Country IP Blocks has Released It's New Network Aggregation Module

CIPB

Country IP Blocks is please to announce the release of its new Network Aggregation Module for Members.

You can get information on this product here.

Are your ACLs large and difficult to maintain? Imagine being able to reduce the size of your country(ies) specific network blocks by 10%, to 75% or more.

To celebrate the release of our Members only network aggregation product we are releasing a free, onetime, USA and Canada combined aggregated network CIDR list. Through the miracle of aggregation we have reduced the size of the list from 50,207 networks to 12,806 networks. This is a reduction of approximately 75%, resulting in a much smaller footprint in your ACLs. This ACL was created on April 5, 2013 3:23 PM GMT -0700.

And once again we thank pfSense for its support over the years.

jimp

Great news!

I often wondered how much of that space was really contiguous but listed separately, and I guess that answers that question. :-)

CIPB

What we find even more interesting is the impact aggregation can have on the Regional Internet Registries (RIRs).

If we break down network assignments by RIRs and then aggregate the networks we see some astonishing reductions in the number of network entries in the final output (As of April 9, 2013).

Registry | Networks | After Aggregation | Size Reduction
AFRINIC |  2,377    |    770                |  77.6%
APNIC    | 21,562    |  3,059                | 85.8%
ARIN      | 50,731    | 11,510              | 73.3%
LACNIC  |  6,951  |  2,133              | 69.3%
RIPENCC | 51,997    |  5,505              | 89.4%

Aggregation makes large ACLs much smaller and easier to handle. We are excited about the prospects.

Think about the effect on firewalls and systems. The smaller footprint should make a huge difference.

jimp

Yes that saves a lot of memory and CPU cycles to process. Sounds like a win-win to me!

CIPB

Reducing the Size of Large Access Control Lists

If you manage ACLs (Access Control Lists) on Cisco Appliances, ipchains, IPtables, .htaccess or any other hardware or software firewall, chances are you have encountered excessively large ACLs, Country IP Blocks has solved this problem with our new network Aggregation Module.

Large ACLs are a bit unruly and present unique challenges from maintenance to the effect the ACL may have on your system resources. A very large ACL can negatively impact certain systems due to the processing power and memory required to make full use of the list. Our network Aggregation Module processes these large IPv4 network ACLs producing lists much smaller in size than the original.

After selecting the countries you want in your ACL and one of eleven data formats we begin the aggregation process by pulling the specific data from the appropriate database. Retrieved data is sorted and arranged by network address. Our next step is to process the data into contiguous networks. When this process is complete the new contiguous network blocks are then processed to create the fewest number of legal networks.

To see how this might look in a real world scenario we will combine US and Canadian networks as they appeared on April 11, 2013 at 11:36 AM GMT -0700: The United States and Canada have 50,249 public networks and 1,648,359,048 nodes or IP addresses assigned to the two countries. This is a very large list.

Converting these networks into contiguous network space reduces the potential size of the ACL to approximately 8,200 network ranges. Unfortunately, that list will not work in most commercial firewalls as these network ranges are not necessarily legal networks.
To solve this problem we process the network ranges through a complex algorithm to aggregate the final result into legal and acceptable networks. The final result is an ACL of 12,765 lines. This makes for a much more manageable list. The resultant 74.6% savings in ACL size should make anyone sit up and take notice.

This product is now available as an add-on to our regular membership. The combined package is $259.00 per year, per server/firewall where the data will be applied or used. Additional servers/firewalls or additional servers behind the firewall require a separate license for each server.

Take control of large ACLs and experience the benefits today.

CIPB

Incidentally, we are also providing free Bogon lists. These are updated every four hours in eleven different formats.

The Full Bogon lists are available here: https://www.countryipblocks.net/bogons.php