Slashdot Mirror
The 69/8 Networking Problem
jaredmauch writes "A number of networking providers who receive address space from ARIN have been having problems with their recent IP space allocations. This is a result of outdated filters that applied a few years ago during the boom time of the net, but have not been updated to reflect the current state of the network. Here is a paper that documents some of the problems this filtering is causing providers."
Wine me, dine me, 69/8 me!
I'm just looking over this, since I'm looking to purchase some IP's from my upstream provider. It seems to be that these IP's are somewhat devalued since areas of the net have blacklisted them.
:(
Sort of like a tarnished credit record I guess. This IP's won't be of the greatest value for a few years until the rest of the net catches up.
The IP's would be for home broadband use too. I'll be personally avoiding that IP range.
Karma: Chameleon (mostly due to the fact that you come and go).
mirror
...and although most places have finally gotten their act together, this is still a bit of a problem for us. Our ISP has been working quite hard to get people to update their filters (the ISP was one of the first to get addresses in this space), but it's still a bit of a problem. Hopefully being on the front page of slashdot will help the problem some.
I would love everything to be IPv6 now, but it ain't gonna happen for atleast 10 years I think. Even new equipment hasn't got IPv6 :( :/
That would solve problems like this, and create lots of lovely new ones
If only the world was perfect eh?
Frankly this isn't a big surprise. If IANA gave up another previously reserved netblock like 0.0.0.0/8, 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7, 126.0.0.0/8 or the plethora of other reserved netblocks then they should expect peeps to still have them blacklisted in their personal ACLs. This is only common sense. This isn't exactly news. IANA should have been very forthcoming and gone public with the fact that a previously reserved netblock was no longer reserved PRIOR to selling parts of it. How else would they expect admins like myself to know about the change?
While the 69/8 netblock has been long known to be reserved, and has been subsequently been "used" by script kiddies and the like for DoS attacks, then if ARIN has decided to open that netblock for sale, then it is up to them to notify and market the netblock as no longer being reserved. Pretty simple actually. This is a case where a non-technical solution is ideal to address what has been a technical problem.
If ARIN isn't doing that, then shame on them. If they are doing that, and we're just ignorant of it, them shame on us.
Rule #1 -- Politics always trumps technology.
I sometimes wonder, given all the tech layoffs in the last two years, if half the 'net was left running on autopilot. Keeping the filters up to date with current practices would be a lot more likely if there was an adequate number of admins left to man the guns.
We have a few things that happened here I believe. Denial of service attacks lead the reason people would filter out 'unallocated' space. A bunch of people just used rand() to generate fake source IPs to DoS from. Dropping from unallocated or unrouted space has become commonplace as it can prevent that extra little bit of packets from reaching your firewall/router/end host. It can make the difference for some people being able to survive an attack and not. The "dot com" bubble that burst created a lot of devices that used to be cared about deeply and now are ignored by the suits as the network is too stable and runs itself. This is both good and bad. As the network becomes more reliable more people start using VoIP and other technologies that reduce costs. Problem is this ends up causing jobs to be lost. (VoIP aside, if you take 250mil phone calls all going on at the same time, using 64k per call, you've got ~16Gb/s of traffic. Most of the international backbones can easily handle this traffic. What does this mean for the existing PSTN networks once the IP networks are more reliable.) People are just busy. I know that I sometimes lag in updating software on my systems unless it's necessary. Imagine the people who think "hey, i need to update these filters" but never get around to it.
Is it just me or was this block removed from the reserved list by IANA and assigned to ARIN roughly midway through 2002? Man, the lag is getting worse around here all the time..........
Theres a ton of companies sitting on class A blocks and doing nothing with them. Anything from 4.0.0.0 and up is hardly used. Redistribute these as a temporary solution until IPv6 is mainstream.
Only the State obtains its revenue by coercion. - Murray Rothbard
Find the Internet's most notorious spam-supporting ISPs, like Qwest and Verio and anything in China or Brazil. Revoke all of their allocated IP space and give it to ISPs requesting new IP allocations, then redistribute the 69/8 IP addresses to Verio, Qwest, etc. That way no one will need to update their filters.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Your raise a really good point. Also consider most major companies have cut IT staff to reduce costs, and most IT professionals have tolorated it because there are less jobs, meaning fewer people doing more work (and more burnout). I can easily see the lists not getting updated because "if it aint broke, dont fix it" mentality. Many ITs simply have plenty of other stuff to do, and if their company isn't hitting anything on 69/8 or vise versa, then it wont get fixed.
Good upkeep? Maybe not. Best some can do under the circumstances? Probably. I have enough hell just keeping up with the relatively small amount of shit I have to keep up with, so I can sympathise.
Tequila: It's not just for breakfast anymore!
When I started working for the company I'm working for, whose name shall remain unpublished, there was a bit of funny going on with the ip addressing schemes of our various offices. Instead of fooling around with that silly private address space nonsense, they just went allocating /8 blocks devil-may-care, one for each office, and I'll just say there were more than ten of them. Oddest bit was, nobody really seemed to notice all that much, except for the few odd folks who'd try to visit their alma mater's website and met with frustration every time. 128/8 and 129/8 were mysteriously always unavailable.
So 69/8 is blacked out? Ah, big deal. At least the dba can get to Oracle's website now. 192/8 was an office with about 60 people, if you can believe that. Strange folks out there setting up networks. Shield your young.
Last year I had to rush over to a client to look at why they couldn't send email with their lawyers and, ironically, the firm I worked for (which was an on-going issue).
Turns out that a previous admin blocked all the "reserved" nets, including the 65/8 net which the lawyers and my firm were in.
Blocking these seems like a good idea, but it tends to get neglected and only causes problems in practice.
Silly ph1ux, you can't use CIDR and class together. The purpose of CIDR is to provide more network granularity than the octet-centric 'class' based approach - see this little guide on subnetting and CIDR Blocks.
Have you ever had a IP address that you just couldn't get to, though you were positive that it was up and online?
So... you go over to a friend's (or for those who can , SSH to an alternate machine) and the IP is accessible. You know the site is available, so you spend a lot of time in the firewall settings, even opening the firewall entirely... but still no luck.
I had this problem with my ISP, and finally traced it to that 66.xx.xx.xx IP addresses were unreachable (including redhat.com, very annoying), but only when I was on a certain bank of dynamically assigned IP's. Releasing my IP and leaving the PC off overnight used to solve the problem.
For awhile, it was occuring after I got a dedicated IP as well. When I called my ISP on this, they told me to reboot my modem, let it sit off for about 15, and then restart. Try explaining to low-tier tech support about how downtime is bad when you run a server.
Luckily, all is fixed now, since I've moved to another city (same ISP, but no problems), but I wonder if this problem is related to base ISP-side filtering, or if anyone else has experienced it. At one time, I had a box with a non 66.xx.xx.xx IP and a box with a 66.xx.xx.xx IP and they couldn't even talk to each other properly, though both could get online without a problem!
They were filtered because prior to being allocated the only uses for them were nefarious in nature (basically spoofing). If everyone did proper egrees filtering this wouldn't be necessary.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
No, that's not insightful. -1, Stupid Moderators.
There are several reasons why blocks are reserved by ARIN. Some of them are reserved because they fall on classful routing boundaries, some were reserved based on wanting to keep contiguous space free for various purposes including but not limited to RIPE and APNIC allocations, allowing flexibinity for large network to renumber out of non-contiguius space, etc.
Don't think I'm sticking up for ARIN. Their policies are poor, mostly undocumentated in their actual application, and their customer service sucks.
Do not fold, spindle or mutilate.
Jon Lewis setup a nice utility to test if your network is affected by outdated filters.
http://69box.atlantic.net/
It includes a nifty traceroute utility that you can use to test with.
As a holder of space in the 69/8 range, I'll admit the problem is annoying, but thanks to people like Jon, and this posting on Slashdot, hopefully it will go away.
"The 69/8 Networking Problem"
When I first read that, I thought 69/8 was a reference to my boss's sense of time. "To beat the competition, you must work 69 hours a day, 8 days a week!"
Man I hate crunch time.
I was originally going to propose this for 126/8, but this netblock seems more appropriate. ARIN should take 69/8 back and re-assign it specifically for the purpose of spammers and their hosting services. Make it illegal (like maybe a death penalty) for doing any spamming or hosting any spammers unless it's done from this block of address space.
now we need to go OSS in diesel cars
Some countries only get a sinle /24 network. The IPv4 space is full of huge differences in per capita allocations. There are tons of cases where huge corporations and universities have hundreds or thousands of times more unused addresses than used addresses. IPv4 routing tables would get unmanageable if you tried finer grained allocation, but there is little objective reason why MIT needs 16 million public IP addresses. When you have several hundred IP addresses per person, it's no wonder the MIT Media Lab comes up with ideas like IP-enabled tennis shoes.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.