[168193] in North American Network Operators' Group
Re: best practice for advertising peering fabric routes
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Jan 15 09:18:43 2014
From: Leo Bicknell <bicknell@ufp.org>
In-Reply-To: <166C4D5B-DA53-4D3A-BA9D-633D03E1FD35@arbor.net>
Date: Wed, 15 Jan 2014 08:18:13 -0600
To: "Dobbins, Roland" <rdobbins@arbor.net>
Cc: NANOG list <nanog@nanog.org>
On Jan 15, 2014, at 12:02 AM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:

> Again, folks, this isn't theoretical. When the particular attacks cited in this thread were taking place, I was astonished that the IXP infrastructure routes were even being advertised outside of the IXP network, because of these very issues.
I know a lot of people push next-hop-self, and if you're a large ISP with thousands of BGP customers it is pretty much required to scale.

However, a good engineer would know there are drawbacks to next-hop-self; in particular, it slows convergence in a number of situations. There are networks where fast convergence is more important than route scaling, and thus the traditional design of BGP next-hops being edge interfaces, and edge interfaces in the IGP, performs better.

By attempting to force IX participants to not put the route in IGP, those IX participants are collectively deciding on a slower converging network for everyone. I don't like a world where connecting to an exchange point forces a particular network design on participants.
> IXPs are not the problem when it comes to breaking PMTU-D. The problem is largely with enterprise networks, and with 'security' vendors who've propagated the myth that simply blocking all ICMP somehow increases 'security'.
That's some circular reasoning.

Networks won't 9K peer at exchange points for a number of reasons, including PMTU-D discovery issues.

Since there is virtually no 9K peering at exchange points, PMTU-D is a non-issue.

Maybe if IXP design didn't break PMTU-D it would help attract more 9K peers, or there might even be a future where 9K peering was required?

This whole problem smacks to me of exchange points that are "too big to fail". Since some of these exchanges are so big, everyone else must bend to their needs. I think the world would be a better place if some of these were broken up into smaller exchanges and they imposed fewer restrictions on their participants.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
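The concern quoted at the top of this reply, that IXP infrastructure routes end up advertised outside the IXP network, can be turned into a routine check against what a router actually announces upstream. This is an added example, not part of the original post or of any participant's code: it uses a constructed placeholder list of fabric prefixes (documentation ranges, not any real exchange's addressing) and a constructed export of routes announced to a transit provider, and reports every announcement that is, or sits inside, a fabric prefix.

```python
import ipaddress

# Constructed placeholder list of IXP peering-LAN ("fabric") prefixes. A real
# check would take these from the IXP's own documentation or PeeringDB; these
# are documentation ranges, not any actual exchange's addressing.
IXP_FABRIC_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),        # constructed IPv4 peering LAN
    ipaddress.ip_network("2001:db8:ffff::/64"),  # constructed IPv6 peering LAN
]

# Constructed sample of prefixes a router is announcing to a transit provider,
# as you might export them from an "advertised-routes" style show command.
ADVERTISED_TO_TRANSIT = [
    "203.0.113.0/24",      # own customer aggregate: fine
    "192.0.2.0/24",        # the whole peering LAN: leak
    "192.0.2.128/26",      # a more-specific of the peering LAN: also a leak
    "192.0.0.0/16",        # covering aggregate: not a leak of the fabric itself
    "2001:db8:ffff::/64",  # IPv6 peering LAN: leak
    "2001:db8:1::/48",     # own IPv6 aggregate: fine
]


def find_fabric_leaks(advertised, fabric_prefixes=IXP_FABRIC_PREFIXES):
    """Return (advertised_prefix, fabric_prefix) pairs for every advertised
    route that is an IXP fabric prefix or lies inside one.

    subnet_of() rather than overlaps() is used on purpose: a covering
    aggregate that merely contains the fabric does not by itself announce a
    path to the fabric addresses, so it is not reported. Address families
    are compared separately because subnet_of() rejects mixed versions.
    """
    leaks = []
    for raw in advertised:
        prefix = ipaddress.ip_network(raw, strict=False)
        for fabric in fabric_prefixes:
            if prefix.version == fabric.version and prefix.subnet_of(fabric):
                leaks.append((str(prefix), str(fabric)))
    return leaks


if __name__ == "__main__":
    for leaked, fabric in find_fabric_leaks(ADVERTISED_TO_TRANSIT):
        print(f"LEAK: {leaked} is inside IXP fabric prefix {fabric}")
```

Run against a real export, an empty result is what you want to see from every transit and peering session that is not the IXP itself.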