Re: Question on 7.0.0.0/8

["william(at)elan.net" <william () elan net>]

On Sat, 14 Apr 2007, Jon R. Kibler wrote:

> CYMRU has 7/8 listed as a bogon:
>         http://www.cymru.com/Documents/bogon-dd.html
>
> Their list is more or less authoritative, so I would believe that you should 
> never see traffic from that netblock. This is also consistent with Sprint 
> blackholeing it as a bogon in your original post.

Their list is no more "authoritative" then mine and I suspect they simply 
did not look into this netblock case before. Another bogon tracking
system http://www.cidr-report.org/#Bogons does not list it as bogon 
even though it does see same 7.1.1.0/24 announcement by Sprint.

I'm also curious to know why you think that Sprintlink is blackholing it?

-----

In case you're wondering they do route this block, here is where my
traceroute ends:
...
11  sl-bb20-rly-12-0.sprintlink.net (144.232.7.249)  79.181 ms  76.106 ms 
77.925 ms
12  sl-bb20-tuk-11-0.sprintlink.net (144.232.20.137)  97.675 ms  97.748 ms 
98.021 ms
13  sl-bb21-tuk-15-0.sprintlink.net (144.232.20.133)  97.672 ms  97.579 ms 
280.387 ms
14  sl-bb21-lon-14-0.sprintlink.net (144.232.19.70)  168.667 ms  169.151 
ms  179.363 ms
15  sl-bb23-lon-14-0.sprintlink.net (213.206.128.54)  168.879 ms  168.922 
ms  168.716 ms
16  sl-bb21-ams-3-0.sprintlink.net (213.206.129.142)  161.711 ms  161.816 
ms  180.609 ms
17  sl-bb20-ham-14-0.sprintlink.net (213.206.129.50)  167.782 ms  167.884 
ms  167.716 ms
18  sl-gw2-ham-0-0-0.sprintlink.net (217.147.96.100)  167.770 ms  167.928 
ms  168.193 ms
19  * * *

Last hop is in Germany which is a bit suspicious for supposed US DoD block 
but there are some military bases there after all...

Also there are some interesting messages about this netblock that one can
find on the net, like say:
 http://www.monkey.org/openbsd/archive/misc/0207/msg01215.html
 http://irisheagle.blogspot.com/2006_03_01_irisheagle_archive.html

> That said, it doesn't mean that the netblock is unused. Most likely it is
> a netblock that DoD actually uses, but it is only routed on DoD's private 
> backbone and never on the Internet.

If that is the case and they started using it in the days of J Postel
with his permission, then its not a bogon. Conflicting information at
ARIN and especially that their info was updated in 2006 leads me to 
believe that's the case. Add to it that I have several copies of old
DoD hosts table and they all list it as "EDN-TEMP", but what it refers
to and if the block should or should not still be in use I don't know.

Unfortunately all of this does not mean you should allow (or deny) traffic 
from 7.0.0.0/8, but it also does not mean that if you do see any traffic 
that its necessarily unauthorized.

> william(at)elan.net wrote:
> > Anybody know if 7.0.0.0/8 is or is not allocated to DoD?
> > The data at IANA and ARIN is kind-of confusing...
> >
> > ---------------------------------------------------------------
> > 7.1.1.0/24 ## AS1239 : SPRINTLINK : Sprint
> >            7.0.0.0 - 7.255.255.255 ## Bogon (unallocated) ip range
> > ---------------------------------------------------------------
> > http://www.iana.org/assignments/ipv4-address-space
> > 007/8   Apr 95   IANA - Reserved
> > ---------------------------------------------------------------
> > [IPv4 whois information for 7.0.0.1 ]
> > [whois.arin.net]
> >
> > OrgName:    DoD Network Information Center
> > OrgID:      DNIC
> > Address:    3990 E. Broad Street
> > City:       Columbus
> > StateProv:  OH
> > PostalCode: 43218
> > Country:    US
> >
> > NetRange:   7.0.0.0 - 7.255.255.255
> > CIDR:       7.0.0.0/8
> > NetName:    DISANET7
> > NetHandle:  NET-7-0-0-0-1
> > Parent:
> > NetType:    Direct Allocation
> > Comment:
> > RegDate:    1997-11-24
> > Updated:    2006-04-28
> >
> > OrgTechHandle: MIL-HSTMST-ARIN
> > OrgTechName:   Network DoD
> > OrgTechPhone:  +1-800-365-3642
> > OrgTechEmail:  HOSTMASTER () nic mil