wg-multicast - Re: bogon SAs from UC Davis?

Subject: All things related to multicast

List archive

Re: bogon SAs from UC Davis?

From: Bill Owens <>
To: Eli Dart <>
Cc: wg-multicast <>
Subject: Re: bogon SAs from UC Davis?
Date: Tue, 8 Feb 2011 13:26:09 -0500

On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> we're still seeing SA thresholds kick in (we warn at 125k SAs).
>
> Any chance folks might be interested in putting bogon filters on MSDP?
> A huge amount of this is for unallocated space....

The Internet2 Visible Network configs page is not responding right now, but
here's a copy of their filter from a couple of years ago:

policy-statement MSDP-FILTER {
term bad-groups {
from {
route-filter 224.0.1.2/32 exact;
route-filter 224.0.1.3/32 exact;
route-filter 224.0.1.8/32 exact;
route-filter 224.0.1.22/32 exact;
route-filter 224.0.1.24/32 exact;
route-filter 224.0.1.25/32 exact;
route-filter 224.0.1.35/32 exact;
route-filter 224.0.1.39/32 exact;
route-filter 224.0.1.40/32 exact;
route-filter 224.0.1.60/32 exact;
route-filter 224.0.2.1/32 exact;
route-filter 224.0.2.2/32 exact;
route-filter 224.77.0.0/16 orlonger;
route-filter 225.1.2.3/32 exact;
route-filter 226.77.0.0/16 orlonger;
route-filter 229.55.150.208/32 exact;
route-filter 234.42.42.40/30 orlonger;
route-filter 234.142.142.42/31 orlonger;
route-filter 234.142.142.44/30 orlonger;
route-filter 234.142.142.48/28 orlonger;
route-filter 234.142.142.64/26 orlonger;
route-filter 234.142.142.128/29 orlonger;
route-filter 234.142.142.136/30 orlonger;
route-filter 234.142.142.140/31 orlonger;
route-filter 234.142.142.142/32 exact;
route-filter 232.0.0.0/8 orlonger;
route-filter 239.0.0.0/8 orlonger;
}
then reject;
}
term bad-sources {
from {
source-address-filter 10.0.0.0/8 orlonger;
source-address-filter 127.0.0.0/8 orlonger;
source-address-filter 172.16.0.0/12 orlonger;
source-address-filter 192.168.0.0/16 orlonger;
}
then reject;
}
term bad-planetlab {
from {
source-address-filter 198.32.154.179/32 exact;
source-address-filter 198.32.154.187/32 exact;
source-address-filter 198.32.154.195/32 exact;
source-address-filter 198.32.154.202/32 exact;
source-address-filter 198.32.154.210/32 exact;
source-address-filter 198.32.154.218/32 exact;
source-address-filter 198.32.154.226/32 exact;
source-address-filter 198.32.154.235/32 exact;
source-address-filter 198.32.154.243/32 exact;
source-address-filter 198.32.154.250/32 exact;
}
then reject;
}
term allow {
then accept;
}

I had never noticed the 'bad-planetlab' section before and I don't know
whether that's still in the current config. Perhaps it needs to be made
larger. . .

Bill.

Re: bogon SAs from UC Davis?, (continued)
- Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
  - Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
  - Re: bogon SAs from UC Davis?, Eli Dart, 02/08/2011
    - Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
      - Re: bogon SAs from UC Davis?, Eli Dart, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Laura Kristoff, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
        
        Re: bogon SAs from UC Davis? (and elsewhere), Bill Owens, 02/08/2011
        
        Re: bogon SAs from UC Davis? (and elsewhere), Alan Buxey, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Chris Costa, 02/08/2011
    - Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
      - Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Brent Sweeny, 02/08/2011
        
        RE: bogon SAs from UC Davis?, Todd Chapman, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
        
        Re: bogon SAs from UC Davis?, Eli Dart, 02/08/2011
      - Re: bogon SAs from UC Davis?, Leonard Giuliano, 02/08/2011
  - RE: bogon SAs from UC Davis?, Todd Chapman, 02/08/2011

List archive

Re: bogon SAs from UC Davis?