated with /20s and larger. In fact, there's still a lot of historical "swamp space" - see 203.0.0.0/10 (Australia). It's full of /24s. They're still globally visible because when the "nazi" filters were making the rounds at NANOG a while back.) If you're resourceful you might find the filters Randy Bush made up whilst working at Verio (i think!) which limited netmask lengths based on prefixes. So, fe, large chunks of space had a /19 limitation but the swamp space didn't. It was copied, verbatim, into many Cisco routers.

      * Mass BGP filtering isn't to protect memory usage, it's also to protect update times. Those CPUs can only _talk_ to neighbouring routers at speeds much below the linerates of cards (even today! :) and so taking 20 minutes to pull in a full BGP table would be 20 minutes where most routers performed in a degraded state. (yes, routers today are increasingly using separate lookup, forwarding and data paths, but..)

      * For a fun bit of historical information do some google searching for the AS7007 incident (or the mass deaggregation/redistribution incident.) Basically someone confed up a router, deaggregated large chunks of IP space into /24s and started locking up parts of the internet. Unfortunately due to bugs in software and non-instant propagation times these announcements just kept going round and round. Eventually netadmins had to coordinate with each other to shut down large parts of the internet "backbone" (there was a definable one, mostly, back then) to purge the announcements and then bring stuff back up again.

      Phew. I drifted a bit there. I find it interesting to listen and learn about things like this so one doesn't make the mistake in other fields.

    17. Re:Devalued IP Space? by ingvar · · Score: 1

      Based on practical experiments with announcing one specific /24 out of a /17 via another transit provider, it does seem as if a /24 will be visible over large portions of the net.

    18. Re:Devalued IP Space? by ePhil_One · · Score: 1
      Yeah, I meant class Cs, not class Bs. Note to self: Don't post when suffering from lack of sleep.

      Yeah, I was wondering why the backbone providers were carrying less than 2,000 route advertisements... :^)

      --
      You are in a maze of twisted little posts, all alike.
    19. Re:Devalued IP Space? by kindbud · · Score: 1

      You're wrong. Portable blocks are allocated all the time. ARIN always disclaims that any block they allocate is globally routeable, however. But they disclaim that for all blocks, including the old ones allocated in ancient times. So the next allocation of a /19 has the same guarantee of portability that 4/8 does: none at all.

      --
      Edith Keeler Must Die
    20. Re:Devalued IP Space? by monkeydo · · Score: 1

      Example: Say you've got x.x.x.0/24 out of x.x.0.0/16.
      Now, if people ignore your announcement they're going to send traffic towards the provider announcing x.x.0.0/16. Somewhere along the way a network in the path might actually be paying attention to your routes, and your traffic gets shuffled towards you.


      I would say in this case the provider's advertisement is screwed up. Why are they advertising a /16 if they don't have all the space under it?

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    21. Re:Devalued IP Space? by adri · · Score: 1

      Well, it's what would happen if you asked, really nicely, to multihome some upstream-allocated network block.

      Ie, ISP A has a /16. They give you, B, a /23. B decides to multihome with it and ISP grants them permission to - it _can_ happen, it _does_ happen albeit infrequently (thank universe!).

    22. Re:Devalued IP Space? by Cramer · · Score: 1

      Actually, it happens all the time. We have five (5) sub-delegations from UUNET (3 /21's, 2 /22's) that are "ours" (as long as we have a link with UUNet) to announce as we want. I've not actually tested this, but I would assume we could stop announcing them to UUNet. Digex (I know, not the brightest bulb on the tree) once screwed things up -- removed a static route and refused to put it back -- and we had to announce our piece of their address space back to them.

      We have customers bringing other people's address space to us and carrying our space to others. On the whole, it's rare.

    23. Re:Devalued IP Space? by monkeydo · · Score: 1
      Yeah, but that isn't the scenario you originally described.

      You _can_ get lucky if you're _near_ the provider in question with the superblock you're in. ...
      (But then, somewhere between THERE and you might be a network which doesn't pay attention and it heads back towards the /16 announcement.)


      I don't know what your setup looks like, but I don't have any transit networks between me and my providers.
      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
    24. Re:Devalued IP Space? by Cramer · · Score: 1

      It was for memory. I was there. The "rule" existed before that little snafu, however, Sprint hadn't deployed the filter globally. (your sub-/19 network would work within Sprint but not leave their network.) There are other reasons for the limits, but memory is why Sprint actually did it. There's a limit to the amount of memory one can put in a Cisco 7000 (yes, seven zero zero zero... the 68040 powered pack-mule of the internet past). When it runs out of memory, very bad things start happening.

      For an example, check 64.243.14.0/24 from various route servers... I know there are many more, but that's the first one I could find. Both the provider and "backup" MUST announce the specific /24 as it is more specific than the /20 summary announcement. But, yes, anyone ignoring the /24 would always head towards the /20 and would be unable to connect should that link break.

    25. Re:Devalued IP Space? by Cramer · · Score: 1

      It has to do with routing logic rules... the most specific route is preferred. /24 is more specific than /16. Traffic will not be balanced unless both providers announce the /24. (Yes, it's a mess, but only a small one.)

    26. Re:Devalued IP Space? by adri · · Score: 1

      Err, I think my term abuse was a bit wonky.

      If you have an AS path A -> B -> C -> D -> E

      C has a link to this /16 provider - since you've grabbed IP space off an ISP (B) who has grabbed something larger from its upstream provider (C).

      Now, E and D only see the /16 since D is filtering. So,
      from E's perspective the network looks:
      E -> D -> C -> F, F being this provider with the /16.

      ok, now D sees the network as:

      D -> C -> F

      but C sees the network as
      C -> B

      and, since B has subdivided this network block up,
      B -> A

      Used to happen quite frequently out here in Australia.
      Gotta love swamp space.

    27. Re:Devalued IP Space? by monkeydo · · Score: 1

      In your illustration you may run into suboptimal routing near someone who is filtering your advert, but all your packets will likely get through. As long as C or F isn't filtering your adverts I don't see a problem.

      OK, I'm A. I have PA space from B out of their PA space from C out of F's PI space, right? Let's say F has a /16 that they advertise as a /16. They give C a /17 out of that, and C in turn gives a /18 to B who gives me a /24.

      If D is filtering on /19 they will potentially see:
      a /16 with AS path E -> D -> C -> F
      a /17 with AS path E -> D -> C
      a /18 with AS path E -> D -> C -> B

      If they are filtering on /16 they will only see the prefix as advertised by F, but it doesn't really matter, because either an AS along that path will know the proper route (in this case C) or it will get to F (maybe D is peered with F) who will then pass it to C.

      The router on the far end of the world doesn't need to know the full AS path, it really just needs to know a next hop who knows a next hop, etc. We would like it if every router always had enough information to pick the best next hop, but most of the time any next hop will do. That's why filtering and aggregation work at all.

      All of this is great, but filtering isn't a huge problem under most circumstances if you are using PA space, you may not get optimal or desired routing, but the provider who gave you the space will always know how to get to you.

      The issue is if you are multihomed with PA space, and your connection to the provider whose space it is goes down you have AS like E who may still send the traffic to F instead of your secondary provider. Hopefully F is well peered, isn't dropping your advertisements, and you'll still get your packets, but maybe not. The moral of the story is don't multihome with PA space and don't multihome with tier 3's and you won't have these problems.

      --
      Si vis pacem, para bellum
      The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
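
The forwarding behaviour argued over in the comments above, as an added example that is not part of the thread or any poster's code: a small path-vector model in which AS D refuses long prefixes, followed hop by hop with longest-prefix match. The 10.20.0.0/16 address plan and the second provider G are assumptions standing in for the thread's x.x.0.0/16 and "secondary provider".

```python
"""Added example: hop-by-hop forwarding when one AS filters long prefixes."""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed address plan (private space standing in for x.x.0.0/16).
ORIGINS = {
    "F": [ip_network("10.20.0.0/16")],  # holder of the covering block
    "C": [ip_network("10.20.0.0/17")],
    "B": [ip_network("10.20.0.0/18")],
    "A": [ip_network("10.20.5.0/24")],  # the customer's more-specific
}
# A-B-C-D-E chain with F attached to C, as described in the thread.
LINKS_SINGLE = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("C", "F")]
# Same networks after the A-B link fails; A is reachable only through G,
# a hypothetical second provider attached to D.
LINKS_BACKUP_ONLY = [("A", "G"), ("G", "D"), ("B", "C"), ("C", "D"),
                     ("D", "E"), ("C", "F")]


def build_ribs(links, origins, max_len):
    """Path-vector propagation; max_len[asn] is the longest prefix asn imports."""
    nbrs = {}
    for left, right in links:
        nbrs.setdefault(left, []).append(right)
        nbrs.setdefault(right, []).append(left)
    rib = {asn: {} for asn in nbrs}  # asn -> {prefix: AS path starting at asn}
    queue = deque()
    for asn, prefixes in origins.items():
        for prefix in prefixes:
            rib[asn][prefix] = (asn,)
            queue.append((asn, prefix))
    while queue:
        asn, prefix = queue.popleft()
        path = rib[asn][prefix]
        for nbr in nbrs[asn]:
            if nbr in path or prefix.prefixlen > max_len.get(nbr, 32):
                continue  # loop prevention, or the import filter drops it
            candidate = (nbr,) + path
            known = rib[nbr].get(prefix)
            if known is None or len(candidate) < len(known):
                rib[nbr][prefix] = candidate
                queue.append((nbr, prefix))
    return rib


def trace(rib, src, dst, max_hops=16):
    """Follow longest-prefix-match next hops from src; return the AS hop list."""
    addr = ip_address(dst)
    hops = [src]
    while len(hops) <= max_hops:
        here = hops[-1]
        matches = [p for p in rib[here] if addr in p]
        if not matches:
            break  # no covering route: dropped here
        path = rib[here][max(matches, key=lambda p: p.prefixlen)]
        if len(path) == 1:
            break  # 'here' originates its own best match and forwards no further
        hops.append(path[1])
    return hops


if __name__ == "__main__":
    host = "10.20.5.9"  # constructed address inside A's /24
    cases = [
        ("single-homed, D filters at /19", LINKS_SINGLE, {"D": 19}),
        ("single-homed, D filters at /16", LINKS_SINGLE, {"D": 16}),
        ("backup link only, D filters at /19", LINKS_BACKUP_ONLY, {"D": 19}),
        ("backup link only, no filtering", LINKS_BACKUP_ONLY, {}),
    ]
    for label, links, limits in cases:
        hops = trace(build_ribs(links, ORIGINS, limits), "E", host)
        verdict = "delivered" if hops[-1] == "A" else "stranded at " + hops[-1]
        print(f"{label}: {' -> '.join(hops)} ({verdict})")
```

In the single-homed cases E never sees the /24 yet the packet still arrives, because C holds the more-specific route; in the backup-only case with D filtering, the traffic follows the covering prefixes to B and stops there.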
    28. Re:Devalued IP Space? by adri · · Score: 1

      Hey, I agree with you!

      But, this is the internet. It's not meant to be done right. If you'd like a laugh try and find out some information about people building IP "rings" in the late 90s and what BGP did. :-)

  3. what makes this one so important? by melloncollienet · · Score: 0

    ... that'll be like the 82/8 problem as well then. Some damn quest router drops my traffic to dilbert.com.

    1. Re:what makes this one so important? by monsieur+Penguin · · Score: 1

      qwest probably uses 82/8 internally--- like bellsouth uses.. oh what was that network...

    2. Re:what makes this one so important? by Anonymous Coward · · Score: 0

      I use 1.0.0.0/24 internally. Do I get a cookie?

  4. just in case... by Anonymous Coward · · Score: 3, Informative
    1. Re:just in case... by jaredmauch · · Score: 1

      puck is handling the load quite nicely, but thanks for the offer. make sure you check out the atlantic.net split-screen traceroute tool. It's quite cool.

  5. Lets go NANOG force! by Anonymous Coward · · Score: 0

    We're all hopped up on sleeping pills and subnet calculations!

  6. I have a 69/8 address by DetrimentalFiend · · Score: 5, Interesting

    ...and although most places have finally gotten their act together, this is still a bit of a problem for us. Our ISP has been working quite hard to get people to update their filters (the ISP was one of the first to get addresses in this space), but it's still a bit of a problem. Hopefully being on the front page of slashdot will help the problem some.

    1. Re:I have a 69/8 address by oaf357 · · Score: 1

      I feel your pain. I too have had similar problems (not with 69/8). It is a massive pain to explain to people that the security measures they've been using for so long are no good. It's a true pain.

  7. Roll on IPv6 by The+Real+Chrisjc · · Score: 5, Interesting

    I would love everything to be IPv6 now, but it ain't gonna happen for at least 10 years I think. Even new equipment hasn't got IPv6 :(
    That would solve problems like this, and create lots of lovely new ones :/

    If only the world was perfect eh?

    1. Re:Roll on IPv6 by Anonymous Coward · · Score: 1, Interesting

      >That would solve problems like this

      no, it wouldn't. unallocated ip's are still going to be acl'd out as illegal sources until such time as they are allocated regardless of ipv6 vs ipv4.

    2. Re:Roll on IPv6 by silas_moeckel · · Score: 4, Informative

      You're not going to see IPv6 until they figure out how to bill for multicast traffic, as it's REQUIRED to work inside IPv6, not optional like under v4. This is a HUGE problem in implementing it, as you can't bill for it rationally. How much should it cost? Are home users going to be billed per megabit leaving their ISP? If multicast works, lots of the current issues with the net can go away. Think BitTorrent is fast? Think about file send loops via multicast: just join as many as you have bandwidth to receive. All of the routers etc. out there have supported IPv6 for a long time. I can't say that people are really familiar with it, but it could be made to work, but you NEED to be able to fit a billing plan around it before any of the big guys are going to make it work worldwide.

      --
      No sir I dont like it.
    3. Re:Roll on IPv6 by rusty0101 · · Score: 5, Insightful

      What new equipment does not support IPv6?

      BSD, Linux, MacOS X, and Windows XP, all have support for IPv6 in their network stack. Current Cisco IOS supports IPv6.

      There are some applications that go too far into the network stack to properly support IPv6, but those are applications.

      The main stumbling block to IPv6 that I see right now is that very few network people in the US know how to use it. Outside of the US, both in Europe and Asia, IPv6 is being deployed fairly widely, as they do not have the IPv4 address space available and allocated to make use of it except in servers and routers.

      As there are several gateways available, to allow IPv6 clients to access IPv4 servers, I suspect that the demand upon US providers to start supporting IPv6 devices is going to be long in coming.

      With 10 devices in my house that support IP, (live at the moment, several others not currently powered up) I would exceed the available IP addresses my ISP account allows. As a result I am effectively forced to use NAT and private IP address space, even if my ISP would rather I did not. On top of that I don't want to keep a bunch of systems widely available to script kiddies. IPv6 would not solve that problem.

      Then again, that's probably just all opinion on my part.

      -Rusty

      --
      You never know...
    4. Re:Roll on IPv6 by Klaruz · · Score: 1

      The main stumbling block to IPv6 that I see right now is that very few network people in the US know how to use it. Outside of the US, both in Europe and Asia, IPv6 is being deployed fairly widely, as they do not have the IPv4 address space available and allocated to make use of it except in servers and routers.

      Yet another reason the US tech sector is going to fall behind in the coming years. Between complacency and greed, we're done for. I gotta move.

    5. Re:Roll on IPv6 by Wesley+Felter · · Score: 0, Flamebait

      Nothing is really required; after all, there's no "IETF police" that can punish ISPs that don't support multicast.

    6. Re:Roll on IPv6 by shird · · Score: 1

      No, but there are other network providers that may not want to let you connect to them unless you support the protocol fully.

      eg. There is no IETF police stopping DoS attacks, it is technically possible. But do one through a network and all your upstream providers won't be too happy and will want to disconnect you. It's only because it can be done anonymously that the problem exists.

      --
      I.O.U One Sig.
    7. Re:Roll on IPv6 by Wesley+Felter · · Score: 1

      That's even more reason why ISPs won't support multicast. If no ISP supports multicast, then there's no penalty for not supporting it.

    8. Re:Roll on IPv6 by shird · · Score: 1

      Yes, but the existing IPv6 networks do support it.

      --
      I.O.U One Sig.
    9. Re:Roll on IPv6 by Cato · · Score: 2, Insightful

      Even my phone supports IPv6 - it's a Symbian 7.0 smartphone, the SonyEricsson P800, and is widely available in Europe and Asia. See http://www.sonyericsson.com/ for details.

      However, Cisco routers deployed in networks today typically run IOS versions that are pre-IPv6 and the IPv6 IOSes are somewhat less stable than the preferred 'S' train (the 12.2T train is the place for IPv6 at present) and upgrading a whole network is a fairly large undertaking even though it can be done step by step.

      Upgrades will happen incrementally - once European/Asian companies start requiring IPv6, they'll request this of their US ISPs. However, probably the biggest driver is wireless (3G in UMTS R5 in a few years) followed by broadband and home networking, so this may be something that consumer goods manufacturers will get together to drive adoption.

    10. Re:Roll on IPv6 by Omnifarious · · Score: 2, Interesting

      IPv6 could provide almost as much protection as a NAT.

      Every single network gets at least a full /64 in IPv6. 64 bits is a lot of bits. Your devices' IPs wouldn't be guessable. Script kiddies would have to run a very noticeable address scan, and even that would not be likely to find a randomly numbered device in a reasonable amount of time.

    11. Re:Roll on IPv6 by silas_moeckel · · Score: 2, Insightful

      This is true but not supporting multicast means you can't call it IPv6. I say this because if you did sign people up for this new IPv6 option or whatever and don't support multicast to all your IPv6 peers then you could be sued as all you're supporting is IPv6 numbering and that would be deceptive advertising.

      --
      No sir I dont like it.
  8. Not surprising by Anonymous Coward · · Score: 4, Interesting

    Frankly this isn't a big surprise. If IANA gave up another previously reserved netblock like 0.0.0.0/8, 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7, 126.0.0.0/8 or the plethora of other reserved netblocks then they should expect peeps to still have them blacklisted in their personal ACLs. This is only common sense. This isn't exactly news. IANA should have been very forthcoming and gone public with the fact that a previously reserved netblock was no longer reserved PRIOR to selling parts of it. How else would they expect admins like myself to know about the change?

    1. Re:Not surprising by Wild+Wizard · · Score: 1

      0.0.0.0/8 will always be reserved, do the math to see why

    2. Re:Not surprising by gclef · · Score: 4, Insightful

      ARIN did notify the public. ARIN, RIPE, APNIC, etc are often announcing allocations to groups like NANOG. I don't see how much louder they could be. If you're filtering based on their reserved lists, it's your responsibility to keep up with their allocation updates.

      The problem is not the allocator's fault...at least, not directly. The problem is that lots of folks put in filters based on the bogon list at the time of their firewall/soho router install, and promptly forget about the fact that those filters should change (or, more likely, the consultant left).

      There's nothing that ARIN, IANA or anyone else can do to enforce clue at the edge of a network. Hence the problem. If you're not prepared to keep up with groups like NANOG, don't filter unallocated space.
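
The stale-filter problem described in this comment, as an added example that is not part of the thread: a check that compares a static bogon deny list with a snapshot of allocated blocks, reports the entries that now drop legitimate sources, and rebuilds the list with the allocated space carved out. The deny entries are blocks named in this discussion; the allocation snapshot, including 96.0.0.0/8, and the sample source addresses are constructed for illustration and are not a registry feed.

```python
"""Added example: audit a static bogon deny list against current allocations."""
import ipaddress

# Deny list as it might have been pasted into a router at install time.
# The blocks are ones named in this discussion; the selection is constructed.
OLD_ACL = """
0.0.0.0/8
69.0.0.0/8      # reserved when the filter was written
96.0.0.0/4
126.0.0.0/8
"""

# Constructed allocation snapshot. 69.0.0.0/8 is the block the story is about;
# 96.0.0.0/8 is a hypothetical allocation carved out of an aggregated entry.
ALLOCATED = """
69.0.0.0/8
96.0.0.0/8
"""


def parse_nets(text):
    """Parse one CIDR per line; '#' starts a comment; stray host bits raise."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets


def find_stale(acl, allocated):
    """Map each deny entry to the allocated blocks it would wrongly drop."""
    stale = {}
    for deny in acl:
        hits = [alloc for alloc in allocated if deny.overlaps(alloc)]
        if hits:
            stale[deny] = hits
    return stale


def trim_entry(deny, allocated):
    """Return the parts of one deny entry that are still unallocated."""
    remaining = [deny]
    for alloc in allocated:
        kept = []
        for net in remaining:
            if not net.overlaps(alloc):
                kept.append(net)  # untouched by this allocation
            elif net.subnet_of(alloc):
                continue  # entirely allocated now: drop the entry
            else:
                kept.extend(net.address_exclude(alloc))  # split the aggregate
        remaining = kept
    return sorted(remaining)


def rebuild_acl(acl, allocated):
    """Deny list with every allocated block removed from it."""
    rebuilt = []
    for deny in acl:
        rebuilt.extend(trim_entry(deny, allocated))
    return sorted(rebuilt)


def is_dropped(acl, source):
    """True if the deny list would discard a packet from this source address."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in acl)


if __name__ == "__main__":
    acl, allocated = parse_nets(OLD_ACL), parse_nets(ALLOCATED)
    for deny, hits in find_stale(acl, allocated).items():
        print(f"stale: deny {deny} now covers {', '.join(map(str, hits))}")
    new_acl = rebuild_acl(acl, allocated)
    print("rebuilt:", ", ".join(map(str, new_acl)))
    for src in ("69.1.2.3", "96.5.5.5", "97.0.0.1"):  # constructed sources
        print(src, "old:", is_dropped(acl, src), "new:", is_dropped(new_acl, src))
```

Run on a schedule against whatever allocation source the operator trusts, the stale report is the signal that the filter needs an update before users in the new block start complaining.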

    3. Re:Not surprising by Pharmboy · · Score: 1

      now, speaking as someone who doesn't really know shit about this....

      isn't 0.0.0.0 used locally to mean localhost's *.*.*.*? I thought linux services set to 0.0.0.0 just assumed to listen to all IP's on that machine?

      Just curious about this. about to jump up a big notch on the network, and actually need to learn more than I will.

      --
      Tequila: It's not just for breakfast anymore!
    4. Re:Not surprising by silas_moeckel · · Score: 1

      This is why it makes more sense for a dynamic and secure Bogons route feed. Too bad I haven't seen one yet.

      --
      No sir I dont like it.
    5. Re:Not surprising by wayland · · Score: 1

      ...however, I'm not in North America (I'm in Australia). Is there some other group I should be keeping up with, or is NANOG still it?

    6. Re:Not surprising by jmt9581 · · Score: 5, Funny

      Curse slashdot for making me wonder "I Am Not A What?" as I skimmed over this comment . . .

      While IANAL (linguist, not lawyer :) the namespace for acronyms is really becoming overcrowded. :)

      --

      My blog

    7. Re:Not surprising by kyletinsley · · Score: 1

      ARIN did notify the public. ARIN, RIPE, APNIC, etc are often announcing allocations to groups like NANOG. I don't see how much louder they could be. If you're filtering based on their reserved lists, it's your responsibility to keep up with their allocation updates.

      They used to have a link on the home page of their web site clearly showing new blocks that were previously unassigned that were now in use. It was quite useful, I checked it often. Then at some point, they decided that was too useful or something, and redesigned their site, removing that update page.

      They may have since put that feature back on their site, but for a long time (months at least) that information was no longer available in that form. You had to manually check each address range in their WHOIS. (I checked over there extensively for it, googling it and even wget'ing their whole site and grep'ing for changes I knew were listed before.)

      So they may have put such an (easy to check) update page back on their site, but the end result of their 'redesign' is that I stopped checking it a long time ago. And apparently, so have many other people.

      We get complaints every once in a great while from cablemodem users who can't access one of the public servers, and then we'll find out what address they're coming from and see if it's currently filtered, and then remove those restrictions on all servers/firewalls. Has happened twice in the last 2 years I believe.

    8. Re:Not surprising by lucifuge31337 · · Score: 4, Informative

      0.0.0.0/1 means any address between 0.0.0.1 and 255.255.255.254. 0.0.0.0/8 is much different, meaning any address between 0.0.0.1 and 0.255.255.254. So, basically what I'm saying is that it can mean "all IP addresses (in IPv4 space)" or it can denote a smaller subset of addresses beginning at 0.0.0.1, depending on what subnet mask is applied to it.

      The "problem" with using blocks like that are not technical....just like using addresses ending in .0 as valid IP space is also not a problem in the right network blocks.....it's broken sysadmin's understanding of IP that causes issues.

      Oh...and there's that nasty problem of certain addresses lying on boundaries that cause routers that don't properly understand classless routing to choke, but honestly...how many edge devices could possibly be out there that are that dated to still have that problem? At least how many that are in a backbone situation where their being broken would actually affect more than 10 people?

      --
      Do not fold, spindle or mutilate.
    9. Re:Not surprising by Wild+Wizard · · Score: 5, Informative

      handy link on 0.0.0.0

    10. Re:Not surprising by Pharmboy · · Score: 1

      handy link on 0.0.0.0

      Good link, thanks! Right to the point, lots of good links off it. If I had a mod point I would give it to you. Or a beer.

      --
      Tequila: It's not just for breakfast anymore!
    11. Re:Not surprising by Michael+Hunt · · Score: 4, Informative

      It ain't just broken routers.

      I was recently assigned a /29 from my DSL ISP at home. Since the whole thing runs on NAT, this gives me 8 IPs not 6, since NAT ranges have no concept of 'broadcast' or 'network' addresses (which only have link-local significance, and there's no link.)

      Unfortunately, the /29 fell at the top of the /24 in question (202.59.108.248/29.) This means that 202.59.108.255 is one of the IPs which are being routed to my network. Cool, right?

      Wrong. Having configured static NAT between that IP address and a machine on the inside of the network (172.18.16.24, case in point,) the machine was reachable from Unix and Linux machines, but not from Windows boxes.

      Further testing reveals that Windows still uses classful logic to determine whether an IP is 'valid' or not. On attempting to ping 202.59.108.255 from a slew of Windows 2000 boxes, tcpdump showed nothing on the other end. An identical test from a unix box showed that it worked just fine.

    12. Re:Not surprising by raju1kabir · · Score: 1
      If I had a mod point I would give it to you. Or a beer.

      What would a beer want with a mod point?

      --
      "Patriotism is your conviction that this country is superior to all other countries because you were born in it." -- GBS
    13. Re:Not surprising by lucifuge31337 · · Score: 3, Funny

      Further testing reveals that Windows still uses classful logic to determine whether an IP is 'valid' or not. On attempting to ping 202.59.108.255 from a slew of Windows 2000 boxes, tcpdump showed nothing on the other end. An identical test from a unix box showed that it worked just fine.

      This is /. Rephrase your observation in the form of a blatant MS-bash and tell everyone that's why they should be running Linux.
      There will be no more warnings for this type of blatant oversight. I trust it will not happen again.

      --
      Do not fold, spindle or mutilate.
    14. Re:Not surprising by Alien+Being · · Score: 4, Informative

      "0.0.0.0/1 means any address between 0.0.0.1 and 255.255.255.254"

      Shouldn't that be "any address between 0.0.0.1 and 127.255.255.254?"

    15. Re:Not surprising by dotgain · · Score: 1
      Well, since nobody else is going to mod you up Informative, or say it:

      You're right.

    16. Re:Not surprising by adri · · Score: 1

      Try aussie-isp (majordomo@aussie.net), but still I'd hang out on nanog to catch the network-related stuff. The US _is_ the internet still regardless of what the rest of us think.

    17. Re:Not surprising by hardcode · · Score: 5, Funny

      IANAIANA

      I am not an internet assigned numbers authority

      hc

    18. Re:Not surprising by lucifuge31337 · · Score: 1

      "0.0.0.0/1 means any address between 0.0.0.1 and 255.255.255.254" Shouldn't that be "any address between 0.0.0.1 and 127.255.255.254?"

      Of course, you're right. I should have said 0.0.0.0/0. It's not often I work with /0 networks, so I'm a bit rusty ;)

      --
      Do not fold, spindle or mutilate.
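Added example (not part of any comment above, and not code from any operating system): the prefix arithmetic debated in this sub-thread, plus a hypothetical classful check of the kind Michael Hunt's comment describes, applied to his 202.59.108.248/29. The function names are assumptions made for this illustration.

```python
import ipaddress


def span(prefix):
    """Return the first and last address covered by a CIDR prefix.

    The span includes the all-zeros and all-ones addresses of the block.
    """
    net = ipaddress.ip_network(prefix)
    return str(net[0]), str(net[-1])


def classful_prefixlen(addr):
    """Natural (pre-CIDR) prefix length implied by the first octet."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    if first_octet < 128:
        return 8    # class A
    if first_octet < 192:
        return 16   # class B
    if first_octet < 224:
        return 24   # class C
    return None     # class D/E: multicast or reserved


def classful_verdict(addr):
    """How a purely classful stack would label an address.

    Hypothetical check: it ignores the real prefix length and looks only
    at the natural class boundary, so it calls x.y.z.255 in class C space
    a broadcast address no matter how the block is actually routed.
    """
    plen = classful_prefixlen(addr)
    if plen is None:
        return "not unicast"
    ip = ipaddress.ip_address(addr)
    natural = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    if ip == natural.network_address:
        return "network"
    if ip == natural.broadcast_address:
        return "broadcast"
    return "host"


def routed_addresses(prefix):
    """Every address in a routed block, with no network/broadcast carve-out
    (the static-NAT case from the comment, where there is no shared link)."""
    return [str(a) for a in ipaddress.ip_network(prefix)]


if __name__ == "__main__":
    for p in ("0.0.0.0/0", "0.0.0.0/1", "0.0.0.0/8"):
        print(p, span(p))
    block = "202.59.108.248/29"
    for a in routed_addresses(block):
        print(a, classful_verdict(a))
```
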
    19. Re:Not surprising by Anonymous Coward · · Score: 0

      Hmm, I don't think a broken router would effect very many people, but it could affect quite a few.

  9. Could someone explain this by Billly+Gates · · Score: 1, Insightful
    Why were they filtered out in the first place? It doesn't make sense and I believe the press was talking about running out of IP addresses on the internet back in the late 1990's. If anything more addresses are now available as .coms fade away.

    1. Re:Could someone explain this by jaredmauch · · Score: 4, Informative

      We have a few things that happened here I believe.

      Denial of service attacks lead the reason people would filter out 'unallocated' space. A bunch of people just used rand() to generate fake source IPs to DoS from. Dropping from unallocated or unrouted space has become commonplace as it can prevent that extra little bit of packets from reaching your firewall/router/end host. It can make the difference for some people being able to survive an attack and not.

      The "dot com" bubble that burst created a lot of devices that used to be cared about deeply and now are ignored by the suits as the network is too stable and runs itself. This is both good and bad. As the network becomes more reliable more people start using VoIP and other technologies that reduce costs. Problem is this ends up causing jobs to be lost. (VoIP aside, if you take 250mil phone calls all going on at the same time, using 64k per call, you've got ~16Gb/s of traffic. Most of the international backbones can easily handle this traffic. What does this mean for the existing PSTN networks once the IP networks are more reliable?)

      People are just busy. I know that I sometimes lag in updating software on my systems unless it's necessary. Imagine the people who think "hey, I need to update these filters" but never get around to it.

    2. Re:Could someone explain this by Pharmboy · · Score: 4, Insightful

      You raise a really good point. Also consider most major companies have cut IT staff to reduce costs, and most IT professionals have tolerated it because there are less jobs, meaning fewer people doing more work (and more burnout). I can easily see the lists not getting updated because of the "if it ain't broke, don't fix it" mentality. Many ITs simply have plenty of other stuff to do, and if their company isn't hitting anything on 69/8 or vice versa, then it won't get fixed.

      Good upkeep? Maybe not. Best some can do under the circumstances? Probably. I have enough hell just keeping up with the relatively small amount of shit I have to keep up with, so I can sympathise.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Could someone explain this by afidel · · Score: 3, Informative

      They were filtered because prior to being allocated the only uses for them were nefarious in nature (basically spoofing). If everyone did proper egress filtering this wouldn't be necessary.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    4. Re:Could someone explain this by lucifuge31337 · · Score: 4, Informative

      No, that's not insightful. -1, Stupid Moderators.

      There are several reasons why blocks are reserved by ARIN. Some of them are reserved because they fall on classful routing boundaries, some were reserved based on wanting to keep contiguous space free for various purposes including but not limited to RIPE and APNIC allocations, allowing flexibility for large networks to renumber out of non-contiguous space, etc.

      Don't think I'm sticking up for ARIN. Their policies are poor, mostly undocumented in their actual application, and their customer service sucks.

      --
      Do not fold, spindle or mutilate.
    5. Re:Could someone explain this by Cramer · · Score: 1

      Correction: the suits were always ignoring the network; the network could be literally on fire 3 days a week as long as no customers complained about it.

      As others have stated, "down-sizing" and "restructuring" are the biggest players. The people who knew what they were doing and cared about the network are either not there or no longer in a position to maintain what they created. There may very well be capable, qualified people in charge, but it takes time to learn the "how and why" of any network's configuration. It's hard to fix problems you don't know are there; and no one in their right mind is going to screw with it if they think everything is working. (or no one should)

    6. Re:Could someone explain this by Troed · · Score: 1
      (I do this in bytes, not bits)


      250 million phonecalls * 8kb = 2000000000kb/s.


      2000000000kb/s = 1953125Mb/s = 1907.3Gb/s = 1.86Tb/s


      ?

    7. Re:Could someone explain this by blosphere · · Score: 1

      The 69/8 was a common source of SPAM, DoSses and other abusive behaviour. We got the block back but after re-allocation the problem arose. Accuse the spammers and abusive people of this.

    8. Re:Could someone explain this by nuintari · · Score: 1

      except the is space is considered classless now, class a,b,c, and the rest of those weird ones are now considered obsolete terms. because other netmasks exist other than /8, /16, and /24.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    9. Re:Could someone explain this by lucifuge31337 · · Score: 1

      except the is space is considered classless now, class a,b,c, and the rest of those weird ones are now considered obsolete terms. because other netmasks exist other than /8, /16, and /24.

      Of course, but their policy moves at the speed of continental drift. I'm stating original reasons for reservations.....not claiming their continued validity.

      --
      Do not fold, spindle or mutilate.
    10. Re:Could someone explain this by jaredmauch · · Score: 1

      hmm. guess i need to go back and check my math. either way, 250mil calls at once is a lot more than the pstn sees today. if you exclude dialup it goes down even further. i know that LD companies file their billed ld minutes someplace, does someone know if there is aggregated data somewhere?

  10. This is a marketing issue by southpolesammy · · Score: 4, Insightful

    While the 69/8 netblock has been long known to be reserved, and has subsequently been "used" by script kiddies and the like for DoS attacks, then if ARIN has decided to open that netblock for sale, then it is up to them to notify and market the netblock as no longer being reserved. Pretty simple actually. This is a case where a non-technical solution is ideal to address what has been a technical problem.

    If ARIN isn't doing that, then shame on them. If they are doing that, and we're just ignorant of it, then shame on us.

    --
    Rule #1 -- Politics always trumps technology.
    1. Re:This is a marketing issue by JoeBuck · · Score: 3, Funny

      And the answer is:

      Shame on us.

    2. Re:This is a marketing issue by marvinglenn · · Score: 2, Insightful
      While the 69/8 netblock has been long known to be reserved, and has subsequently been "used" by script kiddies and the like for DoS attacks...

      Part of the blame belongs to the ISPs which let IP packets source from their network that should have been obvious (to the ISP) were forged. Specifically, letting packets out to the upstream with an address forged into the source IP that is obviously not on their network.

      Because of the sloppiness, apathy, or ignorance of such ISPs, it's only natural that other ISPs would protect their incoming links to packets that were certainly forged (at the time).

      --
      The whores get mad when the sluts give it away for free.
  11. Love those dusty old filters... by PZona · · Score: 5, Insightful

    I sometimes wonder, given all the tech layoffs in the last two years, if half the 'net was left running on autopilot. Keeping the filters up to date with current practices would be a lot more likely if there was an adequate number of admins left to man the guns.

    1. Re:Love those dusty old filters... by robfoo · · Score: 1

      That's precisely what I was thinking. The small web company I used to work for (I was one of several laid off to stop the company going under) has a webserver/nameserver/mailserver that's been running pretty much sysadmin-less for the last 6 months or so.
      I'd obviously set it up too well.. :)

      And no, I won't be vindictive and post the server URL in the hopes of a slashdotting :p

  12. This is a good thing (tm) by Anonymous Coward · · Score: 0

    Maybe providers will see that if their users are Internet dickheads (ie. DoSing, sending spam, etc) their IPs will be blacklisted and therefore less valuable.

    Sort of like wanting good people to rent your house so they don't screw it up.

  13. Unreserved some time ago by Anonymous Coward · · Score: 2, Funny

    Is it just me or was this block removed from the reserved list by IANA and assigned to ARIN roughly midway through 2002? Man, the lag is getting worse around here all the time..........

  14. exactly by ArchieBunker · · Score: 4, Interesting

    There's a ton of companies sitting on class A blocks and doing nothing with them. Anything from 4.0.0.0 and up is hardly used. Redistribute these as a temporary solution until IPv6 is mainstream.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:exactly by marvinglenn · · Score: 4, Informative
      There's a ton of companies sitting on class A blocks and doing nothing with them. Anything from 4.0.0.0 and up is hardly used. Redistribute these as a temporary solution until IPv6 is mainstream.

      Exactly. Here are a few of the class A's that I don't see valid reason for the holder of them to have a block of such size:

      019/8 Ford Motor Company (a car company)

      040/8 Eli Lily and Company (a drug company)

      048/8 Prudential Securities Inc. (an insurance company)

      051/8 Department of Social Security of UK (a government department in a relatively small country that has a ridiculously unproportional share)

      056/8 U.S. Postal Service (the opposite of email)

      There are a handful more which you can see here: http://www.iana.org/assignments/ipv4-address-space

      The fact that these companies are cyber-squatting on more than they could reasonably need torques me off to the point that, if I run out of unroutables (10/8, 192.168/16, etc) for my intranetworking, I'm going to lay claim to a block or two of those class A's for my intranet and firewall them [existing squatters] off to the outside.

      --
      The whores get mad when the sluts give it away for free.
    2. Re:exactly by caluml · · Score: 1
      If you run out of unroutables, you're managing "your" namespace as badly as IANA are :)

      Go for IPv6. You can get a /48, which is 2^24 subnets each of 2^64 addresses from most ISPs, tunnel brokers, etc.

    3. Re:exactly by caluml · · Score: 1
      Doh. 2^16 subnets I meant. 65536 subnets, each of up to 18446744073709551616 hosts.

      Does anyone else think it's a bit silly to make the "smallest" subnet /64 ?

    4. Re:exactly by Anonymous Coward · · Score: 3, Interesting

      Why do you think HP bought Compaq?
      now they have 15/8 and 16/8 two consecutive class A

    5. Re:exactly by Anonymous Coward · · Score: 0

      The Postal service uses the public IPs in their network. You might not see them on the outside, but they are being used on the inside. The USPS has a *LOT* more IP devices than people might think. It would be an unbelievable undertaking to switch to private addressing in there.

    6. Re:exactly by marvinglenn · · Score: 1
      I doubt I'll run out of unroutables.

      My point is one of principle, not necessary my actual circumstances.

      --
      The whores get mad when the sluts give it away for free.
    7. Re:exactly by kruczkowski · · Score: 1

      When I worked for the Army, one of the Generals had a public class C in his house. Two devices, his computer and his router.

      --
      hmm... for fun I enjoy launching DDoS attacks against 127.87.42.5
    8. Re:exactly by Raptor+CK · · Score: 1

      Umm... do you have any idea how large PruSec *is?*

      16.7 million IPs is overkill, fine, but 256 Class Bs, or 65536 Class Cs (yes, I'm overgeneralizing) might actually make sense for them. Granted, VPNs eliminate a lot of the need that they might have had in the past for public IPs going everywhere, but any corporation of Prudential's size will have enough employees, offices, and servers to utilize a fairly large portion of a class A. It's not like it's some simple flat address space which can have small chunks allocated off willy-nilly to any physical location. Routers don't like that. Netadmins used to not like it. Everything has to be done in powers of 2, and it gets... sloppy at best.

      In a perfect world, yes, PruSec and companies like them should be using NAT, VPNs, and at best, a handful of Class B networks. However, we don't live in that perfect world, and any sufficiently old network simply can't be adapted to make more efficient use of the available address space without spending lots of time and money which can be better allocated to projects which would increase profits.

      While I agree to some extent that all the above listed groups can make do with a smaller address space, I wouldn't go so far as to call them all squatters.

      --
      Raptor
      "Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
    9. Re:exactly by Doctor+O · · Score: 1
      The fact that these companies are cyber-squatting on more than they could reasonably need [...]

      There were times when the IPv4 address space seemed bigger than what you'd ever need. You want to decide what's reasonable? Tough job for sure.

      # 051/8 Department of Social Security of UK (a government department in a relatively small country that has a ridiculously unproportional share)

      Yeah sure, cowboy. I mean, it's perfectly reasonable that IBM, HP and Xerox have /8 networks. Or the MIT. I mean, what relevance has the DSS of the UK compared to the all-important MIT?

      You need a big reality check.

      --
      Who is General Failure and why is he reading my hard disk?
  15. I've got a better solution... by Dimensio · · Score: 4, Funny

    Find the Internet's most notorious spam-supporting ISPs, like Qwest and Verio and anything in China or Brazil. Revoke all of their allocated IP space and give it to ISPs requesting new IP allocations, then redistribute the 69/8 IP addresses to Verio, Qwest, etc. That way no one will need to update their filters.

    1. Re: I've got a better solution... by shani · · Score: 3, Funny

      Right, because nobody filters IP addresses from ISP's that originate spam.

  16. Trolls are not creative by Anonymous Coward · · Score: 0, Troll
    It is official; Rational thinkers confirm: "*BSD is dying" troll is retarded

    One more crippling bombshell hit the already beleaguered Slashdot troll community when everybody confirmed that the troll community has dropped off the map yet again, now down to less than a fraction of 1 percent of their original creativity. Coming on the heels of a recent realization which plainly showed that trolls are retards, this news serves to reinforce what we've known all along. Trolls are not creative, educated, and is exemplified by repeated trolling attempts using the same old troll. You don't need to be a Psychologist to predict that the majority of trolls on the Slashdot website have no future. The crayon writing is on the wall: trolls face a bleak future. In fact there won't be any future at all for trolls unless they learn to be more creative. Things are looking very bad for trolls. As many of us are already aware, trolls continue to lose appeal.

    The "*BSD is dying" trollers are the most endangered of them all, having lost 93% of its original amusement and creativity. The gradual and unpleasant repetition over a long time only serves to underscore the point more clearly. There can no longer be any doubt: trolls are retards.

    Let's keep to the facts and look at the numbers.

    All the good trolls have ditched Slashdot. Such figures as Signal_11 have gone away to leave the retard trolls behind. How many creative trolls are there? Let's see. The number of creative trolls is roughly nil. Therefore there are far more retards than creative trolls.

    Due to the suckiness of trolls, abysmal creativity skills and so on, good trolls have left Slashdot and went to Kuro5hin.

    Fact: Trolls are retards.

  17. How much?!! by _ph1ux_ · · Score: 0, Offtopic

    For 69.69.69.0/24????

    Thats the C I want!

    1. Re:How much?!! by bigberk · · Score: 4, Funny

      Silly ph1ux, you can't use CIDR and class together. The purpose of CIDR is to provide more network granularity than the octet-centric 'class' based approach - see this little guide on subnetting and CIDR Blocks.

  18. 69/8? Screw 'em! by Anonymous+Struct · · Score: 5, Interesting

    When I started working for the company I'm working for, whose name shall remain unpublished, there was a bit of funny going on with the ip addressing schemes of our various offices. Instead of fooling around with that silly private address space nonsense, they just went allocating /8 blocks devil-may-care, one for each office, and I'll just say there were more than ten of them. Oddest bit was, nobody really seemed to notice all that much, except for the few odd folks who'd try to visit their alma mater's website and met with frustration every time. 128/8 and 129/8 were mysteriously always unavailable.

    So 69/8 is blacked out? Ah, big deal. At least the dba can get to Oracle's website now. 192/8 was an office with about 60 people, if you can believe that. Strange folks out there setting up networks. Shield your young.

  19. neat math thing by SHEENmaster · · Score: 1

    69 hex = 105 decimal, and 69 decimal = 105 octal.

    8 being for octal, and hexadecimal because it's cool.

    --
    You can't judge a book by the way it wears its hair.
    1. Re:neat math thing by lostchicken · · Score: 1, Funny

      Why is Christmas like Halloween?

      25 DEC = 31 OCT

      --
      -twb
    2. Re:neat math thing by esper_child · · Score: 1

      Wow, that is an old one. Probably scribed on the back of ENIAC, in Noah's own handwriting.

  20. Re:I'm a hot stud baby by Anonymous Coward · · Score: 0, Offtopic

    Hey, I'm down with the karma-sutra and position 69. It's just my upstream provider that doesn't want to let me touch those luscious 69/8's.
    kinda like those conservative priests that tell you to do it missionary style -- as if missionaries were brothels or something, and have their own style for sex.

  21. Yeah, I had this a while ago with 65/8 by felicity · · Score: 2, Informative

    Last year I had to rush over to a client to look at why they couldn't send email with their lawyers and, ironically, the firm I worked for (which was an on-going issue).

    Turns out that a previous admin blocked all the "reserved" nets, including the 65/8 net which the lawyers and my firm were in.

    Blocking these seems like a good idea, but it tends to get neglected and only causes problems in practice.
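Added example, not part of the comment above or of the linked paper: an audit of an ingress "reserved space" filter against blocks that have since been allocated, the failure described for 65/8 and 69/8 in this thread. The filter and allocation lists are constructed samples, the function names are hypothetical, and 69.28.64.14 is the address quoted elsewhere in the discussion.

```python
import ipaddress

# Constructed sample: a "reserved/unallocated" drop list written years ago.
# 68.0.0.0/6 is an aggregate (68/8 through 71/8) that silently covers 69/8.
STALE_FILTER = [
    "0.0.0.0/8", "10.0.0.0/8", "65.0.0.0/8", "68.0.0.0/6",
    "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
]

# Constructed sample: blocks the thread says were later handed out.
# In practice this list would come from the current IANA registry.
ALLOCATED = ["65.0.0.0/8", "69.0.0.0/8"]


def parse(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def stale_entries(filter_prefixes, allocated_prefixes):
    """Filter entries that overlap allocated space, as (entry, allocation)."""
    hits = []
    for entry in parse(filter_prefixes):
        for alloc in parse(allocated_prefixes):
            if entry.overlaps(alloc):
                hits.append((str(entry), str(alloc)))
    return hits


def first_match(src, filter_prefixes):
    """Filter entry that would drop a packet from src, or None if it passes."""
    addr = ipaddress.ip_address(src)
    for entry in parse(filter_prefixes):
        if addr in entry:
            return str(entry)
    return None


def prune(filter_prefixes, allocated_prefixes):
    """Remove allocated space from the filter, keeping the rest blocked.

    An aggregate that only partly overlaps an allocation is split, so the
    still-unallocated remainder stays in the drop list.
    """
    remaining = parse(filter_prefixes)
    for alloc in parse(allocated_prefixes):
        kept = []
        for entry in remaining:
            if not entry.overlaps(alloc):
                kept.append(entry)
            elif entry.subnet_of(alloc):
                continue  # the whole entry is now legitimate space
            else:
                # alloc sits inside entry: keep everything except alloc
                kept.extend(entry.address_exclude(alloc))
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    for entry, alloc in stale_entries(STALE_FILTER, ALLOCATED):
        print(f"stale: {entry} blocks allocated {alloc}")
    print("69.28.64.14 dropped by:", first_match("69.28.64.14", STALE_FILTER))
    print("pruned filter:", prune(STALE_FILTER, ALLOCATED))
```
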

  22. Re:69/8? Screw 'em! by WolfWithoutAClause · · Score: 1
    I just hope they've done this more than 20 times, and the network mafia go around and remove an appendage for each time they'd set up someone with a bogus IP address like that.

    Still, I suppose if it is being NAT'd properly, it maybe ok, I guess [pained look].

    --

    -WolfWithoutAClause

    "Gravity is only a theory, not a fact!"
  23. Nobody's Perfect - Not Even Slashdot by slack1661 · · Score: 1

    Apparently the 69.0.0.0/8 is enough of an issue that folks on that address space can't even read this article on slashdot.org.

    --
    Thanks,

    Shawn M. Thomas
    Information Technology Specialist
    1. Re:Nobody's Perfect - Not Even Slashdot by Anonymous Coward · · Score: 0

      Can you clarify that. Atlantic.Net hasn't assigned any 69/8 addresses to customers yet and those addresses are certainly reachable from Atlantic.Net.

    2. Re:Nobody's Perfect - Not Even Slashdot by Anonymous Coward · · Score: 0
      Apparently the 69.0.0.0/8 is enough of an issue that folks on that address space can't even read this article on slashdot.org.

      Try tracerouting to slashdot.org yourself.

      Go on, try it.

      OK then.
    3. Re:Nobody's Perfect - Not Even Slashdot by slack1661 · · Score: 1

      Click the link - read what it says - it's fairly self-explanatory.

      The only question is whether the CGI script is functioning properly. Assuming that it is - slashdot.org CAN NOT be reached from the IP 69.28.64.14.

      --
      Thanks,

      Shawn M. Thomas
      Information Technology Specialist
    4. Re:Nobody's Perfect - Not Even Slashdot by Anonymous Coward · · Score: 0

      Lots of networks block the high-port UDP packets normally used by traceroute. It's a common "security measure" to disallow everything other than the few ports/protocols you actually want to provide access to. In this case, nobody can traceroute to slashdot.org...at least not unless you're in the ACL of allowed hosts (if there is one).

    5. Re:Nobody's Perfect - Not Even Slashdot by slack1661 · · Score: 1

      Hmmm... I stand corrected it seems. Better get out the old dunce cap.

      --
      Thanks,

      Shawn M. Thomas
      Information Technology Specialist
    6. Re:Nobody's Perfect - Not Even Slashdot by Bishop · · Score: 1


      --
      Thanks,

      Shawn M. Thomas
      Information Technology Specialist


      Oh you are "special" alright. You can't even read the results from traceroute.

  24. Hmm....Im on that net... by Tmack · · Score: 1
    While I do have the occasional site that won't respond, I haven't noticed more than did the same with my other provider (not on the 69/8). Guess it deserves me lookin into a bit further..

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
  25. And as always.... by MortisUmbra · · Score: 1

    The problem isn't man's reach exceeding his grasp, it's the fact that he doesn't really look at what he is grabbing.

    --

    "The saddest words of mice and men, are not those which were, but should have been."
  26. Third world 'net by inertia187 · · Score: 1

    ARIN, the organization responsible for the assignment of this address space, has stated that it is not required to ensure end-to-end visibility of said address space. This leaves the members with the tremendous tasks of locating, contacting, and educating every single network on the internet that is filtering this previously reserved space and requesting their operators update their filters.

    While they're at it, it'd be nice to educate every single network on the internet about security and such. Or, maybe we need a new policy of "turning off" networks that don't conform to the rest of the internet's policies.

    It's a huge undertaking. I don't envy them.

    --
    A programmer is a machine for converting coffee into code.
  27. The $69.0.0.0 question is... by goldfndr · · Score: 1

    Why are you still referring to pieces of 8 ("/8")? Quarters are good enough, and they're so unique these days!

    --
    Copyrights, Patents, Trademarks: temporary loans from the Public Domain, not real property ("intellectual" or otherwise)
  28. ISPs and weird filtering by phorm · · Score: 2, Interesting

    Have you ever had an IP address that you just couldn't get to, though you were positive that it was up and online?

    So... you go over to a friend's (or for those who can, SSH to an alternate machine) and the IP is accessible. You know the site is available, so you spend a lot of time in the firewall settings, even opening the firewall entirely... but still no luck.

    I had this problem with my ISP, and finally traced it to that 66.xx.xx.xx IP addresses were unreachable (including redhat.com, very annoying), but only when I was on a certain bank of dynamically assigned IP's. Releasing my IP and leaving the PC off overnight used to solve the problem.

    For awhile, it was occurring after I got a dedicated IP as well. When I called my ISP on this, they told me to reboot my modem, let it sit off for about 15, and then restart. Try explaining to low-tier tech support about how downtime is bad when you run a server.

    Luckily, all is fixed now, since I've moved to another city (same ISP, but no problems), but I wonder if this problem is related to base ISP-side filtering, or if anyone else has experienced it. At one time, I had a box with a non 66.xx.xx.xx IP and a box with a 66.xx.xx.xx IP and they couldn't even talk to each other properly, though both could get online without a problem!

    1. Re:ISPs and weird filtering by SN74S181 · · Score: 1

      If you're running a server that matters for anything important, why are you only reaching lower-tier tech support when there are problems?

      Not paying enough for your connectivity, eh?

    2. Re:ISPs and weird filtering by ces · · Score: 1

      At my former employer we had a similar experience.

      One of our customers was having trouble accessing some of our servers, in particular one /24 couldn't talk to most of the internet. Unfortunately this included the main corporate outbound mail servers.

      This apparently caused quite the fire drill at our upstream provider, a couple of their upstream providers, and our customer's upstream.

      Turned out the problem was caused by Verio leaking bogus BGP advertisements that included our block. Unfortunately it took over a week for Verio to acknowledge the problem and get around to fixing it.

      --
      Happy Fun Ball is for external use only.
    3. Re:ISPs and weird filtering by phorm · · Score: 1

      Nah, always start on the bottom and work my way up. Sometimes it just depends on whom the idiot on the lower-end I get is... if I get a good one, I get bumped. Last time it was an anal know-it-all who refused to bump me on the issue.

      But, that considered: how much should one pay for a business-style DSL connection with a good package (up/down ratio, bandwidth, service)?

    4. Re:ISPs and weird filtering by fshalor · · Score: 1
      I've actually had this problem from a campus that I work on. Also noticed certain popup ads are hacked down at the border. I think most of the problem has to do with routing through sprint.

      Some of us are feeling that nasty QoS is being implemented along the lines. (ah, that's a linux site, who needs to go there!... and such). Of course, I also feel that M$ randomizes bandwidth to WUpdate pages.

      --
      -=fshalor ::this post not spellchecked. move along::
  29. Testing 69/8 by Leme · · Score: 4, Informative

    Jon Lewis set up a nice utility to test if your network is affected by outdated filters.

    http://69box.atlantic.net/

    It includes a nifty traceroute utility that you can use to test with.

    As a holder of space in the 69/8 range, I'll admit the problem is annoying, but thanks to people like Jon, and this posting on Slashdot, hopefully it will go away.

    1. Re:Testing 69/8 by Anonymous Coward · · Score: 0

      If you're behind one of the broken networks with outdated filters, you won't be able to reach 69box.atlantic.net. For that reason, it's got an alternate non-69 IP with a hostname of not69box.atlantic.net

  30. it's very important! by unsinged+int · · Score: 1

    It was only recently that the 24/7 networking problem was solved, and now they've moved on to researching the 69/8 problem. Any progress on that could have huge ramifications.

  31. No.... by mindstrm · · Score: 1

    His point was that in many applications, if you tell them to bind to "0.0.0.0", they map that to INADDR_ANY

    1. Re:No.... by lucifuge31337 · · Score: 1

      His point was that in many applications, if you tell them to bind to "0.0.0.0", they map that to INADDR_ANY

      You mean there are BROKEN APPLICATIONS in use? Say it ain't so!

      Big deal. Whoever gets the 0.0.0.0 block can subnet so their brown apps aren't on the 0.0.0.0/whatever subnet.

      Better yet, give it to me. That would be an easy set of addresses to remember.

      --
      Do not fold, spindle or mutilate.
  32. Boy I must be tired... by Anonvmous+Coward · · Score: 4, Funny

    "The 69/8 Networking Problem"

    When I first read that, I thought 69/8 was a reference to my boss's sense of time. "To beat the competition, you must work 69 hours a day, 8 days a week!"

    Man I hate crunch time.

    1. Re:Boy I must be tired... by Phroggy · · Score: 1

      When I first read that, I thought 69/8 was a reference to my boss's sense of time.

      My first thought was a musical meter: 69 8th-notes per measure.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  33. This is not the only filtering problem. by Maliuta · · Score: 1
    There is a /8 that is mainly distributed in China (sometimes referred to as chi-net) that groups such as the US military and some ISP's filter because of excessive attacks and spamming. The problem being that some sections of that /8 are issued in Australia, New Zealand and Singapore, people allocated with numbers in this range sometimes have problems communicating with people that have US based or hosted services.

    The issue is that if you are blocking something as big as a /8 then you want to know for sure the status of that entire address space, and check it regularly.
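Added example, not part of the thread or any poster's code: one way to run the regular check the comment above asks for, comparing a deny list against currently allocated space and narrowing any entry that only partly overlaps. The filter list, the allocation snapshot and the function names are constructed for illustration; a real run would load the snapshot from current registry data.

```python
import ipaddress

# Constructed sample deny list: RFC 1918 space plus a 69/8 entry of the kind
# the story describes as left over from before the block was allocated.
FILTER_LIST = ["10.0.0.0/8", "69.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed allocation snapshot (assumption: in practice this is parsed from
# the current IANA/RIR allocation data, not hard-coded).
ALLOCATED = {"64.0.0.0/8": "ARIN", "69.0.0.0/8": "ARIN"}


def stale_filter_entries(filter_list, allocated):
    """Return (deny_prefix, allocated_prefix, registry) for each deny entry
    that overlaps space which has since been allocated."""
    findings = []
    for entry in filter_list:
        deny = ipaddress.ip_network(entry)
        for prefix, registry in allocated.items():
            alloc = ipaddress.ip_network(prefix)
            if deny.overlaps(alloc):
                findings.append((str(deny), str(alloc), registry))
    return findings


def narrowed_filter(filter_list, allocated):
    """Return the deny list with every allocated prefix carved out."""
    remaining = [ipaddress.ip_network(e) for e in filter_list]
    for prefix in allocated:
        alloc = ipaddress.ip_network(prefix)
        kept = []
        for net in remaining:
            if not net.overlaps(alloc):
                kept.append(net)              # untouched by this allocation
            elif net.subnet_of(alloc):
                continue                      # entry is entirely allocated
            else:
                # Allocation is a strict subnet: keep only the rest.
                kept.extend(net.address_exclude(alloc))
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    for deny, alloc, registry in stale_filter_entries(FILTER_LIST, ALLOCATED):
        print(f"stale: {deny} blocks {alloc} (allocated to {registry})")
    print("updated filter:", narrowed_filter(FILTER_LIST, ALLOCATED))
```
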

  34. Re:69/8? Screw 'em! by TheLink · · Score: 1

    Not OK unless you do double NAT + DNS translation[1], or use proxies, OR nobody on such a network will ever want to communicate with the site which is legitimately using that address.

    Otherwise the gateway machines would get confused on which 69.x.x.x the packet wants to get to.

    [1] If the network is badly screwed up, good luck finding enough reserved/unused network ranges for the swap tho. There are just so many reserved spaces to use.

    --
  35. 1 stone, 2 birds, kill by Skapare · · Score: 2, Interesting

    I was originally going to propose this for 126/8, but this netblock seems more appropriate. ARIN should take 69/8 back and re-assign it specifically for the purpose of spammers and their hosting services. Make it illegal (like maybe a death penalty) for doing any spamming or hosting any spammers unless it's done from this block of address space.

    --
    now we need to go OSS in diesel cars
  36. US-centricism? by Anonymous Coward · · Score: 0


    IANA has been handing out new netblocks from the previously-reserved ranges for a long time.
    Why was this never a problem worthy of slashdot for any of the previous allocations?
    Perhaps because they were not made to ARIN, so they only affected those pesky non-Americans?????

  37. Offtopic?!! by Anonymous Coward · · Score: 0
    It could hardly be more on-topic! Funny or troll, take your pick.

    Assholes

  38. Test addresses by richdawe · · Score: 1

    We used to have a similar problem at my old work, where 64.0.0.0/8 was used as a test network. Unfortunately this address range was then assigned, which meant that several websites, notably Hotmail, were inaccessible. It was a right PITA and no-one seemed bothered about fixing it. Fortunately it did get fixed, when we renumbered our entire network. That was relatively painless, but then there were only about 100 boxen to renumber.

  39. IANA wastes half IPv4 space! by AYeomans · · Score: 1

    Would you buy a used IPv6 from these guys? They've already wasted 48% of IPv4 addresses in the bogon lists (:-)

    --
    Andrew Yeomans
  40. Allocation by karlm · · Score: 4, Funny
    Back in 1997, my MIT fraternity house had a /16 network in a house zoned to house 22 people. That's about 3,000 IP addresses per person or 16 IP addresses per square foot (a very crowded house, we moved to a much bigger house later). This is probably a world record for IPv4 address density. (The MIT low-cost residence might have beat us.) It appears that MIT has gone to routing only two /24s to the house now and left the other 254 /24s unallocated.

    Some countries only get a single /24 network. The IPv4 space is full of huge differences in per capita allocations. There are tons of cases where huge corporations and universities have hundreds or thousands of times more unused addresses than used addresses. IPv4 routing tables would get unmanageable if you tried finer grained allocation, but there is little objective reason why MIT needs 16 million public IP addresses. When you have several hundred IP addresses per person, it's no wonder the MIT Media Lab comes up with ideas like IP-enabled tennis shoes.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    1. Re:Allocation by nakaduct · · Score: 2, Informative
      IPv4 routing tables would get unmanageable if you tried finer grained allocation

      A routing table with entries for every /24 requires a stunning:
      117 440 512! bytes!
      ... or, roughly $12 worth of RAM, at today's prices.

      I'm not sure what you mean by "unmanageable": it's been a long time since backbone routing tables were managed by hand. There may be good reasons for small routing tables, but inherent cost and/or complexity of management are not.

    2. Re:Allocation by obidex · · Score: 2, Informative

      care to explain that one?

      each entry requires (at the very minimum) prefix, netmask and nexthop. this is before you remember it's bgp, and has to hold a whole host of other shit (communities, as-path, metric, localpref, weight, origin etc).

      i make that:

      2^24
      = 16777216 /24s
      16777216*96
      = 1610612736 bits for prefix,mask,nexthop
      1610612736/8
      = 201326592 bytes for the very basics

      You can safely double that (at the very least) to factor extra bgp overhead gubbins. Take a third off for route compression, and double that figure if you wanna run soft reconfiguration inbound. That comes out on the sunny side of half a gig for just your bgp table.

      also, remember that your $12 stick of RAM will cost $1500 if you're buying ram direct from a router vendor (many refuse to support devices unless you use their proprietary labelled RAM). add on 50 meg for the OS itself and a random amount for your IGP and you're talking about needing a router with a gig of ram.

      then think how long it'll take for you to learn this 200 meg routing table. bgp convergence is bad at the best of times, but adding 200 mbyte overhead when you start a bgp session is just ridiculous.

      there's a reason why route aggregation is a good thing. and it's precisely because of the 'inherent cost and/or complexity of management'

      HTH & HAND

      --
      "I'm tired of looking like an ass because of people's assumptions" - Dalvenjah Foxfire
  41. Re:69/8? Screw 'em! by nuintari · · Score: 1

    wow, 129/8 is where I go to school, that's pretty funny.

    Oh, and whoever set up your network is a moron.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

  42. Re:69/8? Screw 'em! by gatekeep · · Score: 1

    Boy, can I relate to this. My company recently acquired an office which is set up using 202.202.202.0/24. Then they're NATing it for internet access. Apparently someone knew enough to use NAT, but didn't know to use RFC1918 addresses. Thankfully, we're going to be re-numbering this office soon. As luck would have it, they're the biggest whiners about the shortest amount of downtime so it's been a pain trying to get them to let us change it. I mean, is 10 minutes of downtime at 3am on a Sunday all that bad?

    At least they didn't dole out /8s.. course, most of the people around here don't even understand that anything but /24s exist.

  43. Aye, a moron they are... by Andy+Dodd · · Score: 1

    There are a LOT of schools in the 128/8 block from what I remember. Cornell is in there with 128.253/16 and one or two others, and IIRC both CMU and Univ. of Buffalo are 128s.

    --
    retrorocket.o not found, launch anyway?
    1. Re:Aye, a moron they are... by nuintari · · Score: 1

      cool, but I said 129/8, specifically, I go to whoever it is that lives in 129.1/17. I think they have a full /17, not sure.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.