
Mailing List Archive: nsp: juniper

JUNOS and 128.0.0.0 martian (JFYI)

 

 



timamaryin at mail

Oct 10, 2011, 5:39 AM

Post #1 of 21 (10410 views)
Permalink
JUNOS and 128.0.0.0 martian (JFYI)

Hello!


Recently RIPE NCC started to allocate addresses from 128/8 to end users,
example:

https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html


Junos software (up to and including 11.1) blocks those addresses by default:

> show route martians

inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed


In fact there will be no connectivity for new addresses and Juniper
routers all around the world unless people change default behavior or
Juniper changes default settings for martians.

I think it's time to do it; I've just opened a JTAC case about it.



p.s. set routing-options martians 128.0.0.0/16 orlonger allow
fixes it.
_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


juniper-nsp at grahambrown

Oct 10, 2011, 6:17 AM

Post #2 of 21 (10180 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

Hello Tima,

Thank you for making me aware of this and raising this with JTAC, I am sure
that this would be deemed as critical and an easy fix. If you get allocated
a PR, could you please share this with the group so we can monitor the
progress and get a heads up on what releases contain the fix. I am sure that
this will get flagged as a fix rather than a feature request, which would
generally follow a longer path for implementation.

Thank you,
Graham



juniper-nsp at ml

Oct 10, 2011, 6:23 AM

Post #3 of 21 (10175 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

* Tima Maryin <timamaryin [at] mail> [2011-10-10 14:41]:
> Hello!
>
>
> Recently RIPE NCC started to allocate addresses from 128/8 to end
> users, example:
>
> https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html
>
>
> Junos software (up to and including 11.1) blocks those addresses by default:

If you have a case open with JTAC tell them to remove 191.255.0.0/16
as well. That block is no longer reserved.

Regards,

Sebastian

--
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant


jgoodwin at studio442

Oct 10, 2011, 6:53 AM

Post #4 of 21 (10178 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On 10/10/11 23:39, Tima Maryin wrote:
> Hello!
>
>
> Recently RIPE NCC started to allocate addresses from 128/8 to end users,
> example:
>
> https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html

> inet.0:
> 128.0.0.0/16 orlonger -- disallowed

It's only the first /16, so not a huge problem, although I'm amazed that
RIPE didn't do reachability testing (APNIC are almost certainly the best
at this, see their reports for 1/8 for example). There's more than
enough Junipers out there to cause massive issues if they'd tested.


dr at cluenet

Oct 10, 2011, 7:26 AM

Post #5 of 21 (10171 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On Mon, Oct 10, 2011 at 03:23:48PM +0200, Sebastian Wiesinger wrote:
> > Recently RIPE NCC started to allocate addresses from 128/8 to end
> > users, example:
> >
> > https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html
> >
> > Junos software (up to and including 11.1) blocks those addresses by default:
>
> If you have a case open with JTAC tell them to remove 191.255.0.0/16
> as well. That block is no longer reserved.

Same goes for 223.255.255.0/24

Reference: RFC5735

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr [at] cluenet -- dr [at] IRCne -- PGP: 0xA85C8AA0


t.nalkhande.bmc at mobily

Oct 10, 2011, 11:19 AM

Post #6 of 21 (10182 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

So with 128/16 going live, Juniper may also additionally need to change their internal addressing!

re0> show interfaces em1 terse
Interface               Admin Link Proto    Local                 Remote
em1                     up    up
em1.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2      <<--
                                            128.0.0.4/2      <<--

MX96-01_re0> show interfaces em0 terse
Interface               Admin Link Proto    Local                 Remote
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2      <<--
                                            128.0.0.4/2      <<--

re0> show route 128.0.0.0/2 table __juniper_private1__.inet.0
__juniper_private1__.inet.0: 6 destinations, 10 routes (4 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

128.0.0.0/2        *[Direct/0] 31w6d 05:05:46
                    > via em0.0
                    [Direct/0] 31w6d 05:05:46
                    > via em0.0
                    [Direct/0] 31w6d 05:05:46
                    > via em1.0
                    [Direct/0] 31w6d 05:05:46
                    > via em1.0

Thanks & Regards
Tarique Abbas Nalkhande



jf at probe-networks

Oct 10, 2011, 11:43 AM

Post #7 of 21 (10170 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

To whomever opened a PR about this:

It has been posted on the amsix mailing list that juniper also needs to
change internal addressing because of the issue with 128.0.0.0/16 as
addresses of this space are used internally within JunOS (see below).
Please add this to the PR so it gets fixed.


re0> show interfaces em1 terse
Interface               Admin Link Proto    Local                 Remote
em1                     up    up
em1.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2      <<--
                                            128.0.0.4/2      <<--

MX96-01_re0> show interfaces em0 terse
Interface               Admin Link Proto    Local                 Remote
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2      <<--
                                            128.0.0.4/2      <<--

re0> show route 128.0.0.0/2 table __juniper_private1__.inet.0
__juniper_private1__.inet.0: 6 destinations, 10 routes (4 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

128.0.0.0/2        *[Direct/0] 31w6d 05:05:46
                    > via em0.0
                    [Direct/0] 31w6d 05:05:46
                    > via em0.0
                    [Direct/0] 31w6d 05:05:46
                    > via em1.0
                    [Direct/0] 31w6d 05:05:46
                    > via em1.0


Am Montag, den 10.10.2011, 16:26 +0200 schrieb Daniel Roesen:
> On Mon, Oct 10, 2011 at 03:23:48PM +0200, Sebastian Wiesinger wrote:
> > > Recently RIPE NCC started to allocate addresses from 128/8 to end
> > > users, example:
> > >
> > > https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html
> > >
> > > Junos software (up to and including 11.1) blocks those addresses by default:
> >
> > If you have a case open with JTAC tell them to remove 191.255.0.0/16
> > as well. That block is no longer reserved.
>
> Same goes for 223.255.255.0/24
>
> Reference: RFC5735
>
> Best regards,
> Daniel
>


tarko at lanparty

Oct 10, 2011, 12:11 PM

Post #8 of 21 (10207 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

hey,

> It has been posted on the amsix mailing list that juniper also needs to
> change internal addressing because of the issue with 128.0.0.0/16 as
> addresses of this space are used internally within JunOS (see below).

It's worse. Example from SRX cluster:

show interfaces terse | match "^(fab|fxp1).*inet"
fab0.0                  up    up   inet     30.17.0.200/24
fab1.0                  up    up   inet     30.18.0.200/24
fxp1.0                  up    up   inet     129.16.0.1/2

Luckily none of the routes in __juniper__private__ tables interferes with transit traffic. Same cannot be said for martians.

--
tarko


paul at paulstewart

Oct 10, 2011, 12:19 PM

Post #9 of 21 (10174 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

Pardon me for asking this...

But those routes are in "private tables"... does this really mean that
Juniper is going to block the traffic when it doesn't see it in inet.0?
If it does actually block it (meaning someone has proven this out) then
that's kinda scary...

Apologies if I missed something earlier in a thread and my questions were
already answered...;)

Paul




t.nalkhande.bmc at mobily

Oct 10, 2011, 12:44 PM

Post #10 of 21 (10162 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

Keeping away technical constraints (needs to be evaluated, if any); in a simple way, why would one want to use a public IP range for its internal addressing?

Thanks & Regards
Tarique Abbas Nalkhande





paul at paulstewart

Oct 10, 2011, 12:49 PM

Post #11 of 21 (10219 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

I'm not disagreeing with that at all ... just seemed implied somewhere that
this could have operational impact and I was questioning why/how?

As the private intercommunication within a Juniper box is in a private
table, I don't believe it should be viewed as "public vs private" as that IP
addressing can never be reached publicly anyways .... but as it does
belong to a "routing table" I can see a strong need to follow standards
based IP assignments instead of arbitrarily picking an IP range ....

Best regards,

Paul






timamaryin at mail

Oct 10, 2011, 12:59 PM

Post #12 of 21 (10179 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On 10.10.2011 22:43, Jonas Frey (Probe Networks) wrote:
> To whomever opened a PR about this:
>
> It has been posted on the amsix mailing list that juniper also needs to
> change internal addressing because of the issue with 128.0.0.0/16 as
> addresses of this space are used internally within JunOS (see below).
> Please add this to the PR so it gets fixed.



I don't see any problem with it since it's different routing table.


Graham, as long as I get PR I'll post it here.

Sebastian, I just told them to consider all those prefixes from RFC5735
which obsoletes RFC3330.


v.blazhkun at gmail

Oct 10, 2011, 1:59 PM

Post #13 of 21 (10169 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

+1. I guess nobody cares about intersecting address spaces in typical
BGP L3VPNs, why to discuss router's internals then?

Just my .02$.

With best regards,
Vladimir Blazhkun.

On Mon, Oct 10, 2011 at 23:59, Tima Maryin <timamaryin [at] mail> wrote:

> I don't see any problem with it since it's different routing table.


mtinka at globaltransit

Oct 10, 2011, 7:04 PM

Post #14 of 21 (10143 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On Tuesday, October 11, 2011 03:49:33 AM Paul Stewart wrote:

> As the private intercommunication within a Juniper box is
> in a private table, I don't believe it should be viewed
> as "public vs private" as that IP addressing can never
> be reached publicly anyways ....

That's where I don't have absolute confidence anymore.

With the kinds of bugs we've seen (for instance, firewalls
not actually blocking ports they're configured to block), it
wouldn't surprise me if some piece of software suddenly
causes routes to leak between routing tables without any
deliberate operator input.

Mark.


mtinka at globaltransit

Oct 10, 2011, 7:04 PM

Post #15 of 21 (10136 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On Tuesday, October 11, 2011 04:59:54 AM Vladimir Blazhkun
wrote:

> +1. I guess nobody cares about intersecting address
> spaces in typical BGP L3VPNs, why to discuss router's
> internals then?

See my previous post.

That's why even with l3vpn's in our environment, we still
stick to private address space when addressing PE-CE links.

Routers have broken in strange ways, and things you've
expected should never happen still do! That's why even
though numbering PE-CE links with public addresses would be
ideal, things could escalate if those routes were to leak
into the global table.

Mark.


timamaryin at mail

Oct 12, 2011, 12:59 AM

Post #16 of 21 (10085 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On 10.10.2011 16:39, Tima Maryin wrote:

> Recently RIPE NCC started to allocate addresses from 128/8 to end users,
> example:
>
> https://apps.db.ripe.net/whois/lookup/ripe/inetnum/128.0.0.0-128.0.7.255.html


skip


> p.s. set routing-options martians 128.0.0.0/16 orlonger allow
> fixes it.



Couple updates about it.

martians are per table in Junos, so if you run internet in vrf (yes,
there are such people!) you need to use that command per routing instance.

RIPE NCC was made aware of this issue and now reallocates blocks to those
who got addrs from 128.0.0.0/16


timamaryin at mail

Oct 13, 2011, 2:17 AM

Post #17 of 21 (9986 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On 10.10.2011 17:17, Graham Brown wrote:
> Hello Tima,
>
> Thank you for making me aware of this and raising this with JTAC, I am
> sure that this would be deemed as critical and an easy fix. If you get
> allocated a PR, could you please share this with the group so we can
> monitor the progress and get a heads up on what releases contain the
> fix. I am sure that this will get flagged as a fix rather than a feature
> request, which would generally follow a longer path for implementation.



The PR is 698121 (not publicly available yet).

I've been told that they will include a fix for it in all active main
and service releases including 9.3.

It will include 191.255.0.0/16 and 223.255.255.0/24 also.


And expect bulletin about it soon.


juniper-nsp at grahambrown

Oct 13, 2011, 6:40 AM

Post #18 of 21 (9966 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

Thanks for the update Tima, I'll distribute this internally - thank you.



ssiva1086 at gmail

Oct 13, 2011, 9:18 PM

Post #19 of 21 (9965 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

The PR was opened to alter the default martian table, and the PR is
public now. Even though we have a workaround, the customer wants future Junos
releases to have the updated martian table.

Workaround:

set routing-options martians 128.0.0.0/16 orlonger allow
set routing-options martians 191.255.0.0/16 orlonger allow
set routing-options martians 223.255.255.0/24 exact allow

--
Thanks,
Siva
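
Added example (not from any poster in this thread and not Juniper code): a Python model of the martian check discussed above, fed with the "show route martians" output from the first post and the workaround commands. Assumptions: the most specific applicable entry decides, only the "exact" and "orlonger" match types are modelled, the 191.255.0.0/16 and 223.255.255.0/24 default entries are constructed from the workaround lines, and the routing-instance table name INTERNET.inet.0 is hypothetical.

```python
import ipaddress

# Entries as printed by "show route martians" in the first post. The last two
# lines are constructed: the thread names these prefixes but shows them only
# in the workaround commands, whose match types are reused here.
SHOW_ROUTE_MARTIANS = """\
inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
223.255.255.0/24 exact -- disallowed
"""

# Workaround commands quoted from the thread.
WORKAROUND = """\
set routing-options martians 128.0.0.0/16 orlonger allow
set routing-options martians 191.255.0.0/16 orlonger allow
set routing-options martians 223.255.255.0/24 exact allow
"""


def parse_martians(text):
    """Parse 'show route martians' text into {table: {(network, match): allowed}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):                      # table header, e.g. "inet.0:"
            current = tables.setdefault(line[:-1], {})
            continue
        if current is None:
            raise ValueError("entry before any table header: %r" % line)
        prefix, match, _dashes, action = line.split()
        current[(ipaddress.ip_network(prefix), match)] = action == "allowed"
    return tables


def apply_workaround(entries, commands):
    """Return a copy of one table's entries with the 'set ... martians' lines applied."""
    updated = dict(entries)
    for line in commands.splitlines():
        words = line.split()
        if words[:3] == ["set", "routing-options", "martians"] and len(words) == 6:
            prefix, match, action = words[3:]
            updated[(ipaddress.ip_network(prefix), match)] = action == "allow"
    return updated


def covers(network, match, route):
    """True if a martian entry (network + match type) applies to the route."""
    if match == "exact":
        return route == network
    if match == "orlonger":
        return route.subnet_of(network)             # equal or more specific
    raise ValueError("match type not modelled here: %s" % match)


def is_accepted(entries, route):
    """Assumed model: the most specific applicable entry decides; no entry = accept."""
    route = ipaddress.ip_network(route)
    hits = [(net.prefixlen, allowed)
            for (net, match), allowed in entries.items()
            if covers(net, match, route)]
    return max(hits, key=lambda h: h[0])[1] if hits else True


def rejected_routes(tables, routes):
    """Map each table name to the routes its martian list would drop."""
    return {name: [r for r in routes if not is_accepted(entries, r)]
            for name, entries in tables.items()}


def demo():
    tables = parse_martians(SHOW_ROUTE_MARTIANS)
    # Hypothetical VRF carrying Internet routes; it starts with the same
    # defaults and, per the thread, needs the workaround applied separately.
    tables["INTERNET.inet.0"] = dict(tables["inet.0"])
    tables["inet.0"] = apply_workaround(tables["inet.0"], WORKAROUND)
    routes = ["128.0.0.0/21", "128.1.0.0/16", "191.255.0.0/16",
              "223.255.255.0/24", "127.0.0.0/8", "0.0.0.0/0"]
    return rejected_routes(tables, routes)


if __name__ == "__main__":
    for table, dropped in demo().items():
        print(table, "drops", dropped)
```

Running it prints the routes each table would still drop: the table without the workaround keeps rejecting 128.0.0.0/21, while 128.1.0.0/16 is accepted in both because only the first /16 is listed.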


ssiva1086 at gmail

Oct 17, 2011, 9:48 PM

Post #20 of 21 (10023 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

We have a PSN (PSN-2011-10-393) released for this.

Thanks,
Siva

On Sat, Oct 15, 2011 at 12:42 AM, Nicholas Oas <nicholas.oas [at] gmail> wrote:

> Tima, Siva-
>
> Thank you for bringing this to the attention of the community, and for all
> the updates!
>
> -Nicholas
>
> On Fri, Oct 14, 2011 at 12:18 AM, MSusiva <ssiva1086 [at] gmail> wrote:
>
>> *The PR was opened to alter the default martian table and also the PR is
>>
>> public now. Even though we have workaround, customer wants the future
>> junos
>> releases have the updated martian table.
>>
>> Workaround:
>>
>> set routing-options martians 128.0.0.0/16 orlonger allow
>> set routing-options martians 191.255.0.0/16 orlonger allow
>> set routing-options martians 223.255.255.0/24 exact allow*
>>
>> --
>> Thanks,
>> Siva
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp [at] puck
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>


snar at snar

Nov 29, 2011, 3:12 AM

Post #21 of 21 (9601 views)
Permalink
Re: JUNOS and 128.0.0.0 martian (JFYI) [In reply to]

On Wed, Oct 12, 2011 at 11:59:14AM +0400, Tima Maryin wrote:
>
> RIPE NCC was made aware of this issue and now reallocates blocks to those
> who got addrs from 128.0.0.0/16

One more update on this topic: RIPE started debogonisation for
128.0.0.0/16, so it looks like this network will be allocated
again in the future:

route: 128.0.0.0/21
descr: RIPE-NCC-RIS debogon prefix
origin: AS12654
pingable: 128.0.0.1

I hope all networks will implement advice from PSN-2011-10-393
before this happens.

--
In theory, there is no difference between theory and practice.
But, in practice, there is.

