Re: BGP route flap damping

[Kim Onnel]

Do this, configure and use blackhole routing with your upstream, this is how you stop an attack

How to detect it, use netflow.

On 1/16/06, Patrick W. Gilmore [EMAIL PROTECTED] wrote:
On Jan 16, 2006, at 8:48 AM, Gustavo Rodrigues Ramos wrote: Patrick W. Gilmore wrote: Not much you can do about this in general.In your specific case, since we don't know why your sessions died, we don't know what to
 suggest to stop it.Perhaps change the timers with your upstream? My BGP connections (and annoucements) with/to my ISPs are all fine. The problem takes place five or six AS far from me... Where I can't do
 much. I still can't reach some prefixes announced by large ISPs. At the first time, I thought an e-mail to the NOC of the network I can't reach can solve the problem, but it was a waste of time...
I'm a little confused.Are you saying you dampened the prefixes of some other network?Ifso, it sounds like this is 100% in your control.If the BGP sessions between you and your upstreams / peers never
flapped, no one should have dampened you.(I can see it possiblyhappening if someone else in the path between you and $OtherNetworkis attacked and therefore flaps your routes, but that would affect alot of networks, not just you.)
--TTFN,patrick

Agenda topics for Dallas

[Susan Harris]

Greetings - here are the talks we've lined up so far for Dallas. Stay 
tuned - we'll be adding new topics often.


SUNDAY ACTIVITIES
-
Newcomer's Orientation and Reception 3:30 - 5:00 p.m.
Steering Committee Community Meeting 5:00 - 7:00 p.m.
Welcome Reception, (fabulous) location TBA   6:30 - 11:00 p.m.

GENERAL SESSION (Monday, Tuesday, Wednesday morning)


  - Searching for DNS Cache Poisoners
   Duane Wessels, Measurement Factory/CAIDA

  - How Prevalent is Prefix Hijacking on the Internet?
   Peter Boothe and James Hiebert, Univ. of Oregon; Randy Bush, IIJ

  - Hurricane Katrina: Telecom Infrastructure Impacts, Solutions,
   and Opportunities
   Paula Rhea, Verizon

  - Flamingo: An Internet Traffic Exploration Tool
   Manish Karir, Merit

  - NVisionIP and VisFlowConnect-IP: Two Tools for Visualizing NetFlows
for Security
   Bill Yurcik, NCSA

  - Panel: Time for the Transition or Just More GOSIP?
   Dan Golding, Burton Group, moderator

  - IRR Power Tools: a Utility for Managing Internet Routing Registry
Filters
   Richard Steenbergen, nLayer Communications

  - Flooding Attacks by Exploiting Persistent Forwarding Loops
   Jianhong Xia, Lixin Gao and Teng Fei, University of Massachusetts

  - Clear and Present Increase of  Queries
   Tsuyoshi Toyono, Keisuke Ishibashi, Katsuyasu Toyama, NTT Labs

  = v6fix: Fighting Against an IPv6 Pandemic
   Kenjiro Cho, WIDE Project/IIJ, Ruri Hiromi, WIDE Project/Intec NetCore

RESEARCH FORUM
--

  - An Inter-domain Consistency Management Layer
   Nate Kushman, MIT

TUTORIALS (Monday/Tuesday afternoon)


  - Troubleshooting BGP
   Level: Introductory
   Philip Smith, Cisco

   - Overview of QoS for Packet-based IP and MPLS Networks
   Level: Introductory/Intermediate
   Paresh Shah, Utpal Mukhopadhyaya, and Arun Sathiamurthi, Cisco

BOFS (Monday/Tuesday afternoon)


   - Tools BOF
   Todd Underwood, Renesys, Moderator

   - ISP Security and NSP-SEC BOF XI
   Danny McPherson, Arbor, Moderator

   - Peering BOF XI
   William B. Norton, Equinix, Moderator

Abstracts are linked off this page:

http://www.nanog.org/mtg-0602/topics.html

See y'all next month.

[afrinic-discuss] AfriNIC to start allocating from 41/8 (fwd)

[william(at)elan.net]

FYI:

-- Forwarded message --
Date: Mon, 16 Jan 2006 13:59:15 +0200
From: Ernest, B.M (AfriNIC - ZA) [EMAIL PROTECTED]
Reply-To: AfriNIC Discuss afrinic-discuss@afrinic.net
To: afrinic-discuss@afrinic.net
Cc: [EMAIL PROTECTED], afnog@afnog.org
Subject: [afrinic-discuss] AfriNIC to start allocating from 41/8

Dear Colleagues,

As you may be aware, AfriNIC received a 41/8 block from IANA
in April 2005. With effect from February 2006, all IPv4
address space allocated within the AfriNIC service region
will be made from 41/8.

The 196/8 block previously used for allocations in AfriNIC
service region will now be used only for direct end-user (PI)
assignments.

This is therefore a notice that any filters you have may need
appropriate adjustments.

Kind regards,

Ernest,
AfriNIC.
___
afrinic-discuss mailing list
afrinic-discuss@afrinic.net
http://lists.afrinic.net/mailman/listinfo.cgi/afrinic-discuss

Re: Intradomain Traffic Engineering

[Deepak Jain]

1. In the traces I have, there exist several intervals with a huge, 
sudden increase of traffic on some links. The prediction model I use 
cannot predict those 'big spikes'. Do these 'big spikes' really happen 
in operational networks? Or are they merely measurement errors? If they 
really happen, is there a gradual ramp up of traffic in smaller time 
scale, say, on the order of tens of seconds? Or do these 'big spikes' 
really occur very quickly, say, in a few seconds?
2. I have the option to make a tradeoff between average case 
performance and worst case performance guarantee, but I don't know which 
one is deemed more important by you. Are ISP networks currently 
optimized for worst case or average case performance? Is the trade-off 
between these two an appealing idea, or may the ISP networks are already 
doing it?


This email covers a lot of issues, perhaps it'll start a discussion.

I think the question depends on how big a core you are talking about. 
Excluding local effects (the operator of the network bounces a link or 
loses a router, etc), I doubt if you have a significantly large network 
you have many effects that shift traffic faster than 10s of seconds 
(upperbound on this statement is ~30 seconds).


For example, if you lose a BGP session, it may take more than 30 
seconds for the router to notice it. Once it realizes that its gone, it 
may re-route traffic very rapidly. But it would still take a while (at 
least a few seconds for a local link, more for a backbone link) before 
that traffic really renormalizes). This has more to do with TCP noticing 
packet loss, backing off [only for the traffic that has been effected] 
and starting back up. It takes up to half a second to *establish* a 
single TCP session on an average latency link.


So, the trick would be to discover the traffic has gone or gone wonky 
before the BGP session is dropped. This would allow your algorithm to 
back off until a new /normal/ has been established.


However, the talk of traffic engineering and maximum utilization always 
come into vogue when folks want to squeeze more utilization out of their 
networks without really spending more money. IMO, the best time to use 
TE is when customer-links to your network approach your maximum core 
speed [relative here... there is /core/ in your datacenter/pop and there 
is /core/ that is your network to the point the packets get handed off 
on average]. Often this limit on the operator's core is technology 
imposed (though budgetary concerns get in there too).


I think the technology doesn't really exist at a scalable level to 
operate for the worst-case scenario, despite what some people may say. 
Our traffic measurement/link measurement tools are almost all average... 
and spot checks are of only marginal value. I would suggest that this 
is because of the nature of TCP. If the Internet were UDP based, there 
would be a *lot* more flash traffic problems. So, for those who have a 
high amount of UDP traffic (media streamers, DNS hosts, etc) would have 
a very different experience.


I'm not the first person to say it, and I can't remember the first place 
I heard it... but I'd suggest that the core is not where TE has the best 
 benefits. Cores by their nature need to be overengineered. You have 
very little flexibility because the demands on them are wide [they need 
to handle UDP and TCP, low latency and high latency acceptable 
applications with aplomb].


TE belongs to the Customer or non-backbone operating ISP. If one were to 
start an ISP where all residential customer connections were 1Gb/s I 
could conceivably have thousands of customers operating without needing 
200Gb/s of uplink [assuming that were really feasible for a network with 
very little traffic terminating on the network]. By using TE I could 
shape my peak traffic needs (MLU) to approach my average. This would 
make me a much more desirable customer to sell transit to.


TE, MLU, and other concerns while most well understood by 
core-operators, aren't by customers. Core operators may eventually need 
to push these concerns to customers if backbone link speeds do not stay 
far above end-user connection speeds. [on an ICB basis, they are -- 
whenever you want to buy a few OC-48s in a single POP or an OC-192 
customer connection, someone is always going to ask you what your 
traffic looks like and when]. This would be easiest to push over by 
providing differential pricing. Enforcement and Analysis of *what* is a 
desirable traffic pattern and what financial value that provides is 
where we are largely lacking today. Since a customer knows their traffic 
 and their needs better than a core operator, they would be much better 
at enforcing traffic flows/engineering. This is better than a core that 
optimizes for its own link utilization instead one that just tries to 
stay as empty as possible for as long as possible.


This is way early in the day for me, so this may not make any sense.

YMMV,

Re: GoDaddy.com shuts down entire data center?

[Per Heldal]

On Mon, 16 Jan 2006 11:36:39 -0800, Joe McGuckin [EMAIL PROTECTED] said:
 By all means, the Justice Dept. and police should move against anyone
 performing illegal acts such as phishing, I just don't think that it is
 ICANN or ARIN and GoDaddy's job to police good net citizenship.

You forget that the internet-services are based on best-effort. Anything
else will require accountability for everyone involved. That is
accountability going both ways so that users also can be held
accountable for *all* their actions. To achieve that you'll have to toss
any idea of anonymity for internet users. Wonder if that is what those
who complain about restricive AUPs really want ;)

Besides, whose authorities should do excactly what? Global legislation
for the internet is just about as big an illusion as the new economy
the internet once was assumed to create.

//per
-- 
  Per Heldal
  http://heldal.eml.cc/

Yahoo Reception is Monday not Sunday

[Susan Harris]

Oopsie - I misspoke below:


SUNDAY ACTIVITIES
-
Newcomer's Orientation and Reception 3:30 - 5:00 p.m.
Steering Committee Community Meeting 5:00 - 7:00 p.m.
Welcome Reception, location TBA  6:30 - 11:00 p.m.


Yahoo's Welcome Reception is actually *Monday* evening, not Sunday.
The Beer 'n Gear is Tuesday evening. Sorry for the confusion.

Network Solutions DNS Outage

[Justin M. Wilson]

Network Solutions seem to be having a DNS outage--the worldnic servers 
are timing out--all of the domains they host DNS for seem to be down.


Customer Service indicated that they were having a problem, and were 
working to resolve it.



Justin M. Wilson
[EMAIL PROTECTED]

Cisco Security Advisory: IOS Stack Group Bidding Protocol Crafted Packet DoS

[Cisco Systems Product Security Incident Response Team]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: IOS Stack Group Bidding Protocol Crafted
Packet DoS

Document ID: 68793

Advisory ID: cisco-sa-20060118-sgbp

http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

Revision 1.0


For Public Release 2006 January 18 1600 UTC (GMT)

- -

Contents


Summary
Affected Products
Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -

Summary
===

The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain
versions of Cisco IOS software is vulnerable to a
remotely-exploitable denial of service condition. Devices that do not
support or have not enabled the SGBP protocol are not affected by
this vulnerability.

Cisco has made free software available to address this vulnerability
for affected customers. There are workarounds available to mitigate
the effects of the vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20060118-sgbp.shtml

Affected Products
=

Vulnerable Products
+--

This vulnerability affects any device that runs Cisco IOS and has
enabled the SGBP protocol. SGBP is enabled by defining a stack group,
which is done using the global IOS command sgbp group name. The
presence of this command will cause the device to begin listening on
port 9900, even if the remaining SGBP parameters are not fully
configured.

The following examples demonstrate device configurations for which
SGBP is enabled:

Router#show sgbp
Group Name: test Ref: 0xA3728C00
Seed bid: default, 50, default seed bid setting

Or:

Router#show running-config | include sgbp
sgbp group test_group

If your device displays output similar to either of the above
examples, please consult the IOS software table below to determine
whether your version of IOS is affected.

Products Confirmed Not Vulnerable
+

Cisco products that do not run IOS, do not contain support for SGBP,
or do not have SGBP enabled are not affected by this vulnerability.

Systems on which SGBP is not supported or enabled will return either
blank output or an error message. The following examples demonstrate
device configurations that are not affected by this vulnerability:

  * A system that supports but is not enabled for SGBP returns this
output:
   
Router#show sgbp
Router#
   
  * A system that does not support SGBP returns this error message:
   
Router#show sgbp
Router#show sgbp
 ^ 
% Invalid input detected at '^' marker.
   
Details
===

Multilink PPP (MLP) allows users to combine multiple PPP links into a
single logical network connection, thus enabling on demand bandwidth
allocation. When implemented across multiple device chassis, this is
known as Multichassis Multilink PPP (MMP). The Stack Group Bidding
Protocol is the mechanism by which devices participating in MMP
locate each other and negotiate for a connection termination point.

The SGBP implementation provided by the Cisco Internetwork Operating
System (IOS) is susceptible to a denial of service attack when
presented with a crafted UDP packet. Sending such a packet to port
9900 of an affected device will cause it to freeze and stop
responding to or passing traffic. After a delay, the system watchdog
timer will detect this condition and force a reset of the device. The
system recovery behavior will be controlled by the device
configuration register; for example, the router may reload or drop to
the ROM monitor.

This vulnerability is documented in Cisco bug ID CSCsb11124. 

Impact
==

Successful exploitation of this vulnerability may cause the affected
device to become unresponsive and trigger a hardware reset, resulting
in a denial of service condition.

Software Versions and Fixes
===

Cisco has provided updated software to address this vulnerability.
For further details, please refer to the software table below.

When considering software upgrades, also consult 
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release
train and the platforms or products for which

PI space and colocation

[up]

Questions:

If one gets PI space from ARIN for their network, then moves the servers
to a rack at a data center (still using the space efficiently), will most
colocation providers announce this space for them, or would most providers
require them to take allocated space from them?

Is it a reasonable alternative to establish a BGP connection with the
provider over ethernet?

Is this ok per ARINs requirements, assuming you first acquired this space
under their multihomed network guidelines?

TIA,

James Smallacombe PlantageNet, Inc. CEO and Janitor
[EMAIL PROTECTED]   
http://3.am
=

Re: PI space and colocation

[Patrick W. Gilmore]

On Jan 18, 2006, at 2:41 PM, [EMAIL PROTECTED] wrote:

If one gets PI space from ARIN for their network, then moves the  
servers
to a rack at a data center (still using the space efficiently),  
will most
colocation providers announce this space for them, or would most  
providers

require them to take allocated space from them?


I don't know about most, but every one I've asked has done it.

You might need to sign an LOA.



Is it a reasonable alternative to establish a BGP connection with the
provider over ethernet?


It is technical feasible, but I don't think 'reasonable'.  Stub ASes  
are pollution on the 'Net.


But that doesn't stop some people.


Is this ok per ARINs requirements, assuming you first acquired this  
space

under their multihomed network guidelines?


That I do not know, but would guess no.  (I would also guess they  
won't notice. =)


Of course, if the space is /20 or more, you qualify under other rules  
too.


--
TTFN,
patrick

Re: PI space and colocation

[Jon Lewis]

On Wed, 18 Jan 2006, Patrick W. Gilmore wrote:


If one gets PI space from ARIN for their network, then moves the servers
to a rack at a data center (still using the space efficiently), will most
colocation providers announce this space for them, or would most providers
require them to take allocated space from them?


I don't know about most, but every one I've asked has done it.


We'd do it as long as everything looked legit (i.e. it really seems to be 
the customer's IP space).



Is it a reasonable alternative to establish a BGP connection with the
provider over ethernet?


It is technical feasible, but I don't think 'reasonable'.  Stub ASes are 
pollution on the 'Net.


We've done this as well.  Whats wrong with letting the customer use their 
ASN and BGP peering with them in your data center?  They might even get a 
connection to someone else there and multihome again.  Either way, the 
routes are getting into the global table...does the end of the aspath 
matter that much?


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Strange issue involving sampling

[Peering]

Title: Strange issue involving sampling






First, apologies if this isn't the right place, but I was hoping to hit a lot of networking folks in one shot and this seemed like the likely venue.

I have this problem where a customer of mine has issues getting to secure websites (https sites like Charles Schwab's). It doesn't happen all the time, maybe once a month or so. We went to Juniper with the issue (we're using M-20s as our edge routers) and they couldn't figure it out, but one of our engineers found that the config pasted below (with proprietary info removed) fixed the problem. The only problem is that even with this config, we have to restart the sampling daemon every month or so because the problem will come back. Understandably, the customer would prefer to have a more permanent solution.

Anyone have an idea why this one customer on my entire network would have this issue? Supposedly the customer had Cisco come out and look at their network and they couldn't find any reason for it either.

routerx# show | compare rollback 0 

[edit]

- forwarding-options {

- sampling {

- input {

- family inet {

- rate 1;

- }

- }

- output {

- file filename customer.sample;

- }

- }

- }

[edit firewall]

- filter customer {

- term 1 {

- then {

- sample;

- accept;

- }

- }

- term default {

- then accept;

- } 

- }


[edit interfaces ls-2/3/0 unit 3]

routerx# show 

description Customer X;

encapsulation multilink-ppp;

ml-pic-compatible;

family inet {

 no-redirects;

 filter {

 input customer;

 output customer;

 }

 address x.x.x.x/30;

}


Diane Turley

Sr. Network Engineer

Xspedius Communications Co.

636-625-7178

Re: PI space and colocation

[Patrick W. Gilmore]

On Jan 18, 2006, at 3:03 PM, Jon Lewis wrote:

Is it a reasonable alternative to establish a BGP connection with  
the

provider over ethernet?


It is technical feasible, but I don't think 'reasonable'.  Stub  
ASes are pollution on the 'Net.


We've done this as well.  Whats wrong with letting the customer use  
their ASN and BGP peering with them in your data center?  They  
might even get a connection to someone else there and multihome  
again.  Either way, the routes are getting into the global  
table...does the end of the aspath matter that much?


It adds zero useful data to the global table, but increases RAM, CPU,  
etc. on every router looking at the global table.


Given how vociferously people argue against items in the table which  
_do_ add useful data, superfluous info should be avoided whenever  
possible.  IMHO, of course.


--
TTFN,
patrick

RE: PI space and colocation

[Chris Ranch]

On Wednesday, January 18, 2006 12:10 PM, Pat wrote:
 On Jan 18, 2006, at 3:03 PM, Jon Lewis wrote:
 
  Is it a reasonable alternative to establish a BGP connection with 
  the provider over ethernet?
 
  It is technical feasible, but I don't think 'reasonable'.  
 Stub ASes 
  are pollution on the 'Net.
 
  We've done this as well.  Whats wrong with letting the customer use 
  their ASN and BGP peering with them in your data center?  
 They might 
  even get a connection to someone else there and multihome again.  
  Either way, the routes are getting into the global table...does the 
  end of the aspath matter that much?
 
 It adds zero useful data to the global table, but increases 
 RAM, CPU, etc. on every router looking at the global table.
 
 Given how vociferously people argue against items in the 
 table which _do_ add useful data, superfluous info should be 
 avoided whenever possible.  IMHO, of course.

In the past under these circumstances, if the customer still insists on
BGP after I strongly recommeded just a static DFG, I'd peer with the
customer with a private AS (64512-65535).  Then they usually ask me to
annouce a DFG to them.  Sometimes they'd want a full table.  Sigh.  

At least they'd have the future flexibility of adding another provider
without much change.  I've personally done that too.

Chris

Re: PI space and colocation

[Chris Adams]

Once upon a time, Patrick W. Gilmore [EMAIL PROTECTED] said:
 It adds zero useful data to the global table, but increases RAM, CPU,  
 etc. on every router looking at the global table.

How much difference is there between one AS (the colo provider)
announcing a prefix and another AS (the customer) announcing it through
the first AS (the colo provider)?  If the space is ARIN assigned PI, it
isn't going to aggregate with the colo provider's space, so the prefix
will still be a separate announcement.  The only difference is the AS
path is one entry longer.

-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

Re: Strange issue involving sampling

[Richard A Steenbergen]

On Wed, Jan 18, 2006 at 03:09:50PM -0500, Peering wrote:
 First, apologies if this isn't the right place, but I was hoping to hit
 a lot of networking folks in one shot and this seemed like the likely
 venue.

This sounds like a Juniper-specific issue, so the appropriate place is 
probably going to be http://puck.nether.net/juniper-nsp/.

 I have this problem where a customer of mine has issues getting to
 secure websites (https sites like Charles Schwab's).  It doesn't happen
 all the time, maybe once a month or so.  We went to Juniper with the
 issue (we're using M-20s as our edge routers) and they couldn't figure
 it out, but one of our engineers found that the config pasted below
 (with proprietary info removed) fixed the problem.  The only problem is
 that even with this config, we have to restart the sampling daemon every
 month or so because the problem will come back.  Understandably, the
 customer would prefer to have a more permanent solution.

You have to restart the sampling daemon to forward packets to SSL based 
websites? Wha? Are you sure you didn't accidentally install a Crackpipe 
Services PIC in that router? :)

 Anyone have an idea why this one customer on my entire network would
 have this issue?  Supposedly the customer had Cisco come out and look at
 their network and they couldn't find any reason for it either.
[snip]

Nothing in that config would cause or cure the problem you've described, 
unless the config it replaced was from destination-port 443; then 
reject;. I suspect your problem lies elsewhere, which is why Juniper and 
Cisco both said there were no problems. :)

But if there really is something going on with the Juniper, re-post this 
to juniper-nsp (with more details about the failure behavior) and I'm sure 
someone will give it their best shot to figure out what your problem is.

-- 
Richard A Steenbergen [EMAIL PROTECTED]   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

Re: PI space and colocation

[Patrick W. Gilmore]

On Jan 18, 2006, at 3:39 PM, Chris Ranch wrote:

In the past under these circumstances, if the customer still  
insists on

BGP after I strongly recommeded just a static DFG, I'd peer with the
customer with a private AS (64512-65535).  Then they usually ask me to
annouce a DFG to them.  Sometimes they'd want a full table.  Sigh.


If they are annoying, just let them use their own AS and make it a  
confederation.


You see it, they see it, the rest of the world doesn't.



At least they'd have the future flexibility of adding another provider
without much change.  I've personally done that too.


Easier if they're using their own ASN.

--
TTFN,
patrick

Re: PI space and colocation

[Patrick W. Gilmore]

On Jan 18, 2006, at 4:02 PM, Chris Adams wrote:


Once upon a time, Patrick W. Gilmore [EMAIL PROTECTED] said:

It adds zero useful data to the global table, but increases RAM, CPU,
etc. on every router looking at the global table.


How much difference is there between one AS (the colo provider)
announcing a prefix and another AS (the customer) announcing it  
through
the first AS (the colo provider)?  If the space is ARIN assigned  
PI, it

isn't going to aggregate with the colo provider's space, so the prefix
will still be a separate announcement.  The only difference is the AS
path is one entry longer.


Well, obviously, the path entry is longer. :)

It's not huge, but it is there.  And like I said, many people argue  
over additions to the table which are actually useful.


--
TTFN,
patrick

Re: PI space and colocation

[Michael Loftis]

--On January 18, 2006 5:21:35 PM -0500 Patrick W. Gilmore 
[EMAIL PROTECTED] wrote:



Well, obviously, the path entry is longer. :)


Yeah and if they (somehow) obtain an ASN for this non-multihoming venture 
then that completely wastes an ASN for no good.  And as we all know there 
aren't an infinite number of those either.




It's not huge, but it is there.  And like I said, many people argue  over
additions to the table which are actually useful.

--
TTFN,
patrick





--
Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds.
-- Samuel Butler

Re: PI space and colocation

[Stephen Sprunk]

Thus spake Chris Adams [EMAIL PROTECTED]

Once upon a time, Patrick W. Gilmore [EMAIL PROTECTED] said:

It adds zero useful data to the global table, but increases RAM, CPU,
etc. on every router looking at the global table.


How much difference is there between one AS (the colo provider)
announcing a prefix and another AS (the customer) announcing it through
the first AS (the colo provider)?  If the space is ARIN assigned PI, it
isn't going to aggregate with the colo provider's space, so the prefix
will still be a separate announcement.  The only difference is the AS
path is one entry longer.


Routing slots aren't the only resource you're consuming.  In general, many 
of the prefixes coming out of a given AS have common attributes, e.g. path, 
MEDs, etc.  Those attributes are stored only once (at least in the BGP 
implementation I know) even if they're used by hundreds of prefixes.  If you 
attach a new leaf AS, it must, by necessity, consume another one of those 
slots.  If the customer prefix were announced by the upstream, however, it 
would not require an additional attribute slot; it'd reuse one of the 
existing ones.


Now, I'm not aware that there's any serious shortage of attribute slots like 
there is routing slots, but there's no sense wasting them if there's no gain 
to be had doing it.  Save your (and everyone else's) RAM for more prefixes.


S

Stephen SprunkStupid people surround themselves with smart
CCIE #3723   people.  Smart people surround themselves with
K5SSS smart people who disagree with them.  --Aaron Sorkin 

Re: PI space and colocation

[Tony Li]

Routing slots aren't the only resource you're consuming.  In  
general, many of the prefixes coming out of a given AS have common  
attributes, e.g. path, MEDs, etc.  Those attributes are stored only  
once (at least in the BGP implementation I know) even if they're  
used by hundreds of prefixes.  If you attach a new leaf AS, it  
must, by necessity, consume another one of those slots.  If the  
customer prefix were announced by the upstream, however, it would  
not require an additional attribute slot; it'd reuse one of the  
existing ones.


Now, I'm not aware that there's any serious shortage of attribute  
slots like there is routing slots, but there's no sense wasting  
them if there's no gain to be had doing it.  Save your (and  
everyone else's) RAM for more prefixes.



I think that this deserves a bit more explanation...

Most implementations use an attribute cache.  An entry in this  
cache typically consists of a
set of different attributes.  Which attributes constitute a cache  
entry is entirely up to the
implementation.  Each prefix will have a number of paths.  Each path  
will point to an attribute cache entry and also contain one or more  
other uncached attributes.  Individual attributes themselves

may also be cached.

The primary attribute cache may or may not include the AS path.  If  
it does not, it is very likely
that there is a cache for the AS paths.  Again, this is all  
implementation dependent.


If an implementation does cache AS paths independently from the  
attribute cache, then the cost
of a stub AS is only one more AS path entry in the AS path cache.  If  
an implementation
does not cache AS paths independently, then creating a stub AS will  
create a new

attribute cache entry, complete with AS path.

Regardless of this, it should be noted that this is only using BGP  
table RAM.  This should not
affect the main routing table or the forwarding table.  Having an  
additional PI prefix in the
first place is the expensive part, as that does consume BGP RAM,  
routing table RAM and

forwarding table entries.

IMHO, wasting any resource is unfortunate, but the cost of additional  
forwarding table entries
far outstrips the cost of additional DRAM.  Thus, adding an  
additional prefix does merit
a significant shout from others, but the stub AS should only be an  
incremental whimper.


Regards,
Tony

Re: PI space and colocation

[Bill Woodcock]

i  On Wed, 18 Jan 2006 [EMAIL PROTECTED] wrote:
 If one gets PI space from ARIN for their network, then moves the servers
 to a rack at a data center (still using the space efficiently), will most
 colocation providers announce this space for them, or would most providers
 require them to take allocated space from them?

Most larger colo providers will do so happily, provided you have 
sufficient expertise to operate your own BGP router and make the 
announcement to them.

 Is it a reasonable alternative to establish a BGP connection with the
 provider over ethernet?

Yes.

 Is this ok per ARINs requirements, assuming you first acquired this space
 under their multihomed network guidelines?

It's okay regardless of the policy under which you received the space.

-Bill

Re: PI space and colocation

[Patrick W. Gilmore]

On Jan 18, 2006, at 6:22 PM, Tony Li wrote:

IMHO, wasting any resource is unfortunate, but the cost of  
additional forwarding table entries
far outstrips the cost of additional DRAM.  Thus, adding an  
additional prefix does merit
a significant shout from others, but the stub AS should only be an  
incremental whimper.


It's not just the amount of resources spent, it's what you get for them.

Spending a little on nothing is worse than spending more on something  
useful.


Personally, I think a prefix which gives routability info is useful.   
A Stub AS is just a waste.


--
TTFN,
patrick

P.S. This also means a /24 with the same AS path as the enclosing /16  
is also a waste - an even bigger one.

Re: Collateral Damage

[Scott McGrath]

1 Yes
2 No
3 No
4 No

-Original Message-

From:  Patrick W. Gilmore [EMAIL PROTECTED]
Subj:  Collateral Damage
Date:  Tue Jan 17, 2006 4:44 pm
Size:  2K
To:  [EMAIL PROTECTED]
cc:  Patrick W. Gilmore [EMAIL PROTECTED]


My previous post sparked quite a bit of traffic (mostly to me  
personally).  It also sparked some confusion.  That's mostly my fault  
for writing e-mails far too late at night and mixing it with an  
emotionally charged thread.

So I would like to separate my questions out of the GoDaddy thread,  
write them slightly differently, and give a little more scope for  
clarity.

These questions are designed as yes/no, not it depends.  The idea  
being if there are general circumstances (not billion-in-one corner  
cases) which would make the action in question acceptable, please  
answer yes, and move to the next question.

For instance, I would answer the first question as yes, because  
there are circumstances which happen reasonably often where I would  
take down an innocent domain to stop network abuse.  (E.g. I would  
null-route a /24 that is sending gigabits of DoS traffic, even if  
there is an innocent mail server in that block.)

Anyway, on to the poll.  You are welcome and encouraged to send the  
answers to me privately, I will collate and post back to the list in  
a few days.


* Please answer yes/no.
   - Additional text is encouraged, but I need a yes/no to tabulate  
the vote.
* These questions are not regarding a specific provider or even  
specific abuse type.
   - You can consider spam, DoS, phishing, hacking, etc.
   - Please assume what you consider to be the worst abuse which is  
common on the Internet today.
* There is a basic assumption that due diligence has been applied.
   - You have investigated and are certain this is not a false  
positive or such.
   - I hope we can all agree that shutting someone down without doing  
proper investigation is a Bad Thing.
* There is a basic assumption of notification and grace period.
   - The provider in question knows Bad Things are happening.
   - The provider in question has had a reasonable amount of time to  
fix said Bad Things.
   - Bad Things are still happening.
* Please do not consider extremely rare occurrences or utra-extreme  
scenarios.
   - Null-routing an IP address to stop nuclear war is not in scope  
of this survey.

If you have any questions, please feel free to e-mail me.


1) Do you think it is ever acceptable to cause collateral damage to  
innocent bystanders if it will stop network abuse?

2) If yes, do you still think it is ever acceptable to take down a  
provider with 100s of innocent customers because one customer is  
misbehaving?

3) If yes, do you still think it is ever acceptable if the  
misbehaving customer is not intentionally misbehaving - i.e.  
they've been hacked?

4) If yes, do you still think it is ever acceptable if the collateral  
damage (taking out 100s of innocent businesses) doesn't actually stop  
the spam run / DoS attack / etc.?


Thank you all for your time.

-- 
TTFN,
patrick

Re: Intradomain Traffic Engineering

[Hao Wang]

Hi Deepak,
 Thanks a lot for your opinions!
 Especially, your idea that TE may be more appropriate to stub networks is very interesting. Is it a common practice of large transit ISPs to determine the pricing based on 'what the customer's traffic looks like and when'? And do the transit ISPs actively use traffic regulation (rate control and/or traffic shaping) to control the incoming traffic, or they just simply use some pricing scheme based on traffic pattern, such as 95-percentile charging?


Thanks,
Hao

This email covers a lot of issues, perhaps it'll start a discussion.I think the question depends on how big a core you are talking about.
Excluding local effects (the operator of the network bounces a link orloses a router, etc), I doubt if you have a significantly large networkyou have many effects that shift traffic faster than 10s of seconds
(upperbound on this statement is ~30 seconds).For example, if you lose a BGP session, it may take more than 30seconds for the router to notice it. Once it realizes that its gone, itmay re-route traffic very rapidly. But it would still take a while (at
least a few seconds for a local link, more for a backbone link) beforethat traffic really renormalizes). This has more to do with TCP noticingpacket loss, backing off [only for the traffic that has been effected]
and starting back up. It takes up to half a second to *establish* asingle TCP session on an average latency link.So, the trick would be to discover the traffic has gone or gone wonkybefore the BGP session is dropped. This would allow your algorithm to
back off until a new /normal/ has been established.However, the talk of traffic engineering and maximum utilization alwayscome into vogue when folks want to squeeze more utilization out of theirnetworks without really spending more money. IMO, the best time to use
TE is when customer-links to your network approach your maximum corespeed [relative here... there is /core/ in your datacenter/pop and thereis /core/ that is your network to the point the packets get handed off
on average]. Often this limit on the operator's core is technologyimposed (though budgetary concerns get in there too).I think the technology doesn't really exist at a scalable level tooperate for the worst-case scenario, despite what some people may say.
Our traffic measurement/link measurement tools are almost all average...and spot checks are of only marginal value. I would suggest that thisis because of the nature of TCP. If the Internet were UDP based, there
would be a *lot* more flash traffic problems. So, for those who have ahigh amount of UDP traffic (media streamers, DNS hosts, etc) would havea very different experience.I'm not the first person to say it, and I can't remember the first place
I heard it... but I'd suggest that the core is not where TE has the bestbenefits. Cores by their nature need to be overengineered. You havevery little flexibility because the demands on them are wide [they need
to handle UDP and TCP, low latency and high latency acceptableapplications with aplomb].TE belongs to the Customer or non-backbone operating ISP. If one were tostart an ISP where all residential customer connections were 1Gb/s I
could conceivably have thousands of customers operating without needing200Gb/s of uplink [assuming that were really feasible for a network withvery little traffic terminating on the network]. By using TE I could
shape my peak traffic needs (MLU) to approach my average. This wouldmake me a much more desirable customer to sell transit to.TE, MLU, and other concerns while most well understood bycore-operators, aren't by customers. Core operators may eventually need
to push these concerns to customers if backbone link speeds do not stayfar above end-user connection speeds. [on an ICB basis, they are --whenever you want to buy a few OC-48s in a single POP or an OC-192customer connection, someone is always going to ask you what your
traffic looks like and when]. This would be easiest to push over byproviding differential pricing. Enforcement and Analysis of *what* is adesirable traffic pattern and what financial value that provides is
where we are largely lacking today. Since a customer knows their trafficand their needs better than a core operator, they would be much betterat enforcing traffic flows/engineering. This is better than a core that
optimizes for its own link utilization instead one that just tries tostay as empty as possible for as long as possible.This is way early in the day for me, so this may not make any sense.YMMV,
Deepak JainAiNET

Security inside AS

[Glen Kent]

Hi,

I understand that in theory we need to protect our IGPs from all sorts
of attacks.

But do we really have service providers who enable authentication
(MD5, etc) inside their ASes for their IGPs (OSPF/IS-IS)?

Thanks,
Glen