Resource quality assurance

APNIC recognizes that as the IANA IPv4 address space pool has been exhausted, there may be increasing community concern about the quality of the recently allocated address blocks made available for distribution. Regional Internet Registries (RIRs), such as APNIC, have no control about how addresses are administered, routed or filtered by the network operators. The routability of address space throughout the Internet can never be guaranteed by any single organization.

It is important that your technical personnel employ responsible network administration practices to protect users from abuse and security attacks, while allowing legitimate traffic to flow and reach its intended destination.

APNIC acts to minimize any routability problems through communication, training, and t esting through Resource Quality Assurance activities.


What is a bogon address?

There are different definitions available. The word bogon, when applied to the context of IP addresses, refers to the property of an IP address to be bogus.

According to Geoff Huston in his article “Hunting the bogon”, Bogon refers to “the use of an address or, more generally a route object, that is not duly authorized by the entity to which the address, or resource, was originally assigned”. Huston defines two kinds of bogon objects in the inter-domain space:

  • The advertisement of IP addresses
  • The use of Autonomous System numbers within the AS Path attribute.

The areas of unallocated address space are called bogon space. As IP addresses are allocated daily all over the world, IP addresses that are bogon today may not be bogon tomorrow, and this is especially important to consider, now that the only unallocated blocks of IPv4 left in the Asia Pacific region, are the 'Final /8' allocations.

IANA allocated address space to the RIRs, which in turn allocated and assigned that space to network operators in their respective regions. These new delegations were announced through network operators' mailing lists to ensure that operators had a chance to remove bogon filtering for addresses that have become legitimate. IANA maintains a list of allocated and reserved IPv4 address blocks for reference.

To learn more about how IANA decided which blocks were allocated to each RIR, see this blog post, written by Leo Vegoda.

Bogons are not the same as reserved and private address ranges.

 

 

Why were bogons filtered in the past?

Network operators used bogon filters trying to protect the integrity of the Internet's address space from unauthorized use. Bogon filtering was used to prevent and react against Distributed Denial of Service (DDoS) attacks and as a component of anti-spoofing filtering. Bogons were filtered by using router Access Control Lists (ACLs), or by BGP blackholing as the list of bogon addresses changes each time address blocks are allocated from IANA.
 
 

If bogon filtering was a common practice before, why are we experiencing problems associated with this now?

To ensure that addresses are not mistakenly filtered through routers, it is important that network administrators keep their routers’ ACLs updated. If the filters are not frequently updated, they could block legitimate traffic trying to enter the network. Out-of-date filters will continuously break connectivity for network users.

As Leo Vegoda (ICANN) states in this IETF document, "Now that there are no longer any unallocated IPv4 /8s, this practice is more complicated, fragile and expensive. Network administrators are advised to remove filters based on the registration status of the address space." 

 

What happens to the bogon list now that all IANA IPv4 addresses have been distributed?

This means there are no more IPv4 bogon blocks, making bogon filtering unnecessary.

 
 

Do I have to put filters on bogon or non-allocated IPv4 address blocks?

There are no unallocated blocks left in the IANA pool. The only unallocated blocks of IPv4 addresses left in the Asia Pacific region, are the 'Final /8' allocations. If you can’t commit to maintaining your filters updated on a daily basis to reflect the latest allocations, it’s best not to filter address blocks. IPv4 addresses all over the world will be fully distributed in the near future, and you don’t want to accidentally block legitimate traffic from newly distributed address blocks.

 
 

How do I confirm that my addresses are filtered?

If you think your address blocks have been filtered, it is very important to determine how your IP addresses are being blocked.

  • Are emails not reaching their intended destination?
  • Can’t access specific web services?
  • Can you identify how many sites or IP addresses are blocking you?
  • Are you using your own AS number?
  • How is your network structured?
  • How is your network announced, have you communicated with your upstream provider and peers?

This information will help you to determine where the blocking occurs, and allow your technical personnel to take appropriate steps to address the problem:

Run a traceroute to see if the new IP is consistently blocked along the same network path.  It is also advisable to test forward and reverse paths.  The use of technology like the Routing Information Service (RIS) is highly recommended to assist in identifying routing conditions for prefixes under test. RIS is a RIPE NCC project that collects and stores Internet routing data from several locations around the globe. RIS offers tools that bring analysis of this data back to the Internet community. One of the services they provide is De-Bogonising New Address Blocks allows you to test reachability and view statistics for the visibility of new address blocks over the Internet.

Do a search on your IP address and contact those organizations that appear to be blocking you.  You may be blocked by a technology called DNSBL, due to the activity of one of your customers.

Your own firewall might be blocking the new IP addresses by default, if you set up your servers to block bogon IP ranges.  To avoid blocking potential new customers, stay on top of the changes to that list as new IP ranges are continually released.

Use a looking glass service as part of the diagnostic tool set to detect network filters.

 

What is route filtering?

Network operators may choose to apply various filters to certain routes to exclude them from the local route database or to keep them from being announced at all. There are several reasons why these filters are used in current and past practices.

What is firewall filtering?

Firewalls are designed to either permit or deny network transmissions based on defined rules designed to protect networks from unauthorized access, while letting legitimate traffic through. Firewall filtering requires constant adjustments to reflect changes in security policy, threats, and address holdings. Different types of firewall solutions can be implemented and offer different benefits.

Why should you use caution when applying email filters?

Email filtering is the manual or automatic processing of incoming emails to organize them according to set criteria and removal of spam and computer viruses. Email filtering becomes problematic when a blacklisted IP address is transferred to a new network, causing inappropriate email blocking.

Can I return my address block to APNIC if reachability problems are identified?

No. You should contact the networks that are blocking your addresses and request that they remove the filter that is affecting your network traffic. Look up their contact address in the relevant RIR whois database. If the contact address is invalid, please notify the appropriate registry.

 
 

What relevant information sources should I monitor?

  • The Internet Assigned Numbers Authority (IANA) is responsible for global coordination of the Internet Protocol addressing systems, as well as the Autonomous System Numbers used for routing Internet traffic. IANA maintain comprehensive announcements of allocated address space.

  • The CIDR report is a collection of report files that summarize the allocation status of the IPv4 address space and the Autonomous Number space. The report is generated on a daily basis using the IANA registry files, the Regional Internet Registry stats files and the Regional Internet Registry whois data. The data sources and some commentary on this approach is summarized in a presentation pack.

  • The Routing Assets Database (RADB) which is operated by Merit Networks, is a public registry of routing information for networks in the Internet. Hundreds of organizations that operate networks — including ISPs, universities, and business enterprises — publicly publish, or register, their routing policy and route announcements in the RADb to facilitate the operation of the Internet. Organizations throughout the world use the information in the RADb to troubleshoot routing problems, automatically configure backbone routers, generate access lists, and perform network planning.

  • Team Cymru Research NFP is a specialized Internet security research firm and a registered United States 501(c)3 non-profit dedicated to making the Internet more secure. Team Cymru provides a bogon prefix list in a variety of formats updated daily based on the IANA list: text lists for scripts, templates for routers, DNS servers and BGP peering sessions, DNS zones to query to determine if an IP address is a bogon or not. They also produces a fullbogons feed, which list the traditional bogon prefixes plus the IP space allocated to the RIRs that has not yet be assigned by them to ISPs or other end-users, providing a more granular and enumerative view of IP space that should not appear on the Internet.

  • The 6bogon group in Japan, provide bogon reference information for IPv6 networks. This document describes filtering techniques for the border routers at xSPs developed by the 6Bogon group in Japan.

What is legacy address space?

Legacy address space refers to the address blocks allocated by the central Internet Registry (IR) prior to the Regional Internet Registries (RIRs). This address space is now administered by individual RIRs as noted, including maintenance of Whois Directories and reverse DNS records. Assignments from these blocks are distributed globally on a regional basis.