Hi Ado, On 11/10/15 18:21, Ado Maja wrote:
It was by mistake that I send an example where BGP messages are not coming from the same peer. All four messages in the example were supposed to have same peer, and announced IP address while different AS-PATH attribute. In that case I would have three implicit withdrawals, right?
Yes, if all four messages were the same prefix and same peer, then you would have three (or four) implicit withdrawals.
Are you suggesting that if I look at five-days worth of BGP update messages and trying to count how many implicit withdrawals during that time I have that I need to check first appearance of every announced IP address and check if it is ‘truly’ new announcement or possibly an implicit withdrawal that happened prior to the time frame I am looking at?
Yes exactly, if you want to be accurate in your count. That is what the RIB dumps (the bview) files help you with. They give you a snapshot at a time, for you to base your update analysis on. Otherwise you'd need to search through previous update files looking for either an earlier update message for the same {peer,prefix}, or a peer session reset.
Also, I was completely ignoring the state change messages. Are you referring to the messages below? I am not sure what to make out of those.
Yes those are the state change messages. They indicate a transition in the BGP Finite State Machine for a BGP speaker (see RFC4271, section 8) For the most part, you can ignore all of them except for transitions to/from state 6 (Established). If a peer session goes in or out of state 6, then a new session has been established or torn down, and any data you were considering about that peer should be reset too. If the session resets, whenever it comes back up, it is likely that the peer will re-announce the prefixes it had in its RIB before the reset. This is the initial startup phase. So when the peer sends you an announce for a prefix after a state change, the first announcement is *not* an implicit withdrawal. But any further messages after that (with the same {peer,prefix}) are implicit withdrawals. Until the next time the state changes. Hope this makes sense. Cheers Colin -- Colin Petrie Systems Engineer RIPE NCC