Hi guys,
there are some "suspicious" entries in encap.txt:
route addprivate 44.131.192/29 encap 44.131.192.1
route addprivate 44.24.115.17/32 encap 44.24.115.17
There are even some other gateways listed with IP-addresses out of 44/8.
73, Jann DG8NGN
They have been removed and the owners informed. I am also putting in an additional check to ensure the tunnel endpoint is outside 44/8 as well as bogon / un-routable networks.
Thanks, Chris
On 1 Mar 2013, at 19:08, Jann Traschewski wrote:
--
Jann Traschewski, Lenbachstr. 6, D-90489 Nuernberg, Germany
Tel.: +49-911-696971, Mobile: +49-170-1045937, E-Mail: jann@gmx.de
Ham: DG8NGN / DB0VOX, http://www.qsl.net/dg8ngn
_________________________________________
44Net mailing list
44Net@hamradio.ucsd.edu
http://hamradio.ucsd.edu/mailman/listinfo/44net
http://www.ampr.org/donate.html
On Fri, Mar 01, 2013 at 08:52:09PM +0000, Chris Smith wrote:
I am also putting in an additional check to ensure the tunnel endpoint is outside 44/8 as well as bogon / un-routable networks.
When the BGP-routed subnets start supplying tunnels to their clients both the destination network and the tunnel origin endpoint will be in network 44 space. Validation will be a bit more complex.
- Brian
Maybe we need a BGP list and check against it for tunnel endpoints?
------------------------------
John D. Hays K7VE
PO Box 1223, Edmonds, WA 98020-1223
http://k7ve.org/blog
http://twitter.com/#!/john_hays
http://www.facebook.com/john.d.hays
On Fri, Mar 1, 2013 at 12:56 PM, Brian Kantor Brian@ucsd.edu wrote:
For now I have blocked most of the bogons plus 44/8 thusly:
/^(0.|10.|44.|127.|169.154.|192.168.|224.)/
When I have more time I will create a more elegant table based filter, so we can allow/deny subnets.
Regards, Chris
On 1 Mar 2013, at 20:56, Brian Kantor wrote:
For now I have blocked most of the bogons plus 44/8 thusly:
/^(0.|10.|44.|127.|169.154.|192.168.|224.)/
Isn't it 169.254. ?
When I have more time I will create a more elegant table based filter, so we can allow/deny subnets.
Maybe it is worth putting 172.16.|172.17.|...|172.31. into the list (if it will not "break" the line :D)
73, Jann
For now I have blocked most of the bogons plus 44/8 thusly:
/^(0.|10.|44.|127.|169.154.|192.168.|224.)/
Isn't it 169.254. ?
Yes, it is, typo on my part
When I have more time I will create a more elegant table based filter, so we can allow/deny subnets.
Maybe it is worth putting 172.16.|172.17.|...|172.31. into the list (if it will not "break" the line :D)
That's why I didn't bother - too much typing :-/
I will work on a better filter soon.
Chris
Here's how you would match 172.16. through 172.32.:
/^172.(1[6-9]|2[0-9]|3[0-2])./
Note that periods mean "any single character". So to refer to a literal period, you need to escape it with a backslash first. However, since every combination you're looking for ends with a period, you could just specify it once at the end.
/^(0|10|44|127|169\.254|172\.(1[6-9]|2[0-9]|3[0-2])|192\.168|224)\./
On Fri, Mar 1, 2013 at 1:41 PM, Jann Traschewski jann@gmx.de wrote:
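One way to build the table-based allow/deny filter Chris says he will write, and to cover Brian's case of endpoints that legitimately sit inside 44/8, as an added Python example that is not the gateway system's own code and not from anyone in this thread. It assumes the encap.txt line format quoted above and runs over a constructed sample file; the BGP_ANNOUNCED list is a placeholder standing in for the list of BGP-routed 44 subnets John suggests checking against. It also carries the thread's final regex with its periods escaped, narrowing the 172 alternation to 3[01] because 172.16/12 ends at 172.31, and goes beyond the thread by reporting which endpoints that regex would still let through.

```python
import ipaddress
import re

# Constructed sample in the encap.txt line format quoted in the thread. The two
# 44.x endpoints are the entries Jann flagged; the other lines are made up.
SAMPLE_ENCAP = """\
route addprivate 44.131.192/29 encap 44.131.192.1
route addprivate 44.24.115.17/32 encap 44.24.115.17
route addprivate 44.10.0/24 encap 192.168.1.5
route addprivate 44.20.0/24 encap 169.254.10.3
route addprivate 44.30.0/24 encap 203.0.113.9
route addprivate 44.40.0/24 encap 44.50.1.1
route addprivate 44.60.0/24 encap 239.1.1.1
"""

AMPR = ipaddress.ip_network("44.0.0.0/8")

# Table-based deny list standing in for the regex from the thread: bogon and
# unroutable space plus 44/8 itself. Unlike the regex it covers 169.254/16
# (not 169.154), the whole 172.16/12 block, and all of 224/4 and 240/4.
DENY = [AMPR] + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hypothetical list of 44/8 subnets announced via BGP, which may therefore
# terminate tunnels for their own clients (Brian's case). Placeholder value;
# a real check would load this from whatever registry records announcements.
BGP_ANNOUNCED = [ipaddress.ip_network("44.50.0.0/16")]

# The thread's final regex with the periods escaped as its own text recommends.
# 3[01] replaces 3[0-2]: 172.16/12 ends at 172.31, so 172.32 is not private.
THREAD_REGEX = re.compile(
    r"^(0|10|44|127|169\.254|172\.(1[6-9]|2[0-9]|3[01])|192\.168|224)\.")

LINE_RE = re.compile(
    r"^route addprivate (?P<net>\d{1,3}(?:\.\d{1,3}){0,3})/(?P<plen>\d{1,2})"
    r" encap (?P<gw>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_line(line):
    """Return (network, endpoint) for one encap.txt route line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    octets = m.group("net").split(".")
    octets += ["0"] * (4 - len(octets))   # encap.txt drops trailing zero octets
    try:
        network = ipaddress.ip_network(
            ".".join(octets) + "/" + m.group("plen"), strict=False)
        endpoint = ipaddress.ip_address(m.group("gw"))
    except ValueError:
        return None
    return network, endpoint


def endpoint_problem(gw):
    """Reason the endpoint is unacceptable, or None if it passes the table check."""
    addr = ipaddress.ip_address(gw)
    for net in DENY:
        if addr not in net:
            continue
        if net == AMPR:
            # Inside 44/8 is fine only when that space is BGP-announced.
            if any(addr in bgp for bgp in BGP_ANNOUNCED):
                return None
            return "endpoint inside 44/8 but not in a BGP-announced subnet"
        return f"endpoint in unroutable/bogon range {net}"
    return None


def check_encap(text):
    """List (line, reason) for every route whose tunnel endpoint fails validation."""
    bad = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            bad.append((line, "unparseable line"))
            continue
        reason = endpoint_problem(str(parsed[1]))
        if reason:
            bad.append((line, reason))
    return bad


def regex_misses(text):
    """Endpoints the table rejects but the thread's regex would accept."""
    misses = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and endpoint_problem(str(parsed[1])) \
                and not THREAD_REGEX.match(str(parsed[1])):
            misses.append(str(parsed[1]))
    return misses


if __name__ == "__main__":
    for line, reason in check_encap(SAMPLE_ENCAP):
        print(f"REJECT {line!r}: {reason}")
    print("regex would have accepted:", regex_misses(SAMPLE_ENCAP))
```

Run directly, it prints the rejected lines. 44.50.1.1 passes only because it falls inside the placeholder announced subnet, and 239.1.1.1 is the one the regex misses: the 224. alternative covers only the first /8 of the 224/4 multicast range, while the table entry covers all of it.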
On Fri, 1 Mar 2013, Chris Smith wrote:
They have been removed and the owners informed. I am also putting in an additional check to ensure the tunnel endpoint is outside 44/8 as well as bogon / un-routable networks.
Will it take an IPv6 address as the tunnel endpoint? :)
Antonio Querubin
e-mail: tony@lavanauts.org
xmpp: antonioquerubin@gmail.com
On Sat, Mar 2, 2013 at 10:09 PM, Antonio Querubin tony@lavanauts.org wrote:
If it cannot take a v6 address now as an endpoint, I'd hope maybe that's a feature that could be considered for addition.
Eric AF6EP
Will it take an IPv6 address as the tunnel endpoint? :)
Antonio Querubin
If it cannot take a v6 address now as an endpoint, I'd hope maybe that's a feature that could be considered for addition.
The system has been written with IPv6 in mind and can be "upgraded" fairly easily in the future; however, it currently does not accept an IPv6 address as an endpoint.
Regards, Chris
Not that it's a big problem, but since 'unsticking' the encap.txt 'send on change', I've been getting several messages a day with the only change being the $Id timestamp.
It's not causing any problems; just letting you know. It's *way* better than not getting it at all :-)
-Gary
I also began getting a barrage of emails, so I simply reset to weekly notification, for no other reason than to get a sense of the size of the encap file to see if it is growing or shrinking significantly.
~Ken KD6OAT
On Mar 12, 2013, at 1:23 PM, Gary Oliver go@wa7shi.us wrote:
Not that it's a big problem, but since 'unsticking' the encap.txt 'send on change', I've been getting several messages a day with the only change being the $Id timestamp.
It's not causing any problems; just letting you know. It's *way* better than not getting it at all :-)
Yes, currently a "change" is any time someone saves their gateway, even if they changed nothing and just hit the "Save" button. I will add to my TODO list (fairly low down) to do a diff on the data and update the changed flag only if something has actually changed.
Chris
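The diff Chris has in mind, as an added Python example that is not the gateway system's code: strip the volatile $Id line, hash what is left, and set the changed flag only when the hash differs, so a plain re-save no longer triggers a "send on change" mail. The three snapshots are constructed, and the layout of the $Id line is an assumption, since the thread only mentions that its timestamp changes; the code keys on the substring "$Id:" alone.

```python
import hashlib

# Constructed encap.txt snapshots. The $Id line is assumed to be an RCS-style
# keyword comment; its exact layout is not shown in the thread, and only the
# substring "$Id:" is used to recognise it. The endpoints are documentation
# addresses, not real gateways.
OLD = """\
# $Id: encap.txt,v 1.1 2013/03/12 18:00:00 placeholder Exp $
route addprivate 44.131.192/29 encap 203.0.113.9
route addprivate 44.24.115/24 encap 198.51.100.4
"""

# Same routes, saved again without edits: only the $Id line moved on.
RESAVED = """\
# $Id: encap.txt,v 1.2 2013/03/12 20:23:00 placeholder Exp $
route addprivate 44.131.192/29 encap 203.0.113.9
route addprivate 44.24.115/24 encap 198.51.100.4
"""

# One gateway actually changed its endpoint.
EDITED = """\
# $Id: encap.txt,v 1.3 2013/03/13 09:00:00 placeholder Exp $
route addprivate 44.131.192/29 encap 203.0.113.9
route addprivate 44.24.115/24 encap 198.51.100.77
"""


def normalize(text):
    """Route lines with the volatile $Id line, blank lines and trailing space removed."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and "$Id:" not in ln]


def content_digest(text):
    """SHA-256 over the normalized content, so two saves with identical routes match."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()


def route_changes(old, new):
    """Return (changed, added, removed).

    changed comes from the digest comparison; added/removed are the route lines
    that differ as sets, so they stay empty if only the ordering changed.
    """
    old_lines, new_lines = set(normalize(old)), set(normalize(new))
    return (content_digest(old) != content_digest(new),
            sorted(new_lines - old_lines), sorted(old_lines - new_lines))


def should_notify(old, new):
    """The 'send on change' flag: true only when the digest differs, not on every save."""
    return route_changes(old, new)[0]


if __name__ == "__main__":
    print("re-save triggers mail:", should_notify(OLD, RESAVED))
    changed, added, removed = route_changes(OLD, EDITED)
    print("edit triggers mail:", changed)
    print("added:", added)
    print("removed:", removed)
```

Storing the last digest alongside the file is enough state to implement this; the added/removed lists are what a subscriber would actually want in the notification instead of the whole file.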