[168202] in North American Network Operators' Group


RE: best practice for advertising peering fabric routes

daemon@ATHENA.MIT.EDU (Siegel, David)
Wed Jan 15 11:04:13 2014

From: "Siegel, David" <David.Siegel@Level3.com>
To: NANOG list <nanog@nanog.org>
Date: Wed, 15 Jan 2014 16:03:53 +0000
In-Reply-To: <FCD15D12-8707-43AC-AE53-388C2918CE9A@ianai.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

UUnet once advertised the /24 for MAE-East to me (well, Net99), and because I also had it in my IGP, my network was using UUnet's backbone for west-to-east coast traffic for a couple of days until I noticed and fixed it (with next-hop-self).

I agree 100% with Patrick and others on this point.  No good can come from propagating IXP address space any further than is absolutely necessary.  Best not to propagate it at all.

Dave


-----Original Message-----
From: Patrick W. Gilmore [mailto:patrick@ianai.net]
Sent: Wednesday, January 15, 2014 8:57 AM
To: NANOG list
Subject: Re: best practice for advertising peering fabric routes

On Jan 15, 2014, at 10:44 , William Herrin <bill@herrin.us> wrote:
> On Tue, Jan 14, 2014 at 10:11 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:

>> NEVER EVER EVER put an IX prefix into BGP, IGP, or even static route.
>> An IXP LAN should not be reachable from any device not directly
>> attached to that LAN. Period.
>>
>> Doing so endangers your peers & the IX itself. It is on the order of
>> not implementing BCP38, except no one has the (lame, ridiculous,
>> idiotic, and pure cost-shifting BS) excuse that they "can't" do this.
>
> Hi Patrick,
>
> I have to disagree with you. If it appears in a traceroute to
> somewhere else, I'd like to be able to ping and traceroute directly to
> it. When I can't, that impairs my ability to troubleshoot the all too
> common can't-get-there-from-here problems. The more you hide the
> infrastructure, the more intractable problems become for your
> customers.
>
> The IXP LAN should be reachable from every device on the ASes which=20
> connect to it, not just the immediate router.

We disagree.

Plus, you really can't type "ping" on the router connected to the IXP?

_If_ you can guarantee your network has zero bots, abusable [DNS|NTP|etc.] servers, all your downstreams are perfectly clean, etc., etc., then maybe I could see you carrying it in your IGP.

As I know 100% of ISPs (to at least one decimal place) cannot make such a guarantee, then doing so puts the IXP and all other members - whether peers of yours or not - at risk. Putting others at risk because you are lazy or because it makes your life easier is .. I believe I called it bad manners before.


But let's take the philosophical out of this. The prefix in question is owned by the IXP. I said in an earlier post that if you carry a prefix I own, did not announce to you, and make it very clear I specifically do not want you to carry, I will ask you to stop or face possible disconnection. You may claim convergence (a bit of BS), troubleshooting (non-issue, IMO), or even "but I waaaaaaaaaaaant to!!1!1!" (whatever). Doesn't matter. That's not your prefix, you were not given it and told not to carry it, so Do Not Carry It.

Ask your IXP if they mind whether you carry the prefix. See what they say.

--
TTFN,
patrick
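
Added example, not part of the original messages: a small audit of the rule argued in this thread, flagging any route inside an IXP LAN prefix that a router holds via BGP, an IGP or a static route instead of as a directly connected network. The prefixes (documentation ranges), the one-line-per-route dump format and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes stand in for real IXP LANs.
IXP_LANS = ["192.0.2.0/24", "2001:db8:100::/64"]

# Constructed route dump, one route per line:
# "<prefix> <protocol> <next-hop or interface>"
SAMPLE_RIB = """\
192.0.2.0/24 connected xe-0/0/0
192.0.2.0/24 bgp 198.51.100.1
192.0.2.128/25 ospf 10.0.0.2
2001:db8:100::/64 static 2001:db8:ffff::1
203.0.113.0/24 bgp 192.0.2.7
0.0.0.0/0 static 198.51.100.1
"""

def parse_rib(text):
    """Yield (network, protocol, via) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, proto, via = line.split()
        yield ipaddress.ip_network(prefix), proto.lower(), via

def audit_ixp_routes(rib_text, ixp_lans=IXP_LANS):
    """Return routes that fall inside an IXP LAN but are not directly connected."""
    lans = [ipaddress.ip_network(p) for p in ixp_lans]
    findings = []
    for net, proto, via in parse_rib(rib_text):
        for lan in lans:
            # subnet_of() needs matching address families, so compare versions first.
            # It is true for the exact prefix and for any more-specific inside it.
            if net.version == lan.version and net.subnet_of(lan) and proto != "connected":
                findings.append((str(net), proto, via, str(lan)))
    return findings

if __name__ == "__main__":
    for net, proto, via, lan in audit_ixp_routes(SAMPLE_RIB):
        print(f"{net} via {via} ({proto}) is inside IXP LAN {lan}: should not be carried")
```

A route whose next hop sits on the IXP LAN (the 203.0.113.0/24 entry) is ordinary peering and is not flagged; only routes to the LAN prefix itself, or to more-specifics of it, are.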



