wg-multicast - Re: bogon SAs from UC Davis?
Subject: All things related to multicast
List archive
- From: Eli Dart <>
- To: Todd Chapman <>
- Cc: "" <>
- Subject: Re: bogon SAs from UC Davis?
- Date: Tue, 08 Feb 2011 11:42:05 -0800
- Organization: Energy Sciences Network
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We're no longer seeing threshold alarms.
Many thanks!
--eli
On 2/8/11 11:14 AM, Todd Chapman wrote:
> We still have not heard from the PlanetLab folks, but we have blocked the
> SAs from that subnet. Let me know if anyone is still having issues with BAD
> Planetlab.
>
> Todd
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Brent Sweeny
> Sent: Tuesday, February 08, 2011 11:10 AM
> To:
>
> Cc:
>
> Subject: Re: bogon SAs from UC Davis?
>
> I forwarded this to some I2 folks who should respond.
>
> On 2/8/2011 1:31 PM, Ge Moua wrote:
>> would someone from I2 respond back about Bill's comments and if so, can
>> this be updated on I2 mcast url?
>>
>> --
>> Regards,
>> Ge Moua
>>
>> Network Design Engineer
>> University of Minnesota | OIT - NTS
>> 2218 University Ave SE
>> Minneapolis, MN 55414-3029
>> Email:
>>
>> | Office: 612.626.2779
>> --
>>
>>
>> On 2/8/11 12:26 PM, Bill Owens wrote:
>>> On Tue, Feb 08, 2011 at 10:13:51AM -0800, Eli Dart wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> we're still seeing SA thresholds kick in (we warn at 125k SAs).
>>>>
>>>> Any chance folks might be interested in putting bogon filters on MSDP?
>>>> A huge amount of this is for unallocated space....
>>> The Internet2 Visible Network configs page is not responding right
>>> now, but here's a copy of their filter from a couple of years ago:
>>>
>>> policy-statement MSDP-FILTER {
>>> term bad-groups {
>>> from {
>>> route-filter 224.0.1.2/32 exact;
>>> route-filter 224.0.1.3/32 exact;
>>> route-filter 224.0.1.8/32 exact;
>>> route-filter 224.0.1.22/32 exact;
>>> route-filter 224.0.1.24/32 exact;
>>> route-filter 224.0.1.25/32 exact;
>>> route-filter 224.0.1.35/32 exact;
>>> route-filter 224.0.1.39/32 exact;
>>> route-filter 224.0.1.40/32 exact;
>>> route-filter 224.0.1.60/32 exact;
>>> route-filter 224.0.2.1/32 exact;
>>> route-filter 224.0.2.2/32 exact;
>>> route-filter 224.77.0.0/16 orlonger;
>>> route-filter 225.1.2.3/32 exact;
>>> route-filter 226.77.0.0/16 orlonger;
>>> route-filter 229.55.150.208/32 exact;
>>> route-filter 234.42.42.40/30 orlonger;
>>> route-filter 234.142.142.42/31 orlonger;
>>> route-filter 234.142.142.44/30 orlonger;
>>> route-filter 234.142.142.48/28 orlonger;
>>> route-filter 234.142.142.64/26 orlonger;
>>> route-filter 234.142.142.128/29 orlonger;
>>> route-filter 234.142.142.136/30 orlonger;
>>> route-filter 234.142.142.140/31 orlonger;
>>> route-filter 234.142.142.142/32 exact;
>>> route-filter 232.0.0.0/8 orlonger;
>>> route-filter 239.0.0.0/8 orlonger;
>>> }
>>> then reject;
>>> }
>>> term bad-sources {
>>> from {
>>> source-address-filter 10.0.0.0/8 orlonger;
>>> source-address-filter 127.0.0.0/8 orlonger;
>>> source-address-filter 172.16.0.0/12 orlonger;
>>> source-address-filter 192.168.0.0/16 orlonger;
>>> }
>>> then reject;
>>> }
>>> term bad-planetlab {
>>> from {
>>> source-address-filter 198.32.154.179/32 exact;
>>> source-address-filter 198.32.154.187/32 exact;
>>> source-address-filter 198.32.154.195/32 exact;
>>> source-address-filter 198.32.154.202/32 exact;
>>> source-address-filter 198.32.154.210/32 exact;
>>> source-address-filter 198.32.154.218/32 exact;
>>> source-address-filter 198.32.154.226/32 exact;
>>> source-address-filter 198.32.154.235/32 exact;
>>> source-address-filter 198.32.154.243/32 exact;
>>> source-address-filter 198.32.154.250/32 exact;
>>> }
>>> then reject;
>>> }
>>> term allow {
>>> then accept;
>>> }
>>>
>>> I had never noticed the 'bad-planetlab' section before and I don't
>>> know whether that's still in the current config. Perhaps it needs to
>>> be made larger. . .
>>>
>>> Bill.
- --
Eli Dart NOC: (510) 486-7600
ESnet Network Engineering Group (AS293) (800) 333-7638
Lawrence Berkeley National Laboratory
PGP Key fingerprint = C970 F8D3 CFDD 8FFF 5486 343A 2D31 4478 5F82 B2B3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
iEYEARECAAYFAk1RnIwACgkQLTFEeF+CsrMjvwCgpTBZPxNEVVT5vvpppRqAT11y
r8IAoI5c3nmTcZ4WIpUYPGBq7tUBiEgJ
=HVxN
-----END PGP SIGNATURE-----
- Re: bogon SAs from UC Davis?, (continued)
- Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
- Re: bogon SAs from UC Davis? (and elsewhere), Bill Owens, 02/08/2011
- Re: bogon SAs from UC Davis? (and elsewhere), Alan Buxey, 02/08/2011
- Re: bogon SAs from UC Davis? (and elsewhere), Bill Owens, 02/08/2011
- Re: bogon SAs from UC Davis?, Chris Costa, 02/08/2011
- Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
- Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
- Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
- Re: bogon SAs from UC Davis?, Brent Sweeny, 02/08/2011
- RE: bogon SAs from UC Davis?, Todd Chapman, 02/08/2011
- Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
- Re: bogon SAs from UC Davis?, Eli Dart, 02/08/2011
- RE: bogon SAs from UC Davis?, Todd Chapman, 02/08/2011
- Re: bogon SAs from UC Davis?, Leonard Giuliano, 02/08/2011
- Re: bogon SAs from UC Davis?, Ge Moua, 02/08/2011
- RE: bogon SAs from UC Davis?, Todd Chapman, 02/08/2011
- Re: bogon SAs from UC Davis?, Bill Owens, 02/08/2011
Archive powered by MHonArc 2.6.16.