[dns-operations] Looking for a public blackhole/sinkhole IP address

Warren Kumari warren at kumari.net
Wed Nov 26 19:06:14 UTC 2014


On Wed, Nov 26, 2014 at 12:46 PM, Jared Mauch <jared at puck.nether.net> wrote:
>
>> On Nov 26, 2014, at 10:13 AM, Paul Wouters <paul at nohats.ca> wrote:
>>
>> http://tools.ietf.org/html/rfc6598 defines 100.64.0.0/10
>>
>>   Packets with Shared Address Space source or destination addresses
>>   MUST NOT be forwarded across Service Provider boundaries.  Service
>>   Providers MUST filter such packets on ingress links.  One exception
>>   to this paragraph's proscription is in the case of business
>>   relationships, such as hosted CGN services.
>>
>>   When running a single DNS infrastructure, Service Providers MUST NOT
>>   include Shared Address Space in zone files.  When running a split DNS
>>   infrastructure, Service Providers MUST NOT include Shared Address
>>   Space in external-facing zone files.
>>
>> So you should be fine to use it :)
>
>
> That’s certainly not the intent/purpose of the block of space any more than
> hard-coding 10.0.0.1 or some other answer like 1.1.1.1 or 1.2.3.4.

Noooooooo..... not 1.2.3.4:
route-views>sho ip bgp 1.2.3.4
BGP routing table entry for 1.2.3.0/24, version 60
Paths: (35 available, best #27, table default)
  Not advertised to any peer
  Refresh Epoch 1
  6453 15169
    66.110.0.86 from 66.110.0.86 (66.110.0.86)
      Origin IGP, localpref 100, valid, external
      rx pathid: 0, tx pathid: 0


What's wrong with 127.0.0.1? It makes it clear what the intent is, and
you don't get a much more distributed sinkhole than that...

If there really is a use case, let's try and get a block allocated,
and encourage folk to anycast -> null0 for this.
I'm kinda leery of using the AS112 addresses themselves, because the
target of this is likely to be DoS attacks and:
A: AS112 folk might not really be expecting to be hit with a few
hundred gig of garbage (yet) and
B: some ISP will nail up the routes to null, and mess up the AS112 customers.
W

>
> - Jared



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf



