Re: Verizon 701 Route leak?
> Good use-case for > https://datatracker.ietf.org/doc/draft-ietf-grow-bmp-adj-rib-out and > snapshot auditing before and after changes. Leak didn't last long but > it could have been caught within milliseconds verses minutes via oh > sh** alarms. [ i happen to like bmp, but ... ] if the sender did not have the automation or the mops to not leak in the first place, how well will they apply post hoc detection and repair? if the receiver did not filter, and an tier-1 as-path filter would have sufficed in this case, how well do you think they will be at applying post hoc detection and repair? this was an easily preventable ops failure. but what we will do is go to idr and grow and invent 42 more hacks, kinda like ipv6 transition mechanisms. randy
Re: Verizon 701 Route leak?
>> Damn you Google.. yup. Thanks for links. > A public post-mortem would be highly appreciated (from all parties). there has been more press hysteria on this than actual packet droppage. goog fat fingered or otherwise misannounced a numer of large consumer isp's prefixes. the leak was for aybe 20 minutes. almost no one over here noticed. but the press, isoc, ... said "japan knocked off the internet." take that as a calibration of the press, isoc, ... randy
Re: Hurricane Harvey - Network Status (FCC)
Tegna, ownership group of KHOU, had a news report that the news studio for KHOU was setup at a "PBS station in Dallas", with satellite uplink to KUSA (Denver). Master Control is running at KUSA Denver for KHOU service area, with satellite back to the transmitter for KHOU. According to the FCC filing, the transmitter is located SW of Houston near Fresno, TX at 29deg 33min 40secN 95deg 30min 4sec W Google Maps does show a tower there. On 08/28/2017 10:51 AM, Jean-Francois Mezei wrote: On 2017-08-27 20:58, Tim Jackson wrote: KHOU's local transmitter (Missouri City I think is where it's at) seems to be back on the air, but with all production from WFAA out of Dallas. KHOU had a tweet with video showing the water flooding into their offices/studios and staff having to leave. https://twitter.com/sallykhou11/status/901805513905668096 I guess this is where disaster tolerance/recovery plans really kick in. -- --- Timothy Sesow tse...@osstorage.com Cell: 303-803-3506 Main Support Number 800-570-3624 Open Source Storage, Inc. 7950 S. Lincoln Street Unit B104 Littleton, Colorado 80122
Max Prefix Out, was Re: Verizon 701 Route leak?
I agree a max-prefix outbound could potentially be useful and would hopefully not be too terribly difficult to implement for most vendors. Perhaps RFC4486 would need to be updated to reflect this as a possibility as well? On Mon, Aug 28, 2017 at 5:41 PM, Julien Goodwinwrote: > On 28/08/17 18:34, Job Snijders wrote: >> Finally, it may be worthwhile exploring if we can standardize and >> promote maximum prefix limits applied on the the _sending_ side. This >> way you protect your neighbor (and the Internet at large) by >> self-destructing when you inadvertently announce more than what you'd >> expect to announce. BIRD has this functionality >> http://bird.network.cz/?get_doc=bird-3.html#proto-export-limit >> however I am not aware of other implementations. Feedback welcome! > > Having just dug up the reference for some strange reason... > > Back at NANOG38 (2006) Tom Scholl mentioned in a talk on max prefix: > "Perhaps maximum-prefix outbound? > (Suggested by Eric Bell years ago)" > https://www.nanog.org/meetings/nanog38/presentations/scholl-maxpfx.pdf > > Notably Juniper does now have prefix-export-limit, but only for > readvertisement into IS-IS or OSPF: > https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-export-limit-edit-protocols-isis.html -- [stillwa...@gmail.com ~]$ cat .signature cat: .signature: No such file or directory [stillwa...@gmail.com ~]$
Re: Cogent BCP-38
> Well, if you are using public IP addresses for infra you are violating your > RIR’s policy more than likely. [Citation needed.] :) Rob
RE: Verizon 701 Route leak?
On Mon, 28 Aug 2017, Marcus Josephson wrote: Damn you Google.. yup. Thanks for links. A public post-mortem would be highly appreciated (from all parties). -- Mikael Abrahamssonemail: swm...@swm.pp.se
Re: Cogent BCP-38
On Tue, Aug 29, 2017 at 08:41:12AM -0400, Robert Blayzor wrote: > > On 29 August 2017 at 03:38, Robert Blayzorwrote: > > > >> Well not completely useless. BCP will still drop BOGONs at the edge > >> before they leak into your network. > > > > Assuming you don't use them in your own infra. And cost of RPF is lot > > higher than cost of ACL. Them being entirely static entities they > > should be in your edgeACL. The only real justification for loose RPF > > is source based blackholing. > > Well, if you are using public IP addresses for infra you are violating > your RIR’s policy more than likely. There may be some miscommunication here or confusion on terminology used. But for instance using public, globally unique addresses for your router's loopback addresses, or router-to-router linknets is fine and not a violation. > And if you’re using RFC1918 space in your global routing table, then > thats another fiasco you’ll have to deal with. Then don't do that! :) > Managing ACL’s for customer routes has far more overhead (and cost, > ie: time, human error, etc) than to just use RPF on an edge port. I > believe the OP was talking about multi-homed, in that case if run a > tight ship in your network RPF loose is probably a good choice. It at > least gives you an easy way to not accept total trash at the edge. I am not sure what "RPF loose" offers that can't be done with a static general purpose edge ACL can't offer to protect your infrastructure and deny obvious bogons. Kind regards, Job
Re: Cogent BCP-38
> On 29 August 2017 at 03:38, Robert Blayzorwrote: > >> Well not completely useless. BCP will still drop BOGONs at the edge before >> they leak into your network. > > Assuming you don't use them in your own infra. And cost of RPF is lot > higher than cost of ACL. Them being entirely static entities they > should be in your edgeACL. The only real justification for loose RPF > is source based blackholing. > > -- > ++ytti Well, if you are using public IP addresses for infra you are violating your RIR’s policy more than likely. And if you’re using RFC1918 space in your global routing table, then thats another fiasco you’ll have to deal with. Managing ACL’s for customer routes has far more overhead (and cost, ie: time, human error, etc) than to just use RPF on an edge port. I believe the OP was talking about multi-homed, in that case if run a tight ship in your network RPF loose is probably a good choice. It at least gives you an easy way to not accept total trash at the edge. -- inoc.net!rblayzor XMPP: rblayzor.AT.inoc.net PGP: https://inoc.net/~rblayzor/
Re: Cogent BCP-38
On 29 August 2017 at 03:38, Robert Blayzorwrote: > Well not completely useless. BCP will still drop BOGONs at the edge before > they leak into your network. Assuming you don't use them in your own infra. And cost of RPF is lot higher than cost of ACL. Them being entirely static entities they should be in your edgeACL. The only real justification for loose RPF is source based blackholing. -- ++ytti