Announcing supernets in BGP?
Hi,

just a formal question: Is it good/best practice for Swisscom to announce 80/5 into BGP ? (which covers our assignment 81.16.176.0/20 and many others)

More-specific wins, sure.. but we had some troubles yesterday, so just a question to ask..

If it's the wrong ML, sorry, happy to get redirected..

--
Kind regards
Michael Markstaller
Elaborated Networks GmbH www.elabnet.de
Lise-Meitner-Str. 1, D-85662 Hohenbrunn, Germany
fon: +49-8102-8951-60, fax: +49-8102-8951-80
Managing directors: Stefan Werner, Michael Markstaller
Amtsgericht München HRB 125120, Ust-ID: DE201281054
Are your troubles traceable to the covering announcement? More specifics should always win, period. Regardless even of BGP attributes, so I'm curious if your issues are traceable to the /5.

regards,
~Carlos

On 9/11/12 12:09 PM, Michael Markstaller wrote:
Hi,
just a formal question: Is it good/best practice for Swisscom to announce 80/5 into BGP ? (which covers our assignment 81.16.176.0/20 and many others)
More-specific wins, sure.. but we had some troubles yesterday, so just a question to ask..
If it's the wrong ML, sorry, happy to get redirected..
hi,

On Tue, Sep 11, 2012 at 12:23:15PM -0300, Carlos M. martinez wrote:
Are your troubles traceable to the covering announcement? More specifics should always win, period. Regardless even of BGP attributes, so I'm curious if your issues are traceable to the /5.
That's sort of missing the point. Do not announce what you have no authority over.

And filter your downstream customers, using a mechanism that is based on strong authentication.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444          USt-IdNr.: DE813185279
I get the point and I basically agree, but anyways, I'm still curious about what network dynamics might be at play here that make the covering announcement a source of problems. My question is strictly technical, I don't want to delve into the 'policy/authority' part of it (at this time at least :-) )

regards
Carlos

On 9/11/12 12:39 PM, Gert Doering wrote:
hi,
On Tue, Sep 11, 2012 at 12:23:15PM -0300, Carlos M. martinez wrote:
Are your troubles traceable to the covering announcement? More specifics should always win, period. Regardless even of BGP attributes, so I'm curious if your issues are traceable to the /5.
That's sort of missing the point. Do not announce what you have no authority over.
And filter your downstream customers, using a mechanism that is based on strong authentication.
Gert Doering -- NetMaster
On 11.09.2012 17:23, Carlos M. martinez wrote:
Are your troubles traceable to the covering announcement?

No, it's just a thought and I asked because RIPE warns me about it - and I think it's fully wrong for any ISP to be able to announce something he doesn't own !?
More specifics should always win, period. Regardless even of BGP attributes, so I'm curious if your issues are traceable to the /5.

Theoretically: right. Practically: we lost yesterday somehow against Swisscom..
P.S.: My question is not(!) how to resolve this specific issue but rather how to prevent such extremely big misuse.. I attended the RIPE trainings on RIR etc., keep my records up2date but no one else @T1/2 does (?)

Michael
2012/9/11 Michael Markstaller <mm@elabnet.de>:
On 11.09.2012 17:23, Carlos M. martinez wrote:
Are your troubles traceable to the covering announcement?

No, it's just a thought and I asked because RIPE warns me about it - and I think it's fully wrong for any ISP to be able to announce something he doesn't own !?
More specifics should always win, period. Regardless even of BGP attributes, so I'm curious if your issues are traceable to the /5.

Theoretically: right. Practically: we lost yesterday somehow against Swisscom..
P.S.: My question is not(!) how to resolve this specific issue but rather how to prevent such extremely big misuse.. I attended the RIPE trainings on RIR etc., keep my records up2date but no one else @T1/2 does (?)
Michael
I see three ways:
1) RPKI
2) RPKI
3) RPKI

Sometimes such things happen and 99.9% of such issues are about mistakes (bad software, mistypings, no ip classless :) etc). The only way of securing ourselves from such situations is definitely building filters based on RIPE database AND TRUSTING RPKI. And signing your resources (LIR) as well :)

--
~~~
WBR,
Vitaliy Turovets
Systems Administrator
Corebug.Net
+38(093)265-70-55
VITU-RIPE
X-NCC-RegID: ua.tv
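Gert's "filter your downstream customers, using a mechanism that is based on strong authentication" and Vitaliy's "filters based on RIPE database AND TRUSTING RPKI" describe a layered ingress policy. The following is an added example, not code from any poster, RIPE NCC or a router vendor: it implements RFC 6811 route origin validation over a constructed ROA table and stacks it with a prefix-length sanity check and a registry-derived allow list, then runs the thread's own prefixes through it. The ROA (81.16.176.0/20, max-length 24, AS64496), the documentation ASNs and the accepted length range are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ROA table for the example. These are NOT real RPKI objects:
# AS64496/AS64497 are documentation ASNs (RFC 5398) and the max-length is assumed.
@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

ROAS = [
    ROA(ipaddress.ip_network("81.16.176.0/20"), 24, 64496),
]

# Hypothetical "registered route objects" for the same customer, the way a
# filter generated from the registry database would see them.
CUSTOMER_IRR_PREFIXES = [ipaddress.ip_network("81.16.176.0/20")]


def route_origin_validation(prefix_str, origin_asn, roas):
    """RFC 6811 route origin validation.

    A ROA covers a route when the route's prefix lies inside the ROA prefix.
      no covering ROA                              -> 'notfound'
      a covering ROA matches ASN and max-length    -> 'valid'
      covering ROAs exist but none of them match   -> 'invalid'
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept_from_customer(prefix_str, origin_asn, irr_prefixes, roas,
                         min_prefixlen=8, max_prefixlen=24):
    """Assumed ingress policy for a downstream customer session.

    Returns (decision, reason). The checks are layered: a plain length sanity
    check (no RIR allocates anything as short as a /5), an allow list built
    from the customer's registered route objects, and finally RPKI ROV.
    """
    prefix = ipaddress.ip_network(prefix_str, strict=False)
    if not (min_prefixlen <= prefix.prefixlen <= max_prefixlen):
        return ("reject", f"prefix length /{prefix.prefixlen} outside /{min_prefixlen}-/{max_prefixlen}")
    if not any(p.version == prefix.version and prefix.subnet_of(p) for p in irr_prefixes):
        return ("reject", "not covered by the customer's registered route objects")
    state = route_origin_validation(prefix_str, origin_asn, roas)
    if state == "invalid":
        return ("reject", "RPKI invalid")
    return ("accept", f"RPKI {state}")


if __name__ == "__main__":
    for route, asn in [("81.16.176.0/20", 64496), ("81.16.176.0/20", 64497),
                       ("81.16.176.0/25", 64496), ("80.0.0.0/5", 64497)]:
        print(route, asn, route_origin_validation(route, asn, ROAS),
              accept_from_customer(route, asn, CUSTOMER_IRR_PREFIXES, ROAS))
```

The run illustrates the caveat behind "RPKI, RPKI, RPKI": a ROA for the /20 makes a wrong-origin /20 or an over-long /25 *invalid*, but the covering 80.0.0.0/5 is merely *notfound*, because no ROA covers a prefix that short. ROV on its own therefore does not reject the supernet; the length check (or an IRR-derived allow list) is what catches it on a customer session.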
Hi,

On Tue, Sep 11, 2012 at 05:09:36PM +0200, Michael Markstaller wrote:
just a formal question: Is it good/best practice for Swisscom to announce 80/5 into BGP ?
Definitely not... Strengthening the case for RPKI and origin verification.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Board: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14        Supervisory board chair: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444          USt-IdNr.: DE813185279
I guess this comes from 80/5 being visible in RIS. It is worth pointing out that RIS sees this only from one single peer in Geneva and nowhere else. This means that the route is certainly not widespread according to RIS. It may very well be that this is leakage in one way or another. RIS does not filter of course but dutifully records what it gets. But a "route visible in RIS" always needs to be qualified by the number of peers and route collectors that see it.

If our tools should give warnings for 80/5 that is a matter of tweaking the thresholds.

Daniel

On 11.09.2012, at 17:09 , Michael Markstaller wrote:
Hi,
just a formal question: Is it good/best practice for Swisscom to announce 80/5 into BGP ? (which covers our assignment 81.16.176.0/20 and many others)
More-specific wins, sure.. but we had some troubles yesterday, so just a question to ask..
If it's the wrong ML, sorry, happy to get redirected..
--
Kind regards
Michael Markstaller
Elaborated Networks GmbH www.elabnet.de
Lise-Meitner-Str. 1, D-85662 Hohenbrunn, Germany
fon: +49-8102-8951-60, fax: +49-8102-8951-80
Managing directors: Stefan Werner, Michael Markstaller
Amtsgericht München HRB 125120, Ust-ID: DE201281054
* Michael Markstaller:
Is it good/best practice for Swisscom to announce 80/5 into BGP ?
IIRC, Swisscom does this so that its customers can use routers which are not capable of processing the original DFZ, and still have some redundancy. The advertisements should not leak to the general Internet. If the prefixes end up in RIS, this could come from leakage by a Swisscom customer (and another upstream which doesn't filter properly), or a misconfigured BGP peering for the RIS data feed.
On 12.09.2012, at 22:46 , Florian Weimer wrote:
... If the prefixes end up in RIS, this could come from leakage by a Swisscom customer (and another upstream which doesn't filter properly), or a misconfigured BGP peering for the RIS data feed.
Looks like AS35054 is to blame: https://stat.ripe.net/widget/looking-glass#w%5Bresource%5D=80/5

IIRC we talked to them ages ago and it was difficult for them to give RIS another view in Geneva. But my recollection may be wrong ...

Daniel
The advertisements should not leak to the general Internet.
that X should not leak, for many values of X not just bgp, has been long shown to be wishful thinking.

randy
Florian Weimer wrote:
* Michael Markstaller:
Is it good/best practice for Swisscom to announce 80/5 into BGP ?
IIRC, Swisscom does this so that its customers can use routers which are not capable of processing the original DFZ, and still have some redundancy. The advertisements should not leak to the general Internet.
...whatever the merits of such a setup may be, imho at least minimal precautions SHOULD be applied, e.g. attaching a "no-export" tag?
If the prefixes end up in RIS, this could come from leakage by a Swisscom customer (and another upstream which doesn't filter properly), or a misconfigured BGP peering for the RIS data feed.
Wilfried
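Wilfried's suggestion is the well-known NO_EXPORT community from RFC 1997: an upstream that announces a covering aggregate only for its customers' benefit tags it so that the customers' routers keep it inside their own AS. The block below is an added example, not code from any poster or a router vendor. It models the relevant slice of a router's export policy (NO_EXPORT and NO_ADVERTISE handling) and runs the thread's scenario: a customer AS with two upstreams receives 80/5 from one of them, with and without the tag. The customer AS number, peer names and the simplified policy model are assumptions; the community values are the real RFC 1997 ones.

```python
# Well-known BGP communities from RFC 1997, as (global admin, local data) pairs.
NO_EXPORT = (65535, 65281)      # keep within the local AS (or confederation)
NO_ADVERTISE = (65535, 65282)   # do not advertise to any peer at all


def export_targets(route, local_asn, peers):
    """Decide which peers a received route may be re-advertised to.

    route:  dict with 'prefix' and 'communities' (a set of (asn, value) pairs)
    peers:  list of (peer_name, peer_asn); a peer in local_asn is an iBGP peer
    This is an assumed, simplified model of a router's export policy; it does
    not track which peer the route was learned from or any other attributes.
    """
    comms = set(route["communities"])
    if NO_ADVERTISE in comms:
        return []
    if NO_EXPORT in comms:
        return [name for name, asn in peers if asn == local_asn]
    return [name for name, _ in peers]


def tag_no_export(route):
    """Return a copy of the route carrying NO_EXPORT, as an upstream would set
    it on a covering aggregate meant only for its own customers."""
    return {"prefix": route["prefix"],
            "communities": set(route["communities"]) | {NO_EXPORT}}


# Constructed scenario: a customer in AS64498 (documentation ASN, RFC 5398)
# has an iBGP peer and two upstreams, and learns a covering /5 from one upstream.
CUSTOMER_ASN = 64498
CUSTOMER_PEERS = [("ibgp-core-2", 64498), ("upstream-a", 64496), ("upstream-b", 64499)]
COVERING_AGGREGATE = {"prefix": "80.0.0.0/5", "communities": set()}


if __name__ == "__main__":
    # Untagged: the /5 would be re-advertised to the other upstream, i.e. leak.
    print("untagged:", export_targets(COVERING_AGGREGATE, CUSTOMER_ASN, CUSTOMER_PEERS))
    # Tagged NO_EXPORT: it stays on the customer's own iBGP sessions only.
    print("no-export:", export_targets(tag_no_export(COVERING_AGGREGATE),
                                       CUSTOMER_ASN, CUSTOMER_PEERS))
```

The tag is honoured by the receiving router, so it is a precaution the upstream can take unilaterally, but it does not replace the receiver's own export filters: a customer that strips communities or runs no outbound policy at all still leaks, which is the "wishful thinking" point made earlier in the thread.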
participants (8)
- Carlos M. martinez
- Daniel Karrenberg
- Florian Weimer
- Gert Doering
- Michael Markstaller
- Randy Bush
- Wilfried Woeber
- Виталий Туровец