[86465] in North American Network Operators' Group


home	help	back	first	fref	pref	prev	next	nref	lref	last	post
Re: BGP terminology question

daemon@ATHENA.MIT.EDU (NetSecGuy)
Sun Nov 6 14:21:27 2005

Date: Sun, 6 Nov 2005 14:21:00 -0500
From: NetSecGuy <netsecguy@gmail.com>
To: nanog@merit.edu
In-Reply-To: <655FE506-A389-466F-9314-6416F2C8C2C6@ianai.net>
Errors-To: owner-nanog@merit.edu


------=_Part_56218_15716127.1131304860639
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

At the risk of sounding like a total moron, can anyone explain what is
happening here?

This is from RIS, specifically RRC00. Here is some sample output of
route_btoa from this file:
http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz
<snip>
BGP4MP|1131251415|STATE|193.0.0.56|3333|1|2
BGP4MP|1131251415|STATE|193.0.0.56|3333|2|4
BGP4MP|1131251415|STATE|193.0.0.56|3333|4|5
BGP4MP|1131251415|STATE|193.0.0.56|3333|5|6
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.252.0/23|3333 3356
11168|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.254.0/23|3333 3356
11168|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.10.241.0/24|3333 1103 1273 6395 22324
22324|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.15.2.0/24|3333 6320 8001 6395 26049
26049 26049 26049|IGP|193.0.0.56|0|0||NAG||
</snip>

I understand AS3333 is RIS itself, is this some kind of misconfig on their
end? It seems to be announcing it's entire table every 5 minutes. This
started late Friday and ended a few hours ago.


On 11/6/05, Patrick W. Gilmore <patrick@ianai.net> wrote:
>
> On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote:
>
> > I asked this question on inet-access and it was suggested I try NANOG.
> >
> > I understand BGP flapping to be announcements followed by withdraws
> > over a short period. I am seeing a peer with a large number of
> > announcements and the normal number of withdraws. Is there a term
> > to describe what I am seeing? I'd like to understand what is
> > happening, but I've been looking for more info and can't seem to
> > find anything. I suspect I am just not using the right words to
> > search.
> >
> > If there isn't a term, why would a peer announce thousands of time
> > an hour with very few withdraws?
>
> There is a term, it's called "broken".
>
> A peer should never announce a route it has already announced unless
> that route is withdrawn. (If the session goes down or is reset, that
> counts as a withdrawal.)
>
> --
> TTFN,
> patrick
>

------=_Part_56218_15716127.1131304860639
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

At the risk of sounding like a total moron, can anyone explain what is happ=
ening here?&nbsp; <br>
<br>
This is from RIS, specifically RRC00.&nbsp; Here is some sample output of r=
oute_btoa from this file:<br>
<a href=3D"http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz"=
>http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz</a><br>
&lt;snip&gt;<br>
BGP4MP|1131251415|STATE|193.0.0.56|3333|1|2<br>
BGP4MP|1131251415|STATE|193.0.0.56|3333|2|4<br>
BGP4MP|1131251415|STATE|193.0.0.56|3333|4|5<br>
BGP4MP|1131251415|STATE|193.0.0.56|3333|5|6<br>
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.252.0/23|3333 3356 11168|IGP|193.0=
.0.56|0|0||NAG||<br>
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.254.0/23|3333 3356 11168|IGP|193.0=
.0.56|0|0||NAG||<br>
BGP4MP|1131251415|A|193.0.0.56|3333|8.10.241.0/24|3333 1103 1273 6395 22324=
 22324|IGP|193.0.0.56|0|0||NAG||<br>
BGP4MP|1131251415|A|193.0.0.56|3333|8.15.2.0/24|3333 6320 8001 6395 26049 2=
6049 26049 26049|IGP|193.0.0.56|0|0||NAG||<br>
&lt;/snip&gt;<br>
<br>
I understand AS3333 is RIS itself, is this some kind of misconfig on
their end?&nbsp; It seems to be announcing it's entire table every 5
minutes. This started late Friday and ended a few hours ago.<br>
<br>
<br><div><span class=3D"gmail_quote">On 11/6/05, <b class=3D"gmail_senderna=
me">Patrick W. Gilmore</b> &lt;<a href=3D"mailto:patrick@ianai.net">patrick=
@ianai.net</a>&gt; wrote:</span><blockquote class=3D"gmail_quote" style=3D"=
border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; paddi=
ng-left: 1ex;">
On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote:<br><br>&gt; I asked this quest=
ion on inet-access and it was suggested I try NANOG.<br>&gt;<br>&gt; I unde=
rstand BGP flapping to be announcements followed by withdraws<br>&gt; over =
a short period.&nbsp;&nbsp;I am seeing a peer with a large number of
<br>&gt; announcements and the normal number of withdraws.&nbsp;&nbsp;Is th=
ere a term<br>&gt; to describe what I am seeing?&nbsp;&nbsp;I'd like to und=
erstand what is<br>&gt; happening, but I've been looking for more info and =
can't seem to<br>
&gt; find anything. I suspect I am just not using the right words to<br>&gt=
; search.<br>&gt;<br>&gt; If there isn't a term, why would a peer announce =
thousands of time<br>&gt; an hour with very few withdraws?<br><br>There is =
a term, it's called &quot;broken&quot;.
<br><br>A peer should never announce a route it has already announced unles=
s<br>that route is withdrawn.&nbsp;&nbsp;(If the session goes down or is re=
set, that<br>counts as a withdrawal.)<br><br>--<br>TTFN,<br>patrick<br></bl=
ockquote>
</div><br>

------=_Part_56218_15716127.1131304860639--

home	help	back	first	fref	pref	prev	next	nref	lref	last	post
[86465] in North American Network Operators' Group

Re: BGP terminology question

daemon@ATHENA.MIT.EDU (NetSecGuy)Sun Nov 6 14:21:27 2005

daemon@ATHENA.MIT.EDU (NetSecGuy)
Sun Nov 6 14:21:27 2005
