Re: [GROW] some questions from {RC, LC, EC} analysis presentation in GROW

[Zhuangshunwan]

Hi Sriram,

Thanks for your great job! Your work has given me a very in-depth understanding 
of the propagation behavior of BGP community attributes on the Internet.
Regarding " Total # Unique {Prefix, RC = 3356:9999} ; 28", why is the number 
only 28? It may be that the mask of black hole routes is usually greater than 
24 (for IPv4 prefixes), preventing such routes from spreading widely on the 
Internet?
If the answer to the above question is "yes", then if other communities 
"ASN:666" are widespread in the wild, then such "ASN:666" may not be a black 
hole community attribute too? As far as I know, the other two examples are 
263:666 and 5511:666.

Regards,
Shunwan

-----Original Message-----
From: Sriram, Kotikalapudi (Fed) [mailto:kotikalapudi.sri...@nist.gov] 
Sent: Tuesday, August 10, 2021 1:07 AM
To: Zhuangshunwan <zhuangshun...@huawei.com>
Cc: Jeffrey Haas <jh...@pfrc.org>; GROW WG <grow@ietf.org>; IDR <i...@ietf.org>
Subject: Re: some questions from {RC, LC, EC} analysis presentation in GROW

I have heard back from Lumen/Level3 and they have confirmed the following: 

remarks:        prefix type communities
remarks:        --------------------------------------------------------
remarks:        3356:123 - Customer route
remarks:        3356:666 - Peer route

They also stated, “The 123 and 666 communities are announced to our customers 
intentionally.”

I think the above info is good from the point of view of our measurements. We 
no longer treat 3356:666 as a Blackhole community. So, we separate them from 
other ASN:666. We look at the propagation of 3356:666 and 3356:123. Both are 
meant to start at AS 3356 and are expected to propagate down the customer cone 
(according to the info from Lumen/Level3 above). We do observe very substantial 
numbers of 3356:666 and 3356:123:

RIB data (RouteViews3, 2021-07-15.0000):
Total # Unique {Prefix, RC = 3356:666} ; 509900 Total # Unique {Prefix, RC = 
3356:123} ; 399567 Total # Unique {Prefix, RC = 3356:9999} ; 28

This is somewhat along the lines of what Jeff was also requesting: measure the 
propagation against known applications. So, there are about 510K Unique 
{Prefix, RC = 3356:666} and 400K Unique {Prefix, RC = 3356:123}. They are 
observed propagating multiple hops starting from AS 3356 (we’ll update the 
slides with this distribution). Hopefully, much of this propagation is down the 
customer cone as expected. We don't know if some of them are route leaks, but 
we can try to check that as part of further investigation.

Any further thoughts/comments?

Sriram   
------------------------------------------

________________________________________
From: Sriram, Kotikalapudi (Fed) <kotikalapudi.sri...@nist.gov>
Sent: Wednesday, August 4, 2021 12:58 PM
To: Zhuangshunwan; Sriram, Kotikalapudi (Fed); GROW WG
Cc: IDR
Subject: Re: some questions from {RC, LC, EC} analysis presentation in GROW

Hi Shunwan,

Yes, that is a curious thing ... it seems peculiar and specific to AS 3356.
I have started a discussion on NANOG about 3356:666, 3356:9999, etc.
Please take a look:
https://mailman.nanog.org/pipermail/nanog/2021-August/thread.html#214447 

Only AS 3356 may be an outlier. Most other AS operators use ASN:666 or WKC 
65535:666 for Blackhole Community:
https://www.google.com/search?q=BGP+community+%3A666&rlz=1C1GCEV_enUS847US847&oq=BGP+community+%3A666&aqs=chrome..69i57j69i64.9798j1j15&sourceid=chrome&ie=UTF-8&safe=active&ssui=on
 

Also, we'll check -- on slide 12 of my GROW presentation -- out of the roughly 
265K count of unique {Prefix, AS Path, RC = Any:666}, how many are with 
3356:666. I will let you know.

Sriram

________________________________________
From: GROW <grow-boun...@ietf.org> on behalf of Zhuangshunwan 
<zhuangshun...@huawei.com>
Sent: Tuesday, August 3, 2021 10:37 PM
To: Sriram, Kotikalapudi (Fed); GROW WG
Cc: IDR
Subject: Re: [GROW] some questions from {RC, LC, EC} analysis presentation in 
GROW

Hi Sriram,

The community attribute example 3356:666 on page 10 may not match the actual 
function.
"
Example: AS path = 25160 3356 12956 6147 and RC = 3356:666  This means that 
the client is at AS 6147 (origin AS) and AS 3356 is the RTBH provider  AS 
Distance to RTBH provider = 2  Propagation (#hops): The Blackhole Community 
propagated 3 hops in this case (AS 6147 to AS 25160) "

According to https://onestep.net/communities/as3356/
...
--------------------------------------------------------
prefix type communities
--------------------------------------------------------
3356:123 - Customer route
3356:666 - Peer route
--------------------------------------------------------
...
--------------------------------------------------------
customer traffic engineering communities - Blackhole
--------------------------------------------------------
3356:9999 - blackhole (discard) traffic

Traffic destined for any prefixes tagged with this community will be discarded 
at ingress to the Level 3 network. The prefix must be one permitted by the 
customer's existing ingress BGP filter.
For some router vendors the peering
must be changed to an eBGP multihop session on the Level
3 side of the connection.
...

Regards,
Shunwan

_______________________________________________
GROW mailing list
GROW@ietf.org
https://www.ietf.org/mailman/listinfo/grow