Monday, March 16, 2009

Martians and Bogons (and no, this isn't Sci-Fi)

After discovering Bogons and Martians in networks that I manage, I decided that it was time to bring more light to these devious creatures.

Let's start with the more common Martians, which are networks that should NEVER be routed on any network, with few exceptions. As a matter of fact, Juniper has them defined in Junos and you must modify the list if you need to route for any of them:
carlfugate> show route martians

inet.0:
0.0.0.0/0 exact -- allowed
0.0.0.0/8 orlonger -- disallowed
127.0.0.0/8 orlonger -- disallowed
128.0.0.0/16 orlonger -- disallowed
191.255.0.0/16 orlonger -- disallowed
192.0.0.0/24 orlonger -- disallowed
223.255.255.0/24 orlonger -- disallowed
240.0.0.0/4 orlonger -- disallowed

On one of my internet facing routers I have a protection ACL that blocks some of these. Surprisingly, some ISPs allow their customers to source packets from these subnets:
Extended IP access list 110
10 deny ip host 0.0.0.0 any (93 matches)
20 deny ip 127.0.0.0 0.255.255.255 any (53 matches)
30 deny ip 192.0.2.0 0.0.0.255 any
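As an added example (not code from the original post), here is the same martian check written out in Python: the table from "show route martians" above is applied to prefixes exactly as Junos does ("exact" matches only that route, "orlonger" matches the prefix and anything more specific inside it), and a host source address is checked as a /32 route, which is how an ingress filter sees it. The log lines are constructed for the example, and the per-entry counts mirror the ACL match counters above.

```python
import ipaddress
import re
from collections import Counter

# Martian table as printed by "show route martians" in the post (inet.0).
# "orlonger" covers the prefix and every more-specific prefix inside it;
# "exact" covers only that one route.
MARTIANS = [
    ("0.0.0.0/0", "exact", "allowed"),
    ("0.0.0.0/8", "orlonger", "disallowed"),
    ("127.0.0.0/8", "orlonger", "disallowed"),
    ("128.0.0.0/16", "orlonger", "disallowed"),
    ("191.255.0.0/16", "orlonger", "disallowed"),
    ("192.0.0.0/24", "orlonger", "disallowed"),
    ("223.255.255.0/24", "orlonger", "disallowed"),
    ("240.0.0.0/4", "orlonger", "disallowed"),
]


def martian_match(prefix):
    """Return the martian entry that disallows `prefix`, or None if it may be routed.

    A host source address is checked as a /32 route, which is how an ingress
    source filter sees it.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for entry, qualifier, verdict in MARTIANS:
        mnet = ipaddress.ip_network(entry)
        if qualifier == "exact":
            hit = net == mnet
        else:  # orlonger
            hit = net.subnet_of(mnet)
        if hit:
            return None if verdict == "allowed" else entry
    return None


# Constructed sample of iptables-style log lines (not real traffic).
SAMPLE_LOG = [
    "Mar 16 10:01:02 edge kernel: IN=eth0 SRC=0.0.0.0 DST=203.0.113.10 PROTO=UDP",
    "Mar 16 10:01:05 edge kernel: IN=eth0 SRC=127.0.0.1 DST=203.0.113.10 PROTO=TCP",
    "Mar 16 10:01:07 edge kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP",
    "Mar 16 10:01:09 edge kernel: IN=eth0 SRC=240.1.2.3 DST=203.0.113.10 PROTO=ICMP",
    "Mar 16 10:01:11 edge kernel: IN=eth0 SRC=128.0.5.5 DST=203.0.113.10 PROTO=TCP",
    "Mar 16 10:01:13 edge kernel: IN=eth0 SRC=127.200.1.1 DST=203.0.113.10 PROTO=TCP",
]

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def audit_sources(lines):
    """Count packets per martian entry, like the per-ACE match counters in the post."""
    hits = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if m is None:
            continue
        try:
            entry = martian_match(m.group(1) + "/32")
        except ValueError:  # malformed address in the log line; skip it
            continue
        if entry is not None:
            hits[entry] += 1
    return hits


if __name__ == "__main__":
    for entry, count in sorted(audit_sources(SAMPLE_LOG).items()):
        print(f"deny {entry}: {count} matches")
```

Note that 127.200.1.1 is counted under 127.0.0.0/8 just like 127.0.0.1: the whole /8 is martian, not only the single loopback host.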

Some people forget that 127/8 is totally reserved for loopback addressing and not just 127.0.0.1/32.
From RFC 3330:
127.0.0.0/8 - This block is assigned for use as the Internet host
loopback address. A datagram sent by a higher level protocol to an
address anywhere within this block should loop back inside the host.
This is ordinarily implemented using only 127.0.0.1/32 for loopback,
but no addresses within this block should ever appear on any network
anywhere [RFC1700, page 5].

If you ping any address in the 127/8 range on a Windows or *nix box, you will get a reply:
Reply from 127.0.0.1: bytes=32 time<1ms
What is a Bogon?

From Wikipedia:
"Bogon" is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space reserved, but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called "bogon space".
The term Bogon comes from hacker jargon referring to the quantum of "bogosity", which is the property of being bogus. This makes sense when you realize that packets sourced from Bogon addresses, which have not been assigned, obviously cannot be routed on the Internet.

There are networks out there that, instead of using RFC 1918 address space, used Bogons such as 100/8 for a variety of reasons (such as seeing them being used in vendor presentations) to address their network. This is becoming more of an issue as IANA is starting to run out of IP addresses that are available for assignment (I recently added a counter to my blog that shows this) and has been assigning more and more blocks that were once considered Bogons.

Why is this such a big deal? Let's say that you addressed your network in the 100/8 IP space, but tomorrow that block is assigned for use and Google gets some of those IPs for some of its new applications. When a user in your network goes to access that application, your network will look at its routing table and may find that it has a more specific route than the 0/0 or default route, and it will send the packets towards some internal host in your network instead of out to the Internet.
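To make the routing-table argument concrete, here is an added example (not part of the original post) that runs a longest-prefix-match lookup over a constructed table for a site numbered out of 100/8. The next-hop names and the 100.200.0.0/16 block that "Google" receives are hypothetical; the point is that the internal 100.0.0.0/8 route is more specific than 0/0, so traffic to the newly allocated block never leaves the site.

```python
import ipaddress

# Constructed routing table for a site that numbered itself out of 100/8
# instead of RFC 1918 space (hypothetical next-hop names).
ROUTES = [
    ("0.0.0.0/0", "isp-uplink"),
    ("100.0.0.0/8", "core-switch"),
    ("100.10.0.0/16", "datacenter"),
    ("10.1.0.0/16", "campus"),
]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, nexthop
    return best_hop


def collisions(table, allocated):
    """Internal (non-default) routes that overlap a block IANA has now handed out.

    Any route listed here will capture traffic destined for the new block.
    """
    new = ipaddress.ip_network(allocated)
    hits = []
    for prefix, _ in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen > 0 and net.overlaps(new):
            hits.append(prefix)
    return hits


if __name__ == "__main__":
    # Hypothetical: 100.200.0.0/16 is allocated and a public service lives at 100.200.1.1.
    print("100.200.1.1 ->", lookup(ROUTES, "100.200.1.1"))   # core-switch, not the uplink
    print("198.51.100.1 ->", lookup(ROUTES, "198.51.100.1")) # isp-uplink
    print("routes colliding with 100.200.0.0/16:", collisions(ROUTES, "100.200.0.0/16"))
```

Running collisions() against each newly allocated block as IANA announces it is a cheap way to see how much of your internal addressing is about to break. Adding a more specific route for the external block (for example 100.200.0.0/16 via the uplink) does make lookup() return the uplink again, which is the kind of workaround the next paragraph calls dirty: it has to be repeated for every allocation, and it still leaves internal hosts in that range unreachable.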

There are some dirty ways of routing around this but eventually it can lead to some serious problems. If you manage a network that is addressed out of any of this space I would make it a point to come up with a migration or mitigation plan for this very soon because over the next 2 years we will find that almost all of the previously Bogon space will be assigned and available for use.

You can find a list of all of the current Bogons, as well as some other really helpful tools (such as a BGP peering that you can use to block Bogons), here:

http://www.cymru.com/Documents/bogon-list.html

1 comment:

Daniel Gabarron said...

Thank you. Websites like these really help when trying to complete homework. You are appreciated.