[195649] in North American Network Operators' Group
Re: Max Prefix Out, was Re: Verizon 701 Route leak?
daemon@ATHENA.MIT.EDU (Michael Still)
Thu Aug 31 10:02:50 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <A6320415-7898-4F07-9FAE-265F2E8C2023@ip-clear.de>
From: Michael Still <stillwaxin@gmail.com>
Date: Thu, 31 Aug 2017 10:02:44 -0400
To: Jörg Kost <jk@ip-clear.de>
Cc: "nanog@nanog.org" <nanog@nanog.org>, Job Snijders <job@ntt.net>
Errors-To: nanog-bounces@nanog.org
I think what this is is just a new (potentially) knob that can be
turned. If you don't want to turn it that's your deal, you run your
network how you want. There's been no suggestion that there be some
explicit default value or even that it's turned on by default so
behavior won't change unless configured and if you configure it, you
are on the hook for knowing how that might affect the behavior of your
network.
I would expect BGP speakers (router vendors / software devs) to
implement this in a way such that it would syslog or otherwise trigger
when the number of outbound prefixes reaches a specific percentage (of
configured limit) or hard number so that either an engineer could
respond or automation take place to do something in response.
On Thu, Aug 31, 2017 at 9:21 AM, Jörg Kost <jk@ip-clear.de> wrote:
> Hi,
>
> but in reality you will factorise and summarize outbound and inbound
> numbers, create spare room for sessions and failover scenarios and therefore
> leaks and especially partial leaks can still occur.
>
> In another example scenario the BGP process may not only shutdown the
> session to B, that has run into an outbound warning, but all other sessions
> to prevent "leaks". Last-resort the router will only judge by the number of
> the prefixes and therefore could shutdown himself by accident, especially if
> this router was not the origin. That could be a global headache ;-)
>
> Jörg
>
>
> On 31 Aug 2017, at 13:06, Job Snijders wrote:
>
>> Dear Jörg,
>>
>> On Thu, Aug 31, 2017 at 12:50:58PM +0200, Jörg Kost wrote:
>>>
>>> but isn't peer A prefix-out a synonym for peer B prefix-in, that will
>>> lead to the same result, e.g. a BGP teardown?
>>>
>>> I just feel that this will add another factor, that people will not
>>> use or abuse: neigh $x max-out infinite
>>
>>
>> I feel you may be overlooking a key aspect here: Currently all of us
>> rely on our peer's 'inbound maximum prefix limit', and obviously these
>> are not always set correctly. An 'outbound maximum prefix limit' offers
>> networks that care about the rest of the world the option to
>> 'self-destruct' the EBGP session in order to protect others.
>>
>
-- 
[stillwaxin@gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwaxin@gmail.com ~]$
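Added illustration (not code from any poster or router vendor) of the per-session outbound limit with a warning percentage that Michael describes, and of Jörg's caveat that a partial leak below the limit is not caught; peer names, limits and prefixes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class OutboundLimit:
    limit: Optional[int]    # hard maximum of prefixes advertised to this peer; None = 'max-out infinite'
    warn_pct: int = 80      # raise a syslog-style warning at this percentage of the limit

@dataclass
class Session:
    peer: str
    cfg: OutboundLimit
    advertised: Set[str] = field(default_factory=set)
    state: str = "established"

def evaluate_outbound(sessions: List[Session]) -> Dict[str, Tuple[str, int]]:
    """Check each session's outbound prefix count against that session's own limit.
    Only the session that exceeds its limit is torn down; the others are left untouched."""
    events = {}
    for s in sessions:
        n = len(s.advertised)
        if s.cfg.limit is None:
            events[s.peer] = ("ok", n)          # knob not configured: behaviour unchanged
        elif n > s.cfg.limit:
            s.state = "idle"                    # self-destruct this EBGP session only
            events[s.peer] = ("teardown", n)
        elif n * 100 >= s.cfg.limit * s.cfg.warn_pct:
            events[s.peer] = ("warning", n)     # an engineer or automation can react here
        else:
            events[s.peer] = ("ok", n)
    return events

# Constructed data: 5 customer prefixes normally advertised, peer A limited to 10, peer B unlimited.
CUSTOMER = {f"192.0.2.{i * 32}/27" for i in range(5)}

def simulate(leaked: int) -> Dict[str, Tuple[str, int]]:
    """Advertise the customer prefixes plus `leaked` extra (constructed) prefixes to both peers."""
    leak = {f"10.{i // 256}.{i % 256}.0/24" for i in range(leaked)}
    a = Session("A", OutboundLimit(limit=10), CUSTOMER | leak)
    b = Session("B", OutboundLimit(limit=None), CUSTOMER | leak)
    return evaluate_outbound([a, b])

if __name__ == "__main__":
    print(simulate(100))  # full-table leak: A torn down, B (no limit) unaffected
    print(simulate(2))    # partial leak of 2 prefixes stays under the warning line: not caught
```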