
wg-multicast - Re: bogon SAs from UC Davis?

Subject: All things related to multicast

  • From: Ge Moua
  • To: Todd Chapman
  • Subject: Re: bogon SAs from UC Davis?
  • Date: Tue, 08 Feb 2011 13:19:36 -0600
  • Organization: University of Minnesota

looks better now; SAs from your AS way down.

--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
2218 University Ave SE
Minneapolis, MN 55414-3029
Office: 612.626.2779
--


On 2/8/11 1:14 PM, Todd Chapman wrote:
We still have not heard from the PlanetLab folks, but we have blocked the SAs
from that subnet. Let me know if anyone is still having issues with BAD
Planetlab.

Todd

-----Original Message-----
From: On Behalf Of Brent Sweeny
Sent: Tuesday, February 08, 2011 11:10 AM
Subject: Re: bogon SAs from UC Davis?

I forwarded this to some I2 folks who should respond.

On 2/8/2011 1:31 PM, Ge Moua wrote:
would someone from I2 respond back about Bill's comments and if so, can
this be updated on I2 mcast url?

--
Regards,
Ge Moua

Network Design Engineer
University of Minnesota | OIT - NTS
2218 University Ave SE
Minneapolis, MN 55414-3029
Office: 612.626.2779
--


On 2/8/11 12:26 PM, Bill Owens wrote:
On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:

we're still seeing SA thresholds kick in (we warn at 125k SAs).

Any chance folks might be interested in putting bogon filters on MSDP?
A huge amount of this is for unallocated space....

The Internet2 Visible Network configs page is not responding right
now, but here's a copy of their filter from a couple of years ago:

policy-statement MSDP-FILTER {
    term bad-groups {
        from {
            route-filter 224.0.1.2/32 exact;
            route-filter 224.0.1.3/32 exact;
            route-filter 224.0.1.8/32 exact;
            route-filter 224.0.1.22/32 exact;
            route-filter 224.0.1.24/32 exact;
            route-filter 224.0.1.25/32 exact;
            route-filter 224.0.1.35/32 exact;
            route-filter 224.0.1.39/32 exact;
            route-filter 224.0.1.40/32 exact;
            route-filter 224.0.1.60/32 exact;
            route-filter 224.0.2.1/32 exact;
            route-filter 224.0.2.2/32 exact;
            route-filter 224.77.0.0/16 orlonger;
            route-filter 225.1.2.3/32 exact;
            route-filter 226.77.0.0/16 orlonger;
            route-filter 229.55.150.208/32 exact;
            route-filter 234.42.42.40/30 orlonger;
            route-filter 234.142.142.42/31 orlonger;
            route-filter 234.142.142.44/30 orlonger;
            route-filter 234.142.142.48/28 orlonger;
            route-filter 234.142.142.64/26 orlonger;
            route-filter 234.142.142.128/29 orlonger;
            route-filter 234.142.142.136/30 orlonger;
            route-filter 234.142.142.140/31 orlonger;
            route-filter 234.142.142.142/32 exact;
            route-filter 232.0.0.0/8 orlonger;
            route-filter 239.0.0.0/8 orlonger;
        }
        then reject;
    }
    term bad-sources {
        from {
            source-address-filter 10.0.0.0/8 orlonger;
            source-address-filter 127.0.0.0/8 orlonger;
            source-address-filter 172.16.0.0/12 orlonger;
            source-address-filter 192.168.0.0/16 orlonger;
        }
        then reject;
    }
    term bad-planetlab {
        from {
            source-address-filter 198.32.154.179/32 exact;
            source-address-filter 198.32.154.187/32 exact;
            source-address-filter 198.32.154.195/32 exact;
            source-address-filter 198.32.154.202/32 exact;
            source-address-filter 198.32.154.210/32 exact;
            source-address-filter 198.32.154.218/32 exact;
            source-address-filter 198.32.154.226/32 exact;
            source-address-filter 198.32.154.235/32 exact;
            source-address-filter 198.32.154.243/32 exact;
            source-address-filter 198.32.154.250/32 exact;
        }
        then reject;
    }
    term allow {
        then accept;
    }
}

I had never noticed the 'bad-planetlab' section before and I don't
know whether that's still in the current config. Perhaps it needs to
be made larger. . .

Bill.
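
Added example (not part of the original thread, and not Internet2's or any poster's code): a small Python model of how the quoted policy's terms would classify the (source, group) pair of an MSDP SA. The function names, the trimmed POLICY subset and the simplified match model (longest-prefix lookup, then the exact/orlonger type, with SA addresses treated as /32s) are assumptions made for illustration.

```python
import ipaddress
import re

# Subset of the MSDP-FILTER terms quoted in the thread, trimmed for length.
POLICY = """
term bad-groups { from {
    route-filter 224.0.1.39/32 exact;
    route-filter 239.0.0.0/8 orlonger;
} then reject; }
term bad-sources { from {
    source-address-filter 10.0.0.0/8 orlonger;
} then reject; }
term bad-planetlab { from { source-address-filter 198.32.154.179/32 exact; } then reject; }
term allow { then accept; }
"""
TOKEN = re.compile(r"term (\S+) \{|(route-filter|source-address-filter) (\S+) "
                   r"(exact|orlonger);|then (accept|reject);")

def parse_policy(text):
    """Return [[term_name, [(kind, network, match_type)], action], ...] in config order."""
    terms = []
    for name, kind, prefix, mtype, action in TOKEN.findall(text):
        if name:
            terms.append([name, [], None])
        elif kind:
            terms[-1][1].append((kind, ipaddress.ip_network(prefix), mtype))
        else:
            terms[-1][2] = action
    return terms

def term_matches(filters, source, group):
    """Assumed model: per filter kind, longest-prefix lookup, then that entry's match type."""
    for kind, addr in (("route-filter", group), ("source-address-filter", source)):
        nets = [(n, t) for k, n, t in filters if k == kind]
        hits = [(n, t) for n, t in nets if addr in n]
        if nets and not hits:
            return False          # the term constrains this field and no entry covers it
        if hits:
            net, mtype = max(hits, key=lambda h: h[0].prefixlen)
            if mtype == "exact" and net.prefixlen != 32:
                return False      # an SA address is a /32, so only a /32 entry is "exact"
    return True                   # a term with no "from" (allow) matches everything

def evaluate(terms, source, group):
    """First matching term decides; returns (action, term_name)."""
    src, grp = ipaddress.ip_address(source), ipaddress.ip_address(group)
    for name, filters, action in terms:
        if term_matches(filters, src, grp):
            return action, name
    return "no-match", None
```

With constructed inputs, evaluate(parse_policy(POLICY), "198.32.154.180", "233.252.0.1") returns ("accept", "allow"): the planetlab entries are exact /32s, so a neighbouring host in the same subnet is not caught. A source outside the private and loopback ranges listed in bad-sources, such as the documentation address 192.0.2.10, is accepted the same way.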


