[147239] in North American Network Operators' Group
Re: 128.0.0.0/16 configured as martians in some routers
daemon@ATHENA.MIT.EDU (Mark Tinka)
Tue Dec 6 04:25:21 2011
From: Mark Tinka <mtinka@globaltransit.net>
To: nanog@nanog.org
Date: Tue, 6 Dec 2011 17:23:53 +0800
In-Reply-To: <82zkf6t76h.fsf@mid.bfk.de>
Cc: Alex Le Heux <alexlh@ripe.net>
Reply-To: mtinka@globaltransit.net
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tuesday, December 06, 2011 04:50:46 PM Florian Weimer wrote:
> Would someone please clarify the impact? Will it result in a blackhole,
> or will the entire announcement be suppressed? I suspect the latter,
> given what we see and what Chris Adams has reported.
This is what we see on Cisco IOS and IOS XR boxes:
lab#sh ip bgp 128.0.0.0
BGP routing table entry for 128.0.0.0/21, version 260804693
Paths: (2 available, best #1, table default)
Advertised to update-groups:
2
3491 3257 1103 12654
61.11.xxx.yy (metric 34400) from 61.11.xxx.zz (61.11.xxx.zz)
Origin IGP, metric 0, localpref 100, valid, internal, best
Community: 24218:1
Originator: 61.11.xxx.yy, Cluster list: 0.0.0.2
3491 3257 1103 12654
61.11.xxx.yy (metric 34400) from 61.11.xxx.ww (61.11.xxx.ww)
Origin IGP, metric 0, localpref 100, valid, internal
Community: 24218:1
Originator: 61.11.xxx.yy, Cluster list: 0.0.0.2
lab#
RP/0/RSP0/CPU0:lab#sh route 128.0.0.0
Tue Dec 6 17:09:13.439 MYT
Routing entry for 128.0.0.0/21
Known via "bgp 24218", distance 200, metric 0
Tag 3491, type internal
Installed Dec 4 20:00:33.089 for 1d21h
Routing Descriptor Blocks
61.11.xxx.yy, from 61.11.yyy.zz
Route metric is 0
No advertising protos.
RP/0/RSP0/CPU0:lab#
This is what we see on an unfixed Juniper:
tinka@lab# run show route 128.0.0.0
inet.0: 384214 destinations, 768288 routes (384212 active, 0 holddown, 4 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 20w2d 13:21:14
Discard
[edit]
tinka@lab#
tinka@lab# run show route 128.0.0.0/21
inet.0: 384218 destinations, 768296 routes (384216 active, 0 holddown, 4 hidden)
Restart Complete
[edit]
tinka@lab#
tinka@edge-gw-1-sin-pip.sg# run show route 128.0.0.0/21 hidden
inet.0: 384224 destinations, 768308 routes (384222 active, 0 holddown, 4 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both
128.0.0.0/21 [BGP/170] 1d 21:17:54, MED 0, localpref 100, from 61.11.xxx.ww
AS path: 3491 3257 1103 12654 I
> to 124.158.xxx.uu via ge-0/0/0.0, Push 16052
to 124.158.xxx.vv via ge-0/0/0.0, Push 16017
to 124.158.xxx.ww via ge-0/1/0.0, Push 16052
to 124.158.xxx.xx via ge-0/1/0.0, Push 16017
[BGP/170] 1d 21:17:54, MED 0, localpref 100, from 61.11.xxx.zz
AS path: 3491 3257 1103 12654 I
> to 124.158.xxx.uu via ge-0/0/0.0, Push 16052
to 124.158.xxx.vv via ge-0/0/0.0, Push 16017
to 124.158.xxx.ww via ge-0/1/0.0, Push 16052
to 124.158.xxx.xx via ge-0/1/0.0, Push 16017
[edit]
tinka@edge-gw-1-sin-pip.sg#
tinka@lab# run show route 128.0.0.0/21 hidden extensive | match State
State: <Hidden Martian Int Ext>
State: <Hidden Martian Int Ext>
[edit]
tinka@lab#
tinka@lab# run show interfaces terse
<snip>
...
fxp1 up up
fxp1.0 up up inet 10.0.0.1/8
10.0.0.4/8
128.0.0.1/2
128.0.0.4/2
inet6 fe80::200:ff:fe00:4/64
fec0::a:0:0:4/64
tnp 0x4
<snip>
...
[edit]
tinka@lab#
This is what we see on a Cisco router which lives behind
an unfixed Juniper router that is peering externally:
lab#sh ip bgp 128.0.0.0
% Network not in table
lab#
So our deduction - if a Juniper router is in the data path,
it will blackhole traffic destined to this address.
If a Juniper is in the control plane path, it will
filter this prefix and not send it to the rest of the
network.
Either way, you're screwed :-).
Cheers,
Mark.
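Added example, not part of Mark Tinka's message and not vendor code: a simplified Python model of the prefix check behind the "Hidden Martian" state shown above, usable to audit a martian table against prefixes another router is receiving. The table contents other than 128.0.0.0/16 (from the thread subject), the received prefixes other than 128.0.0.0/21, the function names, and the rule that the most specific matching entry decides are assumptions of this model.

```python
import ipaddress

# Constructed martian table for illustration; only 128.0.0.0/16 comes from the
# thread subject. Each entry: (prefix, match_type, allow_override).
LEGACY_MARTIANS = [
    ("0.0.0.0/8", "orlonger", False),
    ("127.0.0.0/8", "orlonger", False),
    ("128.0.0.0/16", "orlonger", False),
    ("240.0.0.0/4", "orlonger", False),
]
# Constructed received prefixes; only 128.0.0.0/21 appears in the message.
RECEIVED = ["128.0.0.0/21", "128.1.0.0/16", "198.51.100.0/24"]

def _matches(route, entry_net, match_type):
    """True if `route` falls under `entry_net` for the given match type."""
    if route.version != entry_net.version or not route.subnet_of(entry_net):
        return False
    if match_type == "exact":
        return route.prefixlen == entry_net.prefixlen
    if match_type == "longer":
        return route.prefixlen > entry_net.prefixlen
    if match_type == "orlonger":
        return True
    raise ValueError(f"unsupported match type: {match_type}")

def martian_verdict(prefix, table):
    """Return the entry that rejects `prefix`, or None if it is accepted.
    Model assumption: the most specific matching entry decides."""
    route = ipaddress.ip_network(prefix, strict=True)
    best = None
    for net_s, mtype, allow in table:
        net = ipaddress.ip_network(net_s)
        if _matches(route, net, mtype) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, mtype, allow)
    if best is None or best[2]:
        return None
    return f"{best[0]} {best[1]}"

def audit(received, table):
    """Map each received prefix the table would hide to the entry hiding it."""
    return {p: v for p in received if (v := martian_verdict(p, table))}

if __name__ == "__main__":
    print(audit(RECEIVED, LEGACY_MARTIANS))
```

Feeding it the prefixes a router without the martian entry holds shows which announcements a router using the table would hide.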