Slashdot Mirror

← Back to Stories (view on slashdot.org)

The 69/8 Networking Problem

Posted by ryuzaki0 on from the modular-arithmetic dept.

jaredmauch writes "A number of networking providers who receive address space from ARIN have been having problems with their recent IP space allocations. This is a result of outdated filters that applied a few years ago during the boom time of the net, but have not been updated to reflect the current state of the network. Here is a paper that documents some of the problems this filtering is causing providers."

28 of 182 comments (clear)

  1. Devalued IP Space? by numbski · · Score: 4, Insightful

    I'm just looking over this, since I'm looking to purchase some IP's from my upstream provider. It seems to be that these IP's are somewhat devalued since areas of the net have blacklisted them.

    Sort of like a tarnished credit record I guess. This IP's won't be of the greatest value for a few years until the rest of the net catches up.

    The IP's would be for home broadband use too. I'll be personally avoiding that IP range. :(

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:Devalued IP Space? by Sandman1971 · · Score: 4, Interesting

      Sure you can. But you also have to remember that most backbone providers will not accept BGP advertisements smaller than /19 (32 Class Bs). To get that kind of range at Arin, you have to prove something like 75% utilisation now, and up to 100% utilisation within 3 months. So unless you're an ISP/backbone/server/web farm or a big company, you'll have a tough time proving you need 8 class Bs.

      --
      It's better to burn out than to fade away
  2. I have a 69/8 address by DetrimentalFiend · · Score: 5, Interesting

    ...and although most places have finally gotten their act together, this is still a bit of a problem for us. Our ISP has been working quite hard to get people to update their filters (the ISP was one of the first to get addresses in this space), but it's still a bit of a problem. Hopefully being on the front page of slashdot will help the problem some.

  3. Roll on IPv6 by The+Real+Chrisjc · · Score: 5, Interesting

    I would love everything to be IPv6 now, but it ain't gonna happen for atleast 10 years I think. Even new equipment hasn't got IPv6 :(
    That would solve problems like this, and create lots of lovely new ones :/

    If only the world was perfect eh?

    1. Re:Roll on IPv6 by silas_moeckel · · Score: 4, Informative

      Your not going to see IPV6 untill they figure out how to bill for multicast traffic as it's REQUIRED to work inside IPv6 not optional like under v4. This is a HUGE problem in implementing it as you cant bill for it rationaly. How much sould it cost are home users going to be billed per megabit leaving there ISP? If multicast works lots of the current issues with the net can go away think bit torrent is fast think about file send loops via multicast just join as many as you have bandwith to receive. All of the routers etc etc out there have supported IPv6 for a long time I cant say that people are realy familiar with it but it could be made to work but you NEED to be able to fit a billing plan around it before any of the big guys are going ot make it work world wide.

      --
      No sir I dont like it.
    2. Re:Roll on IPv6 by rusty0101 · · Score: 5, Insightful

      What new equipment does not support IPv6?

      BSD, Linux, MacOS X, and Windows XP, all have support for IPv6 in their network stack. Current Cisco IOS supports IPv6.

      There are some applications that go too far into the network stack to properly support IPv6, but those are applications.

      The main stumbling block to IPv6 that I see right now is that very few network people in the US know how to use it. Outside of the US, both in Europe and Asia, IPv6 is being deployed fairly widely, as they do not have the IPv4 address space availabable and allocated to make use of it except in servers and routers.

      As there are several gateways available, to allow IPv6 clients to access IPv4 servers, I suspect that the demand upone US providers to start supporting IPv6 devices is going to be long in comming.

      With 10 devices in my house that support IP, (live at the moment, several others not currently powered up) I would exceed the available IP addresses my ISP account allows. As a result I am effectively forced to use NAT and private IP address space, even if my ISP would rather I did not. On top of that I don't want to keep a bunch of systems widely available to script kiddies. IPv6 would not solve that problem.

      Then again, that's probably just all opinion on my part.

      -Rusty

      --
      You never know...
  4. Not surprising by Anonymous Coward · · Score: 4, Interesting

    Frankly this isn't a big surprise. If IANA gave up another previously reserved netblock like 0.0.0.0/8, 96.0.0.0/4, 112.0.0.0/5, 120.0.0.0/6, 124.0.0.0/7, 126.0.0.0/8 or the plethora of other reserved netblocks then they should expect peeps to still have them blacklisted in their personal ACLs. This is only common sense. This isn't exactly news. IANA should have been very forthcoming and gone public with the fact that a previously reserved netblock was no longer reserved PRIOR to selling parts of it. How else would they expect admins like myself to know about the change?

    1. Re:Not surprising by gclef · · Score: 4, Insightful

      ARIN did notify the public. ARIN, RIPE, APNIC, etc are often announcing allocations to groups like NANOG. I don't see how much louder they could be. If you're filtering based on their reserved lists, it's your responsibility to keep up with their allocation updates.

      The problem is not the allocator's fault...at least, not directly. The problem is that lots of folks put in filters based on the bogon list at the time of their firewall/soho router install, and promptly forget about the fact that those filters should change (or, more likely, the consultant left).

      There's nothing that ARIN, IANA or anyone else can do to enforce clue at the edge of a network. Hence the problem. If you're not prepared to keep up with groups like NANOG, don't filter unallocated space.

    2. Re:Not surprising by jmt9581 · · Score: 5, Funny

      Curse slashdot for making me wonder "I Am Not A What?" as I skimmed over this comment . . .

      While IANAL (linguist, not lawyer :) the namespace for acronyms is really becoming overcrowded. :)

      --

      My blog

    3. Re:Not surprising by lucifuge31337 · · Score: 4, Informative

      0.0.0.0/1 means any address between 0.0.0.1 and 255.255.255.254. 0.0.0.0/8 is much different, meaning any address between 0.0.0.1 and 0.255.255.254. So, basically what I'm saying is that it can mean "all IP addresses (in IPv4 space)" or it can denote a smaller subset of addresses beginning at 0.0.0.1, depending on what subnet mask is applied to it.

      The "problem" with using blocks like that are not technical....just like using addresses ending in .0 as valid IP space is also not a problem in the right network blocks.....it's broken sysadmin's understaning of IP that causes issues.

      Oh...and there that nasty problem of certian addresses lying on bondaries that cause routers that don't properly understand classless routing to choke, but honestly...how many edge device could possibly be out there that are that dated to still have that problem? At least how many that are in a backbone situation where their being broken would actually effect more than 10 people?

      --
      Do not fold, spindle or mutilate.
    4. Re:Not surprising by Wild+Wizard · · Score: 5, Informative

      handy link on 0.0.0.0

    5. Re:Not surprising by Michael+Hunt · · Score: 4, Informative

      It ain't just broken routers.

      I was recently assigned a /29 from my DSL ISP at home. Since the whole thing runs on NAT, this gives me 8 IPs not 6, since NAT ranges have no concept of 'broadcast' or 'network' addresses (which only have link-local significance, and there's no link.)

      Unfortunately, the /29 fell at the top of the /24 in question (202.59.108.248/29.) This means that 202.59.108.255 is one of the IPs which are being routed to my network. Cool, right?

      Wrong. Having configured static NAT between that IP address and a machine on the inside of the network (172.18.16.24, case in point,) the machine was reachable from Unix and Linux machines, but not from Windows boxes.

      Further testing reveals that Windows still uses classful logic to determine whether an IP is 'valid' or not. On attempting to ping 202.59.108.255 from a slew of windows 2000 boxes, tcpdump showed nothing on the other end. An identical test from a unix box showed that it worked just fine.

      --
      You're doing it wrong.
    6. Re:Not surprising by Alien+Being · · Score: 4, Informative

      "0.0.0.0/1 means any address between 0.0.0.1 and 255.255.255.254"

      Shouldn't that be "any address between 0.0.0.1 and 127.255.255.254?"

    7. Re:Not surprising by hardcode · · Score: 5, Funny

      IANAIANA

      I am not an internet assigned numbers authority

      hc

  5. This is a marketing issue by southpolesammy · · Score: 4, Insightful

    While the 69/8 netblock has been long known to be reserved, and has been subsequently been "used" by script kiddies and the like for DoS attacks, then if ARIN has decided to open that netblock for sale, then it is up to them to notify and market the netblock as no longer being reserved. Pretty simple actually. This is a case where a non-technical solution is ideal to address what has been a technical problem.

    If ARIN isn't doing that, then shame on them. If they are doing that, and we're just ignorant of it, them shame on us.

    --
    Rule #1 -- Politics always trumps technology.
  6. Love those dusty old filters... by PZona · · Score: 5, Insightful

    I sometimes wonder, given all the tech layoffs in the last two years, if half the 'net was left running on autopilot. Keeping the filters up to date with current practices would be a lot more likely if there was an adequate number of admins left to man the guns.

  7. Re:Could someone explain this by jaredmauch · · Score: 4, Informative

    We have a few things that happened here I believe. Denial of service attacks lead the reason people would filter out 'unallocated' space. A bunch of people just used rand() to generate fake source IPs to DoS from. Dropping from unallocated or unrouted space has become commonplace as it can prevent that extra little bit of packets from reaching your firewall/router/end host. It can make the difference for some people being able to survive an attack and not. The "dot com" bubble that burst created a lot of devices that used to be cared about deeply and now are ignored by the suits as the network is too stable and runs itself. This is both good and bad. As the network becomes more reliable more people start using VoIP and other technologies that reduce costs. Problem is this ends up causing jobs to be lost. (VoIP aside, if you take 250mil phone calls all going on at the same time, using 64k per call, you've got ~16Gb/s of traffic. Most of the international backbones can easily handle this traffic. What does this mean for the existing PSTN networks once the IP networks are more reliable.) People are just busy. I know that I sometimes lag in updating software on my systems unless it's necessary. Imagine the people who think "hey, i need to update these filters" but never get around to it.

  8. exactly by ArchieBunker · · Score: 4, Interesting

    Theres a ton of companies sitting on class A blocks and doing nothing with them. Anything from 4.0.0.0 and up is hardly used. Redistribute these as a temporary solution until IPv6 is mainstream.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:exactly by marvinglenn · · Score: 4, Informative
      Theres a ton of companies sitting on class A blocks and doing nothing with them. Anything from 4.0.0.0 and up is hardly used. Redistribute these as a temporary solution until IPv6 is mainstream.

      Exactly. Here are a few of the class A's that I don't see valid reason for the holder of them to have a block of such size:

      019/8 Ford Motor Company (a car company)

      040/8 Eli Lily and Company (a drug company)

      048/8 Prudential Securities Inc. (an insurance company)

      051/8 Deparment of Social Security of UK (a government department in a relatively small country that has a ridiculously unproportional share)

      056/8 U.S. Postal Service (the opposite of email)

      There are a handful more which you can see here: http://www.iana.org/assignments/ipv4-address-space

      The fact that these companies are cyber-squatting on more than they could resonably need torques me off to the point that, if I run out of unroutables (10/8, 192.168/16, etc) for my intranetworking, I'm going to lay claim to a block or two of those class A's for my intranet and firewall them [existing squatters] off to the outside.

      --
      The whores get mad when the sluts give it away for free.
  9. I've got a better solution... by Dimensio · · Score: 4, Funny

    Find the Internet's most notorious spam-supporting ISPs, like Qwest and Verio and anything in China or Brazil. Revoke all of their allocated IP space and give it to ISPs requesting new IP allocations, then redistribute the 69/8 IP addresses to Verio, Qwest, etc. That way no one will need to update their filters.

    --
    STOP MISUSING APOSTROPHES, YOU MORONS!!!
  10. Re:Could someone explain this by Pharmboy · · Score: 4, Insightful

    Your raise a really good point. Also consider most major companies have cut IT staff to reduce costs, and most IT professionals have tolorated it because there are less jobs, meaning fewer people doing more work (and more burnout). I can easily see the lists not getting updated because "if it aint broke, dont fix it" mentality. Many ITs simply have plenty of other stuff to do, and if their company isn't hitting anything on 69/8 or vise versa, then it wont get fixed.

    Good upkeep? Maybe not. Best some can do under the circumstances? Probably. I have enough hell just keeping up with the relatively small amount of shit I have to keep up with, so I can sympathise.

    --
    Tequila: It's not just for breakfast anymore!
  11. Re:heh by _ph1ux_ · · Score: 4, Funny

    no no no - we're talking about networks here buddy. So its:

    Ping me, finger me, 69/8 me!

  12. 69/8? Screw 'em! by Anonymous+Struct · · Score: 5, Interesting

    When I started working for the company I'm working for, whose name shall remain unpublished, there was a bit of funny going on with the ip addressing schemes of our various offices. Instead of fooling around with that silly private address space nonsense, they just went allocating /8 blocks devil-may-care, one for each office, and I'll just say there were more than ten of them. Oddest bit was, nobody really seemed to notice all that much, except for the few odd folks who'd try to visit their alma mater's website and met with frustration every time. 128/8 and 129/8 were mysteriously always unavailable.

    So 69/8 is blacked out? Ah, big deal. At least the dba can get to Oracle's website now. 192/8 was an office with about 60 people, if you can believe that. Strange folks out there setting up networks. Shield your young.

  13. Re:How much?!! by bigberk · · Score: 4, Funny

    Silly ph1ux, you can't use CIDR and class together. The purpose of CIDR is to provide more network granularity than the octet-centric 'class' based approach - see this little guide on subnetting and CIDR Blocks.

  14. Re:Could someone explain this by lucifuge31337 · · Score: 4, Informative

    No, that's not insightful. -1, Stupid Moderators.

    There are several reasons why blocks are reserved by ARIN. Some of them are reserved because they fall on classful routing boundaries, some were reserved based on wanting to keep contiguous space free for various purposes including but not limited to RIPE and APNIC allocations, allowing flexibinity for large network to renumber out of non-contiguius space, etc.

    Don't think I'm sticking up for ARIN. Their policies are poor, mostly undocumentated in their actual application, and their customer service sucks.

    --
    Do not fold, spindle or mutilate.
  15. Testing 69/8 by Leme · · Score: 4, Informative

    Jon Lewis setup a nice utility to test if your network is affected by outdated filters.

    http://69box.atlantic.net/

    It includes a nifty traceroute utility that you can use to test with.

    As a holder of space in the 69/8 range, I'll admit the problem is annoying, but thanks to people like Jon, and this posting on Slashdot, hopefully it will go away.

  16. Boy I must be tired... by Anonvmous+Coward · · Score: 4, Funny

    "The 69/8 Networking Problem"

    When I first read that, I thought 69/8 was a reference to my boss's sense of time. "To beat the competition, you must work 69 hours a day, 8 days a week!"

    Man I hate crunch time.

  17. Allocation by karlm · · Score: 4, Funny
    Back in 1997, my MIT fraternity house had a /16 network in a house zoned to house 22 people. That's about 3,000 IP addresses per person or 16 IP addresses per square foot (a very crowded house, we moved to a much bigger house later). This is probably a world record for IPv4 address density. (The MIT low-cost residence might have beat us.) It appears that MIT has gone to routing only two /24s to the house now and left the other 254 /24s unallocated.

    Some countries only get a sinle /24 network. The IPv4 space is full of huge differences in per capita allocations. There are tons of cases where huge corporations and universities have hundreds or thousands of times more unused addresses than used addresses. IPv4 routing tables would get unmanageable if you tried finer grained allocation, but there is little objective reason why MIT needs 16 million public IP addresses. When you have several hundred IP addresses per person, it's no wonder the MIT Media Lab comes up with ideas like IP-enabled tennis shoes.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.