[160415] in North American Network Operators' Group
Re: L3 East coast maint / fiber 05FEB2012 maintenance
daemon@ATHENA.MIT.EDU (joel jaeggli)
Tue Feb  5 14:39:13 2013
Date: Tue, 05 Feb 2013 11:38:35 -0800
From: joel jaeggli <joelja@bogus.com>
To: Jason Biel <jason@biel-tech.com>, NANOG list <nanog@nanog.org>
In-Reply-To: <CAGpNY1EuwgwpnxVsGsHackG0WcroKn2dDabi3_h-YypCnaimfA@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 2/5/13 10:02 AM, Jason Biel wrote:
> Agree as well.
>
> Bad assumption on my part that Level3 would be doing the items listed in the
> workaround already.
>
> On Tue, Feb 5, 2013 at 11:41 AM, Jonathan Lassoff <jof@thejof.com> wrote:
>
>> On Tue, Feb 5, 2013 at 9:33 AM, Jason Biel <jason@biel-tech.com> wrote:
>>> Workaround is proper filtering and other techniques on the RE/Loopback to
>>> prevent the issue from happening.
>> Agreed. However, if it only takes one packet, what if an attacker
>> sources the traffic from your management address space?
>>
>> Guarding against this requires either a separate VRF/table for
>> management traffic or transit traffic, RPF checking, or TTL security.
>> If these weren't set up ahead of time, maybe it would be easier to
>> upgrade than lab, test, and deploy a new configuration.
>>
>> This is all speculation about Level3 on my part; I don't know their
>> network from an internal perspective.
Routers that show up on exchange fabrics are a particular problem...
For this issue...
For what it's worth we have several dozen circuits with them from
100Mb/s office links to 10Gb/s paths and we have notifications for
maintenances last night and tonight touching locations in Europe, US
east and US west coasts. I'm presuming that there is further internal
work that is not directly impactful.
I have evidence of various other providers as well as ourselves
undertaking fixes to this issue.
>> --j
>>> Should an upgrade be performed? Yes, but it certainly doesn't have to happen
>>> right away or without notice to customers.
>>>
>>> On Tue, Feb 5, 2013 at 11:23 AM, Jonathan Lassoff <jof@thejof.com>
>> wrote:
>>>> My hunch is that this is fallout and repairs from Juniper PR839412.
>>>> Only fix is an upgrade. Not sure why they're not able to do a hitless
>>>> upgrade though; that's unfortunate.
>>>>
>>>> Specially-crafted TCP packets that can get past RE/loopback filters
>>>> can crash the box.
>>>>
>>>> --j
>>>>
>>>> On Tue, Feb 5, 2013 at 7:39 AM, Josh Reynolds <esseph@gmail.com> wrote:
>>>>> I know a lot of you are out of the office right now, but does anybody have
>>>>> any info on what happened with L3 this morning? They went into a 5 hour
>>>>> maintenance window with expected downtime of about 30 minutes while they
>>>>> upgraded something like *40* of their "core routers" (their words), but
>>>>> also did this during some fiber work and completely cut off several of
>>>>> their east coast peers for the entirety of the 5 hour window.
>>>>>
>>>>> If anybody has any more info on this, or a NOC contact for them on the East
>>>>> Coast for future issues, you can hit me off-list if you don't feel
>>>>> comfortable replying with that info here.
>>>>>
>>>>> Thanks, and I hope you guys are enjoying Orlando.
>>>>>
>>>>> --
>>>>> *Josh Reynolds*
>>>>> esseph@gmail.com - (270) 302-3552
>>>>
>>>
>>> --
>>> Jason
>
>
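As an added illustration of the control-plane protections Jonathan lists above (an RE/loopback filter, TTL security and RPF checking), here is a Junos-style configuration fragment that is not from this thread or from any provider mentioned in it. The prefixes, interface names and filter names are hypothetical, and it assumes the platform supports the `ttl` match condition in family inet filters and `rpf-check` on the peering interface.

```junos
/* Hypothetical prefixes: substitute your own BGP peers and management block. */
policy-options {
    prefix-list BGP-PEERS { 192.0.2.1/32; 192.0.2.5/32; }
    prefix-list MGMT-NET  { 198.51.100.0/24; }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* BGP is accepted only from known peers AND only if the packet still
               carries TTL 255 (GTSM, RFC 5082). Peers on the exchange fabric are
               one hop away, so a genuine packet arrives untouched; a spoofed one
               routed in from elsewhere has been decremented and is discarded.
               Both sides must originate BGP with TTL 255 (the single-hop eBGP
               default is 1); setting that on the peer side is not shown here. */
            term bgp-from-peers {
                from {
                    source-prefix-list { BGP-PEERS; }
                    protocol tcp;
                    port bgp;
                    ttl 255;
                }
                then accept;
            }
            /* Management access from the management block only. On its own this
               is the source-based filter the thread calls insufficient, because
               a spoofed source passes it; the rpf-check below closes that gap. */
            term mgmt-ssh {
                from {
                    source-prefix-list { MGMT-NET; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term default-deny {
                then { log; discard; }
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input PROTECT-RE; } address 192.0.2.100/32; } } }
    /* Strict uRPF on the exchange-facing interface: a packet whose source is in
       MGMT-NET cannot be routed back out this way, so it is dropped on ingress
       before the loopback filter ever sees it. */
    xe-0/0/0 { unit 0 { family inet { rpf-check; address 203.0.113.2/24; } } }
}
protocols {
    bgp { group ixp-peers { type external; neighbor 192.0.2.1; neighbor 192.0.2.5; } }
}
```

The filter logs and discards everything not explicitly permitted, so the `log` counter on `default-deny` doubles as a cheap detection point for traffic aimed at the RE.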