Andree Toonk Blog

Both Europe and Asia out of IPv4 addresses

Today RIPE NCC, the Regional Internet Registry for Europe, the Middle East and parts of Central Asia, started allocating IPv4 addresses from the last available /8.

This means it's getting really hard to get IPv4 address space in Europe. An ISP may receive the maximum of one /22 allocation (1,024 IPv4 addresses), even if they can justify a larger allocation. This /22 allocation will only be made to LIRs if they have already received an IPv6 allocation from an upstream LIR or the RIPE NCC.

APNIC (Asia Pacific region) started allocating from its last /8 last year.

This means that rolling out a new ISP, data centre or wireless network (LTE, 4G, Wi-Fi) based on IPv4 is basically becoming impossible if you don't already have the IPv4 space.

In North America, ARIN still has 3 /8s and is expected to run out somewhere in the summer of 2013.
Time to move to IPv6!

Egypt falls off the Internet

I originally posted this on my blog at bgpmon.net, and it was later also published on circleid.com.
Several other media have used my quotes to report on this subject. Some examples:

Different media are reporting that Internet and other forms of electronic communications are being disrupted in Egypt, presumably after a government order in response to the protests. Looking at BGP data, we can confirm that according to our analysis 88% of the ‘Egyptian Internet’ has fallen off the Internet. In this post I’ll share some observations I made with regards to the reachability of Egyptian networks and providers.

What’s different in this case as compared to other ‘similar’ cases is that all of the major ISPs seem to be almost completely offline, whereas in other cases social media sites such as Facebook and Twitter were typically blocked. In this case the government seems to be taking a shotgun approach by ordering ISPs to stop routing all networks.

Networks affected


When looking at the data it’s clear that many Egyptian networks have fallen off the Internet. Let’s start by looking at a quick summary. Yesterday there were 2903 Egyptian networks, originated from 52 ISPs. Transit was provided via 45 unique ISPs.
Today at 2am UTC the numbers look quite different: there were only 327 Egyptian networks left on the Internet. These were originated by 26 ISPs.
So 88% of the Egyptian networks are unreachable!

 

|             | Num of prefixes | Num of origin ASNs |
|-------------|-----------------|--------------------|
| 27-Jan      | 2903            | 52                 |
| 28-Jan      | 327             | 26                 |
| Disappeared | 2576            | 26                 |

Below you'll find a table with the top 10 providers in Egypt. It shows how many Egyptian networks were announced earlier this week and how many are reachable today.

As you can see in the table below, right now most autonomous systems (ISPs) are no longer announcing any prefixes or, at the very least, are announcing significantly fewer prefixes.

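| Prefixes today | Prefixes earlier this week | Origin AS | Provider name        |
|----------------|----------------------------|-----------|----------------------|
| 20             | 775                        | 8452      | TE-AS TE-AS          |
| 0              | 774                        | 24863     | LINKdotNET-AS        |
| 113            | 676                        | 36992     | ETISALAT-MISR        |
| 0              | 217                        | 24835     | RAYA Telecom — Egypt |
| 0              | 102                        | 5536      | Internet-Egypt       |
| 85             | 83                         | 20928     | Noor Data Networks   |
| 0              | 41                         | 36935     | Vodafone-EG          |
| 23             | 36                         | 15475     | Nile Online          |
| 14             | 28                         | 8524      | eg-auc               |
| 0              | 25                         | 6127      | IDSC                 |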

Interestingly the only provider that doesn't seem to be impacted by this is AS20928 (Noor Data Networks).

Below is the list of providers that are still announcing networks (based on routeviews data):

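| Network | Name                                | Number of routes |
|---------|-------------------------------------|------------------|
| AS36992 | Etisalat-Misr                       | 104              |
| AS20928 | Noor Data Networks                  | 83               |
| AS24835 | RAYA Telecom — Egypt                | 38               |
| AS15475 | Nile Online                         | 23               |
| AS8524  | AUCEGYPT                            | 14               |
| AS2561  | Egyptian Universities Network (EUN) | 14               |
| AS8452  | TE-AS TE-AS                         | 12               |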

By looking at some Egyptian websites and looking at when they became unreachable we are able to determine when the problem started.

At this point egypt.gov.eg is offline. Its network, 81.21.104.0/24, was withdrawn on January 27th at 22:28 UTC. Another example is www.ahram.org.eg, an Egyptian newspaper. Its network, 196.219.246.0/24, became unreachable at the exact same time, January 27th at 22:28 UTC.

Update (Jan 28 6:36 PM UTC) – At this point only 239 Egyptian networks are reachable, which means that 91% of the Egyptian routes are unreachable. Noor networks remains the only provider that seems to be unaffected by this. Vodafone has confirmed on their website that they have been instructed to shut down services in parts of the country.
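
The before/after comparison used in this post can be reproduced from any two routing table snapshots. The sketch below is an added example, not BGPmon's own code: the routes are constructed (documentation prefixes and documentation ASNs), and the function names and alert thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed snapshots ("prefix origin_asn" per line). Documentation prefixes
# (RFC 5737) and documentation ASNs (RFC 5398); not real measurement data.
BEFORE = """
192.0.2.0/26      64501
192.0.2.64/26     64501
192.0.2.128/26    64501
192.0.2.192/26    64501
198.51.100.0/25   64502
198.51.100.128/25 64502
203.0.113.0/26    64503
203.0.113.64/26   64503
203.0.113.128/26  64503
203.0.113.192/26  64504
"""
AFTER = """
192.0.2.0/26      64501
203.0.113.192/26  64504
"""


def parse_snapshot(text):
    """Parse 'prefix origin_asn' lines into a set of (network, asn) routes."""
    routes = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            prefix, asn = line.split()
            routes.add((ipaddress.ip_network(prefix), int(asn)))
    return routes


def compare_snapshots(before, after):
    """Summarise which prefixes and origin ASNs disappeared between snapshots."""
    pfx_before = {p for p, _ in before}
    pfx_after = {p for p, _ in after}
    by_origin_before = Counter(asn for _, asn in before)
    by_origin_after = Counter(asn for _, asn in after)
    withdrawn = pfx_before - pfx_after
    pct = round(100.0 * len(withdrawn) / len(pfx_before), 1) if pfx_before else 0.0
    return {
        "prefixes_before": len(pfx_before),
        "prefixes_after": len(pfx_after),
        "pct_withdrawn": pct,
        "origins_before": len(by_origin_before),
        "origins_after": len(by_origin_after),
        # Origins that no longer announce anything at all.
        "silent_origins": sorted(set(by_origin_before) - set(by_origin_after)),
        # (asn, routes before, routes after), largest origin first.
        "per_origin": sorted(
            ((a, n, by_origin_after.get(a, 0)) for a, n in by_origin_before.items()),
            key=lambda row: (-row[1], row[0]),
        ),
    }


def is_multi_origin_withdrawal(report, min_pct=50.0, min_origins=2):
    """True when most prefixes vanished AND several origins shrank, which
    separates a region-wide event from a single provider's outage."""
    shrunk = [a for a, was, now in report["per_origin"] if now < was]
    return report["pct_withdrawn"] >= min_pct and len(shrunk) >= min_origins


if __name__ == "__main__":
    report = compare_snapshots(parse_snapshot(BEFORE), parse_snapshot(AFTER))
    for asn, was, now in report["per_origin"]:
        print(f"AS{asn}: {was} -> {now}")
    print(report["pct_withdrawn"], "% withdrawn;", report["silent_origins"])
```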

Issues with allocating from 1.0.0.0 as the IPv4 Free Pool Drops Below 10%

The Number Resource Organization (NRO), the official representative of the five Regional Internet Registries (RIRs) that oversee the allocation of all Internet number resources, announced last week that less than 10 percent of available IPv4 addresses remain unallocated. This small pool of existing IP addresses marks a critical moment in IPv4 address exhaustion, ultimately impacting the future network operations of all businesses and organizations around the globe.

In the same week it was announced that IANA has allocated 1.0.0.0/8 to APNIC. This prefix must look familiar to many, as we often see it in examples and documentation. And let’s be honest, haven’t you used 1.1.1.1 on one of your test routers to quickly test something?
Receiving a prefix from this range might result in some issues in regards to duplicate announcements and duplicate address usages.

Duplicate announcements
If multiple networks announce the same prefix, traffic might be routed to the wrong network. This problem becomes even worse if someone else starts to announce a more specific prefix of this network. Normally these ‘hijacks’ are not all that common, but with prefixes from this range it might be a bigger issue due to the nature of this prefix.
To try to quantify this I decided to take a look in the BGPmon.net database in which we have a complete collection of bogon announcements since May 2009. Any announcement in the 1.0.0.0/8 range in the last 9 months is recorded in this database.

In this 9 month period we detected 364 unique announcements for prefixes in the 1.0.0.0/8 range. If we group those announcements by origin AS and announced prefix we see 23 unique announcements.

| Prefix         | Origin AS | AS name                                                                     |
|----------------|-----------|-----------------------------------------------------------------------------|
| 1.0.0.0/9      | AS24785   | JOINTTRANSIT-AS Open Peering BV trading as Joint Transit                    |
| 1.1.0.0/16     | AS47377   | KPNBE T2 Belgium NV                                                         |
| 1.1.0.0/24     | AS3549    | GBLX Global Crossing Ltd.                                                   |
| 1.1.1.0/24     | AS8300    | Test-AS – Swisscom Ltd                                                      |
| 1.1.1.0/24     | AS30733   | GLOBUS-AS GLOBUS-TELECOM Autonomous System                                  |
| 1.1.1.0/24     | AS6503    | Axtel, S.A.B. de C. V.                                                      |
| 1.1.1.0/24     | AS34695   | E4A-AS E4A Primary AS                                                       |
| 1.1.1.0/24     | AS8218    | NEO-ASN AS Confederation of Neotelecoms, euNetworks AG and Upstreamnet gmbh |
| 1.1.1.0/24     | AS3549    | GBLX Global Crossing Ltd.                                                   |
| 1.1.1.0/24     | AS45899   | VNPT-AS-VN VNPT Corp                                                        |
| 1.1.1.0/24     | AS16735   | Companhia de Telecomunicacoes do Brasil Central                             |
| 1.1.1.0/30     | AS38091   | HELLONET-AS-KR CJ-CABLENET                                                  |
| 1.1.1.0/31     | AS8359    | COMSTAR COMSTAR-Direct global network                                       |
| 1.1.1.1/32     | AS45400   | NICNET Korea Telecom-PUBNET                                                 |
| 1.1.1.10/31    | AS8359    | COMSTAR COMSTAR-Direct global network                                       |
| 1.1.2.0/30     | AS3313    | INET-AS I.NET S.p.A.                                                        |
| 1.1.88.0/24    | AS4645    | ASN-HKNET-AP HKNet Co. Ltd                                                  |
| 1.1.88.0/24    | AS39386   | STC-IGW-AS Saudi Telecom Company                                            |
| 1.120.0.0/13   | AS23148   | TERREMARK Terremark                                                         |
| 1.2.3.0/24     | AS19151   | WVFIBER-1 - WV FIBER                                                        |
| 1.20.23.178/32 | AS26592   | Dominio BR Consultoria em Informatica Ltda                                  |
| 1.40.0.0/13    | AS23148   | TERREMARK Terremark                                                         |
| 1.80.0.0/13    | AS23148   | TERREMARK Terremark                                                         |

A complete list of bogon announcements can be found here:
As you can see the 1.1.1.0/24 prefix is the most popular prefix, so we can only hope APNIC won’t allocate this prefix. Except maybe for a nice honeynet project.
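
To see what such leftover announcements mean for whoever receives a prefix from this range, the added example below (not code from BGPmon) classifies observed routes against a hypothetical allocation and shows, via longest-prefix match, which origin AS would receive traffic for a given address. The holder prefix and ASN and the function names are assumptions; the other rows are taken from the table above.

```python
import ipaddress

# Hypothetical holder of a future allocation; AS64500 is a documentation ASN.
HOLDER_PREFIX = ipaddress.ip_network("1.1.1.0/24")
HOLDER_ASN = 64500

# (prefix, origin ASN). The first row is the hypothetical holder's own route;
# the other rows are copied from the bogon table above.
OBSERVED = [
    ("1.1.1.0/24", 64500),
    ("1.1.1.0/24", 8300),
    ("1.1.1.0/24", 3549),
    ("1.1.1.0/24", 3549),   # repeated sighting, collapsed when grouping
    ("1.1.1.0/30", 38091),
    ("1.1.1.1/32", 45400),
    ("1.1.0.0/16", 47377),
    ("1.0.0.0/9", 24785),
    ("1.2.3.0/24", 19151),
]


def classify(prefix, origin, holder_prefix=HOLDER_PREFIX, holder_asn=HOLDER_ASN):
    """Relate one announcement to the holder's allocation."""
    net = ipaddress.ip_network(prefix)
    if net.version != holder_prefix.version:
        return "unrelated"
    inside = net.subnet_of(holder_prefix)       # equal or more specific
    covers = holder_prefix.subnet_of(net)       # equal or less specific
    if not (inside or covers):
        return "unrelated"
    if origin == holder_asn:
        return "own"
    if net == holder_prefix:
        return "origin-conflict"                # same prefix, other origin
    return "more-specific" if inside else "covering"


def group_conflicts(observed):
    """Unique (prefix, origin) pairs per conflict type, as in the grouping above."""
    groups = {"origin-conflict": set(), "more-specific": set(), "covering": set()}
    for prefix, origin in observed:
        kind = classify(prefix, origin)
        if kind in groups:
            groups[kind].add((prefix, origin))
    return {kind: sorted(pairs) for kind, pairs in groups.items()}


def winning_origins(address, observed):
    """Longest-prefix match: the prefix that wins and every origin announcing it."""
    addr = ipaddress.ip_address(address)
    matches = {(ipaddress.ip_network(p), o) for p, o in observed
               if addr in ipaddress.ip_network(p)}
    if not matches:
        return None
    longest = max(net.prefixlen for net, _ in matches)
    best = sorted((str(net), o) for net, o in matches if net.prefixlen == longest)
    return best[0][0], [o for _, o in best]


if __name__ == "__main__":
    for kind, pairs in group_conflicts(OBSERVED).items():
        print(kind, pairs)
    for address in ("1.1.1.1", "1.1.1.200"):
        print(address, "->", winning_origins(address, OBSERVED))
```

More than one origin in the result means the path taken depends on each router's view of the table, so the holder cannot count on receiving the traffic.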

Duplicate address usage
Duplicate announcements are not the only thing networks in the 1.0.0.0/8 prefix have to worry about. As it turns out, a number of organizations have used this prefix as an alternative for the RFC1918 prefixes, with the reasoning that many people already use 192.168.0.0, 10.0.0.0 or 172.16.0.0, so chances of collisions are reasonable. So these bright minds came up with the idea of using an unallocated prefix as an alternative, such as for example 1.0.0.0/8.

AnoNet
AnoNet is a private friend-to-friend network built using VPNs and software BGP routers. AnoNet works by making it difficult to learn the identities of others on the network, allowing them to anonymously host content and IPv4 services. Also see http://en.wikipedia.org/wiki/AnoNet
The prefix they use for this network is 1.0.0.0/8.
Apparently AnoNet is planning to do the same for their IPv6 initiative, as according to their website:
“Services are gradually being migrated to dual-stack. It is all in the de00::/8 range”
de00::/8 is an unallocated range, just as 1.0.0.0/8 used to be….

WIANA
WIANA, the Wireless Internet Assigned Numbers Authority, provides IP addresses for wireless devices from the 1.0.0.0/8 prefix.
Ironically, WIANA claims to have been formed to meet the need that network policies are upheld.
According to their FAQ, the reason for this prefix is that several protocols already utilize the 10.x.x.x network for unregistered addresses during handshaking, so another class A network was required. Unfortunately for WIANA (and the future legitimate holder of this prefix), the prefix they chose will soon no longer be unique.

Receiving a prefix from the 1/8 range
The role of the RIRs is to make sure prefixes are allocated to one organization only and as a result should be unique. With prefixes from the 1.0.0.0/8 range this can no longer be guaranteed. Not because of multiple allocations by the RIR, but in this case because of other organizations that thought it would be a smart idea to choose a random unallocated prefix.
In order to prevent issues with BGP announcements, and looking at the bogon announcements, it’s probably a good idea not to allocate (at least not yet) prefixes in the 1.1.0.0/16 range, as these seem to be leaked the most.

As Alain Durand mentioned on Nanog: “Who said the water at the bottom of the barrel of IPv4 addresses will be very pure? We ARE running out and the global pain is increasing.”

whois.bgpmon.net Another great tool for network admins

Earlier this week the BGPmon.net WebServices API was made available for everyone. This SOAP interface allows programmers to interface with the extensive bgpmon dataset.
One of the tools that I like best is the new whois service, that allows you to query any IPv4 or IPv6 address and returns the prefix that is found in the BGP tables for this address. In addition it will also show the country code for this prefix, Origin AS and AS name. See the example below:

Or if you would like to use this whois service for scripting purposes, you can use the -m flag.
The example below shows the machine readable output, i.e. easy to parse.

Note that in case of multiple origin ASNs, multiple objects are returned.

Google Wave for Research and Education

With Google Wave, Google introduces a very interesting new concept in the field of online collaboration. The fact that human to human, human to robot, and possibly even robot to robot interaction can all be handled in a similar way, based on open standards and in real time, introduces some very exciting possibilities.

In a recently published report by SURFnet, the authors explore the possibilities of Google Wave for Research and Education.
Will Google Wave be the Swiss Army Knife it is intended to be? Will it redefine the way researchers, educators and students collaborate?

The complete report can be found here: http://www.surfnet.nl/Documents/indi-2009-10-019%20(Rapport_Google_Wave).pdf

The Vatican taking the lead in IPv6 rollout?

IPv6 slowly seems to become more mainstream, we hear about IPv6 more and more and it seems that at least some Service providers and governments understand that there is a sense of urgency. Regularly we hear networks saying that they are planning to roll out IPv6 and vendors that are promising to make their products IPv6 ready.

But talk is cheap and the question remains, how far are we actually with rolling out IPv6 deployment? We tried to answer that question by looking at the Internet Routing tables.

IPv6 deployment ratio.
Each network in the global Internet has a unique Autonomous System (AS) number. An Autonomous System can be an Internet Service Provider (ISP), Enterprise network, content provider or any other sort of network. Each AS number announces one or more prefixes. By using Geo IP libraries we are able to determine a country for each prefix. This in turn allows us to determine the unique number of networks (AS numbers) per country. Doing this for both IPv4 as well as IPv6 will result in the IPv4/IPv6 deployment ratio.

Let’s look, for example, at Canada. There are 816 Autonomous Systems that originate a prefix registered as in use in Canada. If we look at the IPv6 routing tables we see that 50 Autonomous Systems announce a Canadian IPv6 prefix. This results in an IPv6 deployment percentage of 6.1%, meaning that 6.1% of the networks doing business in Canada are currently actively deploying IPv6.

Results
If we look at the global statistics, i.e. comparing all IPv4 Autonomous Systems with all IPv6 Autonomous Systems we see that the global IPv6/IPv4 deployment ratio is 5.26%. This is slightly higher than the 4.4% we measured in April 2009.
More results can be found here.

And the winner is
Jersey, a small country between England and France, is the only country scoring a 100% deployment ratio. IPv4 and IPv6 prefixes registered to Jersey are only announced by one provider, AS8681 Jersey Telecom, resulting in a 100% ratio.

Jersey is followed by Cuba (75%), Oman, Monaco, Holy See (Vatican City State) and Fiji, all scoring 50%. If we look at the bigger countries, i.e. countries with at least 100 (IPv4) networks, we see that Czech Republic (19%), New Zealand (18%), Japan (17%) and The Netherlands (17%) are leading.

Are we on the right track?
Ideally the IPv6 deployment percentage should be around ~100%. Globally today we score a 5% ratio. Although this is one percent higher than half a year ago, it’s still very low. Nevertheless, it’s positive to see that some individual countries such as Tunisia and Uruguay score surprisingly high. Europe and parts of Asia also seem to be on the right track.

The complete article can be found here.

Telus CTO Ibrahim Gedeon about Net Neutrality
The best peering invitation ever

Peering relationships are always interesting. Last week there was an interesting discussion about IPv6 reachability between Hurricane Electric and Cogent.
Hurricane Electric is currently by far the biggest IPv6 player, while Cogent is one of the biggest IPv4 players.

There's no IPv6 peering between the two, with the result that Hurricane Electric and Cogent clients cannot reach each other.
As the story goes, it seems that Cogent does not want settlement-free peering with Hurricane Electric.
In order to fix the reachability issue, Hurricane Electric invited Cogent again, now with a more humorous approach:

How can you say No to that? :)

Juniper Networks and CANARIE Bolster Canada's Ability to Conduct Big Science and Data-Driven Research

Juniper High Performance Ethernet Services Routers Advance the Capability of the
CANARIE Network, Creating New Research Opportunities for More Than 39,000
Canadian Scientists
SUNNYVALE, Calif. (Business Wire)
Juniper Networks (NASDAQ: JNPR), the leader in high-performance networking,
today announced that CANARIE Inc., Canada's advanced research and innovation
network, has implemented Juniper Networks MX Series Ethernet Services Routers
into its national network. This deployment will allow CANARIE's 39,000
researchers at almost 200 universities in Canada, and their colleagues around
the world, to exchange and analyze large volumes of information more quickly,
driving innovation and important discoveries in areas such as treatments or
cures for infectious diseases or pandemics, environmentally sound energy
sources, new galaxies, and more effective ways to predict and respond to natural
disasters.

The announcement was made concurrent with the "Summit 09" conference in Banff,
Alberta, which runs through Friday, October 16.

read more at: http://www.reuters.com/article/pressRelease/idUS136583+13-Oct-2009+BW20091013

Augmented Reality, The next big thing?

Imagine being on vacation in an unknown city, looking for a good restaurant in the area. Just use the camera in your mobile phone to view the area around you and immediately you see all the local recommendations merged into your camera’s display. Small information widgets tell you details about distance, direction and rating, including thumbnail photos for a quick first glimpse.

We've long fantasized about applications like this. A new iPhone and Android app called Layar makes that fantasy happen. Real estate, banking and restaurant search companies have already created layers of information available on the platform.
There's even a 'layer' for finding EDUROAM hotspots (in The Netherlands only for now)!

Soon there will be a 'layer' for Vancouver city parks, community centres and libraries!

For a demo see the video below, it is pretty impressive.



Larry Ellison - What The Hell Is Cloud Computing?

Interesting interview with Oracle's CEO Larry Ellison, about the term 'Cloud Computing'.
Ellison nearly shouted. “It’s not water vapor! All it is, is a computer attached to a network.” Ellison blamed venture capitalist “nitwits on Sand Hill Road” for hype and abuse of cloud terminology. “You just change a term, and think you’ve invented technology.”

Canadian ISPs Fight Back, Again

From Slashdot: http://yro.slashdot.org/story/09/09/25/1453243/Canadian-ISPs-Fight-Back-Again?from=rss

"With the recent CRTC decision giving Canadian telcos such as Bell and Telus the legal right to deny third-party ISPs access to their infrastructure, smaller Canadian Internet providers are again fighting for their lives, and are asking their customers for help. The ISPs are seeking public support, asking people to go to competitivebroadband.com to send either a form letter or a personalized message to the Industry Minister, the Prime Minister, the Opposition Leader, and optionally the respondent's local Minister of Parliament. If the CRTC's decision is not overturned, approximately 30 ISPs will likely be forced out of business. Competition in the ADSL market will be totally eliminated, and Canadians will have only two choices for wired Internet access: the local Cableco or the local Telco. Given that Canadian taxpayers have heavily subsidized the telcos in multiple ways for several decades, this decision to hand over exclusive control of the keys to the cookie jar hardly seems fair."

Google Policy Blog post about BC leading the way on Gov 2.0

According to a posting on Google's Policy Blog, British Columbia is leading on open data and open Government.
http://googlepublicpolicy.blogspot.com/2009/06/british-columbia-leading-on-open-data.html

Happy 1234567890!

For the real geeks amongst us, Happy 1234567890!

For the not so geeks amongst us, a quick explanation:

Unix time is a system for describing points in time, defined as the number of seconds elapsed since January 1, 1970 (UTC), also called the Unix epoch. The Unix timestamp is used by computers, routers, programmers etc.
So somewhere today it was exactly 1234567890 seconds since the Unix epoch!

Yeah I know... geek ;)

Nanog45 summary

Last week I arrived back from the Dominican Republic, where I visited the Nanog45 conference. It was quite an interesting conference with lots of interesting people. The agenda was filled with a wide array of interesting subjects; I will highlight a few of them.
There was quite some attention for the deployment of 4-byte ASNs and the operational issues this causes in some of the implementations. As of January 1st 2009, when you apply for a new ASN you will receive a 32-bit (4-byte) AS number. This is because of the shortage of 16-bit ASNs. http://nanog.org/meetings/nanog45/abstracts.php?pt=MTE5MiZuYW5vZzQ1&nm=nanog45 As it turns out, the seamless migration scenario as described in the RFCs isn't all that seamless, and in some corner cases this can cause your BGP sessions to flap. The RFC in question will be updated to reflect the recommended changes. See presentation here. In the case of BCNET this is something to keep in mind, as we are running a JUNOS version with 4-byte ASN support. The current UBC border routers don't support this yet.

Another interesting subject was the BGP Hijacking and Tools BOF. A separate BOF about security tools and hijacks was organized to discuss this issue in more detail. I gave a presentation about BGPmon.net (http://nanog.org/meetings/nanog45/presentations/Sunday/Toonk_bgpmon_N45.pdf). I created a screencast of this presentation last week; for those interested, you can see it here: http://bgpmon.net/screencast.php The presentation was received very well and there were some interesting questions, suggestions and feedback from the audience.
It's good to see that the subject of BGP security, and especially hijacks, is receiving more attention lately. During one of the lightning talks, for example, a presentation was given about the risks of such hijacks for critical Internet infrastructure such as ccTLDs and other root nameservers. The more I think about this, the more I realize the potential and the huge risks involved for the security of the Internet, especially if you consider how relatively easy it is to execute an attack like this.

In addition there was a very interesting presentation comparing different BGP hijack detection technologies, A Comparative Analysis of BGP Anomaly Detection and Robustness Algorithms. After hearing that, I think BGPmon.net is fairly unique in the way it detects and classifies hijacks by using a combination of user defined information, historical BGP data and IRR data.

There was also a lightning talk about the RPKI initiative, presented by Sandra Murphy from Sparta. The goal of RPKI is to be able to trust the data in the IRR databases, so that we will be able to verify whether the announcer of a prefix is really authorized to announce it. And although it does not solve all of the problems, it is a great first step towards a more secure routing environment.

Other interesting subjects were the deployment of DNSSEC and the operational challenges this has. As always there were a few presentations about IPv6. The one that caught my attention was a presentation by Hurricane Electric, one of the main IPv6 players. They gave us some insight into the amount of IPv6 traffic they are currently doing. The numbers were not all that high as compared to IPv4, but still higher than expected, and it's definitely growing fast.
Another amusing presentation was given by Remco van Mook, talking about the 6to4 functionality in his new Linksys DSL router. As it turns out, these devices set up a 6to4 tunnel out of the box. This of course is a cool feature; the only problem is that it's undocumented and you're unable to turn it off. This results in a security risk, basically opening up your network over IPv6 without you being aware of it, and you can't turn it off without knowing about some hidden menus.

The DNS operators in Chile (NIC Chile) gave an interesting presentation about their anycast plans and test environment to measure latencies. This resulted in an interesting brainstorm session between me, the .NL guys and some others about developing an algorithm using BGP data to determine where to locate your anycast servers.

These are just some of the highlights; all presentations can be downloaded here: http://nanog.org/meetings/nanog45/agenda.php. The conference was partly sponsored by the government of the Dominican Republic. At some point it was even announced that the president would come and visit us. Eventually that didn't happen, but they did organize a nice welcome party with typical Dominican food, music and dances. After the conference I took 2 days of holiday to enjoy the nice weather in the Caribbean. Some photos can be found here: http://www.toonk.ca/photo-index.php?album=2009-01-31%20Nanog45%20-%20Dominican%20Republic/