Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Route filtering: Handle with Care Frank Salanitri – APNIC Tomoya Yoshida – NTT Communitations.

Published byByron Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Route filtering: Handle with Care Frank Salanitri – APNIC Tomoya Yoshida – NTT Communitations."— Presentation transcript:

1 1 Route filtering: Handle with Care Frank Salanitri – APNIC Tomoya Yoshida – NTT Communitations

2 2 Overview Background The problem APNIC Resource Quality Assurance BGP debogon project

3 3 Why IP addresses are blocked? IP address can get filtered for various reasons: Outdated bogon lists Past abusive behaviour Blacklist from spamming and DOS attacks Security/access policies

4 4 IP Filtering methods Route filtering Application filtering, esp. Mail Firewall filtering

5 5 The Problem Legitimate internet traffic fails to reach the destination due to outdated filters and black/bogon lists RIR seen as responsible for allocating ‘unusable’ blocks Situation worsens as free pool of IPv4 addresses reaches exhaustion New address blocks attract un-wanted levels of traffic from private-use domains, mis-configured equipment, and scanning activity. Prefixes get recycled

6 6 What you can do Manage bogon filtering responsibly To ensure that addresses are not mistakenly filtered through routers, it is important to keep router ACLs updated Keep informed about bogon filters and IANA allocations. Visit regularly: Team Cymru IANA

7 7 Resource Quality Assurance Community awareness campaign Build relationships with reputable organizations that maintain bogon/black list Education through publications and APNIC training materials Keep the Whois Database accurate Actively remind resource holders to update their data

8 8 Resource Quality Assurance APNIC acts to minimize any problems in routability through communication, training, and testing Testing for new /8 blocks NOC mailing lists notification Reachability test conducted in conjunction with RIPE NCC Collaborative testing

9 9

10 BGP debogon project Tomoya Yoshida NTT Communications yoshida@nttv6.jp

11 Your IP Address seen in the world My not always reach to every network ▫ Even though the ISPs advertise their customers IP blocks in stable of course… ▫ In case of the new IP allocation in particular We often encounter “(BGP) bogon filtering issue” 2010/8/25copiright (c) NTT Communications 11

12 Bogon, Bogon Route, Bogon Filtering ▫Bogon ▫Originated by the word bogus(False, Fake etc) ▫Bogon Route ▫prefix which is not advertised or must not to be advertised usually ▫Bogon filtering ▫Filtering Bogon Route by ISP’s border GW router generally, including contents filtering at server side 2010/8/25copiright (c) NTT Communications 12 Present useAddress Block Private Address (RFC1918) 10.0.0.0/8 、 172.16.0.0/12 、 192.168.0.0/16 Loopback Address127.0.0.0/8 Link Local Address169.254.0.0/16 TEST-NET192.0.2.0/24 Benchmark Test Address198.18.0.0/15 Multicast Address224.0.0.0/3 IANA ReserveNow /8 x14 ISP-BISP-A Custo mer 10.0.0.0/8 (accidentally)10.0.0.0/8 × (incoming ) bogon filtering

13 ESTA Problem 2010/8/25copiright (c) NTT Communications 13 https://esta.cbp.dhs.gov/

14 2 years ago… 2010/8/25copiright (c) NTT Communications 14 AS38639 (HANABI) ntt.net (AS2914) UUNet (AS701) DHS (AS15147) AS4713 (OCN) Development Research ASISP Commercial AS 10.0.0.0/8 172.16.0.0/16 … 115.0.0.0/8 116.0.0.0/8 … 10.0.0.0/8 172.16.0.0/16 … 115.0.0.0/8 116.0.0.0/8 … OKNG Bogon filtering issue Filtering table 115.69.224.0/21

15 One week advertisement of 14/8, 223/8 Recently whole x/8 advertisement is observed more often just after the IANA allocated to the RIRs those blocks ▫Investigation 1/8 pollution at first ▫Other x/8s are also investigated for the situations and checking the trend Overview of Investigation ▫Period : 19 th Apr 2010 ~ 26 th (1 week)  Allocation from IANA to APNIC : 10 th Apr 2010 ▫Prefixes : 14/8, 223/8 from AS38639(NTTCom) ▫Packet collecting way : tcpdump + netFlow sampling(Samurai) ▫Reachability check for those two blocks using routeview(router server) 2010/8/25copiright (c) NTT Communications 15

16 Per Protocol 2010/8/25copiright (c) NTT Communications 16 Normally 30Mbps ~ 50Mbps, it is like a normal traffic curve

17 Per Protocol and Port 2010/8/25copiright (c) NTT Communications 17 A half is tcp/445(Conficker, Downadup), second udp/1434(sql-slammer)

18 Per Origin_AS 2010/8/25copiright (c) NTT Communications 18 AS4134:ChinaNet AS3462:Hinet AS4837:CNCG AS8402:Corbina Tel AS3269:Telecom Italy

19 Per Destination IP 2010/8/25copiright (c) NTT Communications 19

20 Per Source IP ( bps ) 2010/8/25copiright (c) NTT Communications 20

21 Per Source IP ( pps ) 2010/8/25copiright (c) NTT Communications 21

22 Some Specific Packet (e.g.) 2010/8/25copiright (c) NTT Communications 22

23 Some Specific Packet (e.g.) 2010/8/25copiright (c) NTT Communications 23

24 Some Specific Packet (e.g.) 2010/8/25copiright (c) NTT Communications 24

25 Some Specific Packet (e.g.) 2010/8/25copiright (c) NTT Communications 25

26 Some Specific Packet (e.g.) 2010/8/25copiright (c) NTT Communications 26

27 14/8 Traffic to AS38639 2010/8/25copiright (c) NTT Communications 27

28 223/8 Traffic to AS38639 2010/8/25copiright (c) NTT Communications 28

29 { 27, 14, 223 } /8 reachability investigation ( 25 th Apr, 2010 ) 2010/8/25copiright (c) NTT Communications 29 - Approximately 20-30% are not reachable from new allocation IP immediately after new allocation from the IANA to the APNIC - There are differences between 14/8 and 223/8 even though the same allocation timing

30 IPv4 address space recently allocated by the IANA to the RIRs 10 /8 allocations to the RIRs, to APNIC, ARIN, RIPE, LACNIC (not AfriNIC) ▫20100119 #APNIC 001/8, 027/8 ▫20100212 #ARIN 050/8, 107/8 ▫20100411 #APNIC 014/8, 223/8 ▫20100511 #RIPE 031/8, 176/8 ▫20100603 #LACNIC 177/8, 181/8 ▫20100805 #APNIC 049/8, 101/8 2010/8/25copiright (c) NTT Communications 30 http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt

31 1/8 reachability investigation ( 7 th Jun, 2010 ) 2010/8/25copiright (c) NTT Communications 31 Approximately 10% are not reachable even though 5 months later

32 1/8 reachability investigation ( 8 th Jul, 2010 ) 2010/8/25copiright (c) NTT Communications 32 No big changes one more month later…

33 RIPE Debogon Project 2010/8/25copiright (c) NTT Communications 33 http://www.ris.ripe.net/debogon/ Checking reachability per /8s in case of new allocation based on RIPE RIS routes

34 1.50.0.0/22 Reachability ( Feb.-Mar 2010 ) 2010/8/25copiright (c) NTT Communications 34

35 27.50.0.0/22 Reachability ( Feb.- Apr. 2010 ) 2010/8/25copiright (c) NTT Communications 35

36 May 2010 2010/8/25copiright (c) NTT Communications 36 http://www.ris.ripe.net/debogon/2010/05/in dex.shtml

37 {1,27}/8 reachability investigation from NTTCom AS38639 Checking 22581 Ases by ping reachability check ▫Results : Approximately 10% are unreachable  It’s similar to Routeview 、 RIPE debogon results ▫When assignment is begun to LIR, improving gradually 2010/8/25copiright (c) NTT Communications 37 15 th Apr. 20108 th Jun. 2010 27/8(new)203/8(old)1/8(new)203/8(old) # of Dest AS22581 # of Ping OK AS20086221671978721177 Diff249541427941404 % of NG11%2%12%6% Probably now it’s less than 10%

38 Checking (a part of) Blacklist 2010/8/25copiright (c) NTT Communications 38 39/72 2010/06/05 investigation 38/72 27.0.0.0/81.0.0.0/8 2010/04/15 investigation Approximately 50% is not reachable esta.cbp.dhs.gov www.2ch.net (bulletin board) www.mlb.com www.bbc.co.uk www.americanairlines.jp ・・・

39 1slash8 NW for 7/8-9 janog26 2010/8/25copiright (c) NTT Communications 39 c7201 AS38639 (NTTCom IAC) 1.200.0.1 Ebis janog26 conference hall radiu s Ebis NTTCom OCN (AS4713 ) ntt.net (AS2914 ) AS38639 Flets NTT East Flets NW Port 80 Port 443 NAT Router Thank you APNIC Staff SSID: slash8 10.0.1.1/24 10.0.1.2/2410.0.1.3/24

40 (A part of) reachability NG list from 1/8 netowrk only @ janog26 meeting http://www.metro.tokyo.jp/ http://www.sangiin.go.jp/ http://www.lottehotel.com/ http://www.xn--w22as22a.com/ http://www.mizuho-tb.co.jp/ http://www.mizuhocbk.co.jp/ http://www.alaxala.co.jp/ http://www.admission.jp/ http://www.clarion.com/ http://chizu-route-susumu.jp/ http://metacafe.com/ http://softonic.com/ http://gougou.com/ http://www.bbc.co.uk/ http://www.e-tokyo.lg.jp/ http://www.ebookjapan.jp/ http://www.nta.go.jp/ http://www.ietf.org/ (tools.ietf.org OK) 2010/8/25copiright (c) NTT Communications 40

41 1/8 usage ( by Routing Info ) 2010/8/25copiright (c) NTT Communications 41 Already used(routable) one third space in 1/8 but still not good conditions 1.X/16 (X:0-255) 2010/7/8 100% used less than 100% used Ping source block

42 Recent Allocation to AS4713 Network Information: [Network Number] 27.114.0.0/17 [Network Name] [Organization] NTT COMMUNICATIONS CORPORATION [Administrative Contact] AY1361JP [Technical Contact] KK551JP [Technical Contact] TS19037JP [Technical Contact] TT10660JP [Abuse]abuse@ocn.ad.jp [Allocated Date] 2010/07/12 [Last Update]2010/07/12 15:43:21(JST) 2010/8/25copiright (c) NTT Communications 42 27/8 allocation to APNIC : Jan. 2010

43 Recent Allocation to AS4713 2010/8/25copiright (c) NTT Communications 43 Network Information: [Network Number] 223.216.0.0/14 [Network Name] [Organization] NTT COMMUNICATIONS CORPORATION [Administrative Contact] AY1361JP [Technical Contact] KK551JP [Technical Contact] TS19037JP [Technical Contact] TT10660JP [Abuse]abuse@ocn.ad.jp [Allocated Date] 2010/07/12 [Last Update]2010/07/12 15:43:21(JST) 223/8 allocation to APNIC : Jan. 2010

44 New Allocation IP’s reachability investigation ( 16 th Jul, 2010) 2010/8/25copiright (c) NTT Communications 44 115/8 > 27/8 > 1/8, 14/8 223/8

45 Google search for “1.200.0.1” 2010/8/25copiright (c) NTT Communications 45

46 46 Thank you frank@apnic.net yoshida@nttv6.jp

Download ppt "1 Route filtering: Handle with Care Frank Salanitri – APNIC Tomoya Yoshida – NTT Communitations."

Similar presentations

Internet Number Resource Status Report As of 30 June 2005.

Internet Number Resource Status Report As of 30 June 2005.
IPv6: Paving the way for next generation networks Tuesday, 16 July 2013 Nate Davis Chief Operating Officer, ARIN.

IPv6: Paving the way for next generation networks Tuesday, 16 July 2013 Nate Davis Chief Operating Officer, ARIN.
Sofía Silva Berenguer lacnic.net Paramaribo - Surinam IPv4 Exhaustion And IPv6 Deployment.

Sofía Silva Berenguer lacnic.net Paramaribo - Surinam IPv4 Exhaustion And IPv6 Deployment.
IPv4 Depletion IPv6 Adoption 3 February 2011 0 /8s Remaining.

IPv4 Depletion IPv6 Adoption 3 February /8s Remaining.
10/6/116Watch Project 1 6Watch: Gauging the Global Rollout of IPv6 Dan Massey Dave Meyer Lixia Zhang Colorado State U. Oregon UCLA.

10/6/116Watch Project 1 6Watch: Gauging the Global Rollout of IPv6 Dan Massey Dave Meyer Lixia Zhang Colorado State U. Oregon UCLA.
IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.

IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.
1 Introduction Internet Protocol version 6 Presenter Veena Merz Manager Cisco Networking Area Academy.

1 Introduction "Internet Protocol version 6" Presenter Veena Merz Manager Cisco Networking Area Academy.
IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)

IPv4 Addresses. Internet Protocol: Which version? There are currently two versions of the Internet Protocol in use for the Internet IPv4 (IP Version 4)
June 2013 Internet Number Resource Report. June 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 30 June 2013 Prepared.

June 2013 Internet Number Resource Report. June 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 30 June 2013 Prepared.
December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.

December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.
March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.

March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.
1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.

1 Overview of policy proposals Policy SIG Wednesday 26 August 2009 Beijing, China.
IPv6 Addressing – Status and Policy Report Paul Wilson Director General, APNIC.

IPv6 Addressing – Status and Policy Report Paul Wilson Director General, APNIC.
IPv4 Depletion and IPv6 Adoption Today Community Use Slide Deck Courtesy of ARIN May 2014.

IPv4 Depletion and IPv6 Adoption Today Community Use Slide Deck Courtesy of ARIN May 2014.
CSE5803 Advanced Internet Protocols and Applications (7) 1 7.1 Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.

CSE5803 Advanced Internet Protocols and Applications (7) Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.
Internet Operations and the RIRs. Overview ARIN and the Regional Internet Registry (RIR) System IP Number Resources, DNS and Routing IP Address Management.

Internet Operations and the RIRs. Overview ARIN and the Regional Internet Registry (RIR) System IP Number Resources, DNS and Routing IP Address Management.
IP Address Management The RIR System & IP policy

IP Address Management The RIR System & IP policy
Final Stages of IPv4 Distribution Guangliang Pan Resource Services Manager, APNIC.

Final Stages of IPv4 Distribution Guangliang Pan Resource Services Manager, APNIC.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E Database SIG APNIC Database Privacy Issues 1 March 2001 APRICOT, Malaysia Fabrina.
A proposal to improve reachability of new IANA blocks Tomoya YOSHIDA NTT Communications

A proposal to improve reachability of new IANA blocks Tomoya YOSHIDA NTT Communications

Similar presentations

Ads by Google