[101676] in North American Network Operators' Group
RE: BGP Filtering
daemon@ATHENA.MIT.EDU (Ben Butler)
Tue Jan 15 13:27:11 2008
Date: Tue, 15 Jan 2008 18:08:53 -0000
From: "Ben Butler" <ben.butler@c2internet.net>
To: <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
This is a multi-part message in MIME format.
------_=_NextPart_001_01C857A1.B08C6040
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hi Dave,
=20
Yes that is what I was thinking I want to do - so I am guessing here - I
think what we are saying is the /17s never get re-added when the /16 is
withdrawn because this does not - for very good reasons when I think
about it- cause the filter to be evaluated upon the withdrawal of a
prefix, only on when it is newly announced does it get checked - or
maybe the odd table scan in the code?? But basically the /17s just sit
there and continue to be filtered. Is that approximately correct?
=20
so umm, yes a default would be needed, ummm.
=20
Is it even technically possible to easily achieve though?
=20
Ben
________________________________
From: Dave Israel [mailto:davei@otd.com]=20
Sent: 15 January 2008 17:51
To: Ben Butler
Cc: nanog@merit.edu
Subject: Re: BGP Filtering
Ben,
I think I understand what you want, and you don't want it. If you
receive a route for, say, 204.91.0.0/16, 204.91.0.0/17, and
204.91.128.0/17, you want to drop the /17s and just care about the /16.
But a change in topology does not generally result in a complete update
of the BGP table. Route changes result in route adds and draws, not a
flood event. So if you forgot about the /17s and just kept the /16, and
the /16 was subsequently withdrawn, your router would not magically
remember that it had /17s to route to as well. You'd drop traffic,
unless you had a default, in which case you'd just route it
suboptimally.
-Dave
Ben Butler wrote:=20
Hi,
=09
Agreed that is why I have lots of RAM - doesn't mean I should
carry on
upgrading my tower of babble though to make it ever higher and
higher if
there is a better way of doing things.
=09
I still don't see how a default route to a portioned pop is
going to
help in the slightest - you are saved by getting the prefixes
from an
alternate transit and the default doesn't get used. Where is
does help
is to capture anything which has been filtered out completely
and then
there is no prefix from the alternate transit provider anyway -
so
whichever default gets used and takes its chances.
=09
Bogons - obviously.
=09
My question was if what I was asking was possible.
=09
Kind Regards
=09
Ben
=09
=09
-----Original Message-----
From: Joe Abley [mailto:jabley@ca.afilias.info]=20
Sent: 15 January 2008 17:07
To: Ben Butler
Cc: nanog@merit.edu
Subject: Re: BGP Filtering
=09
=09
On 15-Jan-2008, at 11:40, Ben Butler wrote:
=09
=20
Defaults wont work because a routing decision has to be
made, my=20
transit originating a default or me pointing a default
at them does=20
not guarantee the reachability of all prefixes..
=20
=09
Taking a table that won't fit in RAM similarly won't guarantee
reachability of anything :-)
=09
Filter on assignment boundaries and supplement with a default.
That
ought to mean that you have a reasonable shot at surviving
de-peering/
partitioning events, and the defaults will pick up the slack in
the
event that you don't.
=09
For extra credit, supplement with a bunch of null routes for
bogons so
packets with bogon destination addresses don't leave your
network, and
maybe make exceptions for "golden prefixes".
=09
=20
I am struggling to see a defensible position for why
just shy of 50%=20
of all routes appears to be mostly comprised of
de-aggregated routes=20
when aggregation is one of the aims RIRs make the LIRs
strive to=20
achieve. If we cant clean the mess up because there is
no incentive=20
than cant I simply ignore the duplicates.
=20
=09
You can search the archives I'm sure for more detailed
discussion of
this. However, you can't necessarily always attribute the
presence of
covered prefixes to incompetence.
=09
=09
Joe
=20
------_=_NextPart_001_01C857A1.B08C6040
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.6000.16544" name=3DGENERATOR></HEAD>
<BODY text=3D#000000 bgColor=3D#ffffff>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008>Hi Dave,</SPAN></FONT></DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008></SPAN></FONT> </DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008>Yes that is what I was thinking I want to do =
- so=20
I am guessing here - I think what we are saying is the /17s never get =
re-added=20
when the /16 is withdrawn because this does not - for very good reasons =
when I=20
think about it- cause the filter to be evaluated upon the withdrawal of =
a=20
prefix, only on when it is newly announced does it get checked - or =
maybe the=20
odd table scan in the code?? But basically the /17s just sit there and =
continue=20
to be filtered. Is that approximately correct?</SPAN></FONT></DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008></SPAN></FONT> </DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008>so umm, yes a default would be needed,=20
ummm.</SPAN></FONT></DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008></SPAN></FONT> </DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008>Is it even technically possible to easily =
achieve=20
though?</SPAN></FONT></DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008></SPAN></FONT> </DIV>
<DIV dir=3Dltr align=3Dleft><FONT face=3DArial color=3D#0000ff =
size=3D2><SPAN=20
class=3D168480118-15012008>Ben</SPAN></FONT></DIV><BR>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr align=3Dleft>
<HR tabIndex=3D-1>
<FONT face=3DTahoma size=3D2><B>From:</B> Dave Israel =
[mailto:davei@otd.com]=20
<BR><B>Sent:</B> 15 January 2008 17:51<BR><B>To:</B> Ben =
Butler<BR><B>Cc:</B>=20
nanog@merit.edu<BR><B>Subject:</B> Re: BGP =
Filtering<BR></FONT><BR></DIV>
<DIV></DIV><BR>Ben,<BR><BR> I think I understand what you want, =
and you=20
don't want it. If you receive a route for, say, =
204.91.0.0/16, =20
204.91.0.0/17, and 204.91.128.0/17, you want to drop the /17s and just =
care=20
about the /16. But a change in topology does not generally result =
in a=20
complete update of the BGP table. Route changes result in route =
adds and=20
draws, not a flood event. So if you forgot about the /17s and just =
kept=20
the /16, and the /16 was subsequently withdrawn, your router would not =
magically=20
remember that it had /17s to route to as well. You'd drop traffic, =
unless=20
you had a default, in which case you'd just route it=20
suboptimally.<BR><BR>-Dave<BR><BR><BR>Ben Butler wrote:=20
<BLOCKQUOTE=20
cite=3Dmid:F9181128E9584B40B5A04C43800604B406DCDE@anyanka.c2internet.net =
type=3D"cite"><PRE wrap=3D"">Hi,
Agreed that is why I have lots of RAM - doesn't mean I should carry on
upgrading my tower of babble though to make it ever higher and higher if
there is a better way of doing things.
I still don't see how a default route to a portioned pop is going to
help in the slightest - you are saved by getting the prefixes from an
alternate transit and the default doesn't get used. Where is does help
is to capture anything which has been filtered out completely and then
there is no prefix from the alternate transit provider anyway - so
whichever default gets used and takes its chances.
Bogons - obviously.
My question was if what I was asking was possible.
Kind Regards
Ben
-----Original Message-----
From: Joe Abley [<A class=3Dmoz-txt-link-freetext =
href=3D"mailto:jabley@ca.afilias.info">mailto:jabley@ca.afilias.info</A>]=
=20
Sent: 15 January 2008 17:07
To: Ben Butler
Cc: <A class=3Dmoz-txt-link-abbreviated =
href=3D"mailto:nanog@merit.edu">nanog@merit.edu</A>
Subject: Re: BGP Filtering
On 15-Jan-2008, at 11:40, Ben Butler wrote:
</PRE>
<BLOCKQUOTE type=3D"cite"><PRE wrap=3D"">Defaults wont work because a =
routing decision has to be made, my=20
transit originating a default or me pointing a default at them does=20
not guarantee the reachability of all prefixes..
</PRE></BLOCKQUOTE><PRE wrap=3D""><!---->
Taking a table that won't fit in RAM similarly won't guarantee
reachability of anything :-)
Filter on assignment boundaries and supplement with a default. That
ought to mean that you have a reasonable shot at surviving de-peering/
partitioning events, and the defaults will pick up the slack in the
event that you don't.
For extra credit, supplement with a bunch of null routes for bogons so
packets with bogon destination addresses don't leave your network, and
maybe make exceptions for "golden prefixes".
</PRE>
<BLOCKQUOTE type=3D"cite"><PRE wrap=3D"">I am struggling to see a =
defensible position for why just shy of 50%=20
of all routes appears to be mostly comprised of de-aggregated routes=20
when aggregation is one of the aims RIRs make the LIRs strive to=20
achieve. If we cant clean the mess up because there is no incentive=20
than cant I simply ignore the duplicates.
</PRE></BLOCKQUOTE><PRE wrap=3D""><!---->
You can search the archives I'm sure for more detailed discussion of
this. However, you can't necessarily always attribute the presence of
covered prefixes to incompetence.
Joe
</PRE></BLOCKQUOTE></BODY></HTML>
------_=_NextPart_001_01C857A1.B08C6040--
