[nsp] Updates - Ingress Prefix Filter Templates

Barry Raveendran Greene bgreene@cisco.com
Wed, 4 Dec 2002 11:53:35 -0800


Hello Everyone,

I've pushed out new versions of the ingress prefix templates. Had a
really good peer review of the list by Steve Gill. He is working on the
Junos flavored template. This review resulted in some nice tweaks and
additions to the list. You can download the templates from:

ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/

Here are the changes with version 1.11

+ Changes J-Root:

J.ROOT-SERVERS.NET.     192.58.128.0/24 

+ Added 82.0.0.0/8 for the new RIPE-NCC allocation.

+ Added a deny for 240.0.0.0/4 le 32 and changed 224.0.0.0/3 le 32 to
224.0.0.0/4 le 32.

+ Matching and adding more DNS G-TLD servers from:

	http://www.qorbit.net/documents/golden-networks

We need help refining the more specifics for the G-TLDs (see below). I
see /16s, /18s, and other big prefixes in the list. These big prefixes
worry me. It could mean that root server administrators are not thinking
through the impact of a more specific prefix hijack and stacking several
critical servers on one segment. So, if people have the time and the
knowledge of the more specifics, please let me know. 

Thanks,

Barry


aero             | dns7.denic.de.       | 194.246.96.0/24 
aero             | merapi.switch.ch.    | 130.59.0.0/16   
aero             | ns3.knipp.de.        | 194.64.105.0/24 
aero             | tld1.nominum.com.    | 198.133.199.0/24
aero             | tld2.nominum.com.    | 192.100.59.0/24 
biz              | a.gtld.biz.          | 209.173.53.0/24 
biz              | b.gtld.biz.          | 209.173.57.0/24 
biz              | c.gtld.biz.          | 209.173.60.0/24 
biz              | d.gtld.biz.          | 213.86.0.0/16   
biz              | e.gtld.biz.          | 209.173.58.0/24 
biz              | f.gtld.biz.          | 209.173.58.0/24 
coop             | ns1.nic.coop.        | 198.133.199.0/24
coop             | ns2.nic.coop.        | 192.100.59.0/24 
gov edu          | a3.nstld.com.        | 192.5.6.0/24    
gov edu          | b3.nstld.com.        | 192.33.14.0/24  
gov edu          | c3.nstld.com.        | 192.26.92.0/24  
gov edu          | d3.nstld.com.        | 192.31.80.0/24  
gov edu          | e3.nstld.com.        | 192.12.94.0/24  
gov edu          | f3.nstld.com.        | 192.35.51.0/24  
gov edu          | g3.nstld.com.        | 192.42.93.0/24  
gov edu          | l3.nstld.com.        | 192.41.162.0/24 
gov edu          | m3.nstld.com.        | 192.55.83.0/24  
info             | tld1.ultradns.net.   | 204.74.112.0/24 
info             | tld2.ultradns.net.   | 204.74.113.0/24 
int              | ns.isi.edu.          | 128.9.0.0/16    
int              | ns.uu.net.           | 137.39.0.0/16   
int              | ns0.ja.net.          | 128.86.0.0/16   
int              | ns0.ja.net.          | 193.60.0.0/14   
int              | ns1.cs.ucl.ac.uk.    | 128.16.0.0/16   
int museum       | ns.icann.org.        | 192.0.34.0/24   
mil              | con1.nipr.mil.       | 199.252.128.0/18
mil              | con2.nipr.mil.       | 199.252.128.0/18
mil              | eur1.nipr.mil.       | 199.252.154.0/24
mil              | eur2.nipr.mil.       | 199.252.128.0/18
mil              | pac1.nipr.mil.       | 199.252.180.0/24
mil              | pac2.nipr.mil.       | 199.252.155.0/24
museum           | dns1.getty.edu.      | 153.10.0.0/16   
museum           | nic.icom.org.        | 195.7.64.0/19   
museum           | nic.museum.          | 130.242.0.0/15  
museum           | ns-ext.vix.com.      | 204.152.184.0/21
name             | a10.nstld.com.       | 192.5.6.0/24    
name             | f10.nstld.com.       | 192.35.51.0/24  
name             | g10.nstld.com.       | 192.42.93.0/24  
name             | l10.nstld.com.       | 192.41.162.0/24 
name             | ns1.nic.name.        | 193.109.220.0/24
name             | ns3.nic.name.        | 202.71.192.0/18 
pro              | a.iana-servers.net.  | 192.0.34.0/24   
pro              | b.iana-servers.net.  | 193.0.0.0/21
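
Added example, not part of the original message or the templates: a Python sketch that runs the two checks the message asks for over rows of the list above, flagging prefixes shorter than /24 (room for a more-specific announcement to win longest-match) and several servers for one TLD under a single covering prefix. The /24 threshold and the function names are assumptions; the rows are a subset copied from the list.

```python
import ipaddress
from collections import defaultdict

# Subset of rows copied from the list in the message above.
ROWS = """\
biz        | d.gtld.biz.    | 213.86.0.0/16
biz        | e.gtld.biz.    | 209.173.58.0/24
biz        | f.gtld.biz.    | 209.173.58.0/24
int        | ns0.ja.net.    | 128.86.0.0/16
int        | ns0.ja.net.    | 193.60.0.0/14
int museum | ns.icann.org.  | 192.0.34.0/24
mil        | con1.nipr.mil. | 199.252.128.0/18
mil        | con2.nipr.mil. | 199.252.128.0/18
mil        | eur1.nipr.mil. | 199.252.154.0/24
mil        | eur2.nipr.mil. | 199.252.128.0/18
"""

# Assumption: /24 is the longest prefix most networks accept, so anything
# shorter leaves room for a more-specific announcement inside it.
MAX_SAFE_LEN = 24

def parse(text):
    """Yield (tlds, server, network) for each 'tld | server | prefix' row."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 3 and parts[2]:
            yield parts[0].split(), parts[1], ipaddress.ip_network(parts[2])

def review(text):
    """Return (wide, stacked): rows shorter than /24, and TLDs with more
    than one server inside the same covering prefix."""
    wide, by_tld = [], defaultdict(list)
    for tlds, server, net in parse(text):
        if net.prefixlen < MAX_SAFE_LEN:
            wide.append((server, str(net)))
        for tld in tlds:
            by_tld[tld].append((server, net))
    stacked = {}
    for tld, entries in by_tld.items():
        for _, cover in entries:
            # Count servers whose listed prefix is equal to or inside `cover`.
            inside = sorted({s for s, n in entries if n.subnet_of(cover)})
            if len(inside) > 1:
                stacked[(tld, str(cover))] = inside
    return wide, stacked

if __name__ == "__main__":
    wide, stacked = review(ROWS)
    print("shorter than /24:", wide)
    print("stacked servers:", stacked)
```
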