Re: Looking for VPS providers with BGP session

2015-12-22 Thread Alexis Rosen
On Dec 7, 2015, at 7:40 AM, Philippe Bonvin via NANOG <nanog@nanog.org> wrote:
> Hello,
> 
> I'm looking for providers around the world who are able to provide VPS with a 
> BGP session but it seems to be rather difficult to find. I have already found 
> a few with WHT/bgp.he.net/google but a little help would be appreciated.
> 
> Does anyone have contact or know people who can offer such services ?
> 
> If yes, please contact me off list.
> [...]

I am apparently 2 weeks behind on reading nanog, and haven't posted here in 
probably 17-18 years. We offer that service.

Philippe found us last week, so thanks to whoever pointed him our way...

/a

Re: Looking for VPS providers with BGP session

2015-12-09 Thread Felipe Zanchet Grazziotin
Hi,

you might find it useful to see Nat Morris's presentation on "Anycast on a
shoe string".
He lists several VPS providers that do BGP for his project.

Here is one link:
http://www.slideshare.net/natmorris/anycast-on-a-shoe-string

Regards,
Felipe


On 7 December 2015 at 12:40, Philippe Bonvin via NANOG <nanog@nanog.org>
wrote:

> Hello,
>
>
> I'm looking for providers around the world who are able to provide VPS
> with a BGP session but it seems to be rather difficult to find. I have
> already found a few with WHT/bgp.he.net/google but a little help would be
> appreciated.
>
>
> Does anyone have contact or know people who can offer such services ?
>
> If yes, please contact me off list.
>
>
> Our budget is quite low: around 50$/month/node +/- 50$ depending on the
> transit providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2
> GB RAM.
>
>
> I'll be happy to share the provider list we use with anyone who needs it.
>
>
> Thanks for your help,
>
> Philippe
>
> [EDSI-Tech Sarl]<http://www.edsi-tech.com>
> Philippe Bonvin, Director
> EDSI-Tech Sàrl<http://www.edsi-tech.com>
> EPFL Innovation Park, Building C, 1015 Lausanne, Switzerland | Telephone: +41
> (0) 21 566 14 15
> Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France
> | Telephone: +33 (0)4 86 15 44 78
>


Re: Looking for VPS providers with BGP session

2015-12-09 Thread Yang Yu
On Tue, Dec 8, 2015 at 8:52 PM, Yucong Sun  wrote:
> I recommend http://www.quadranet.com/ ! I have been a happy customer
> for almost two years.
>
> I have a single dedicated server over there, running a full BGP feed
> with them. It's a fairly extensive setup with multiple sessions,
> automatic null routing and all the communities tinkering! Their NOC is
> very friendly and very easy to work with!
>

I would avoid QuadraNet for VPS services. They refused to give me a
/48 (not even another /64). And it took a shout on WHT for them to
respond to my tickets opened months ago.


Yang


Re: Looking for VPS providers with BGP session

2015-12-08 Thread Jared Mauch
You may want to look at this presentation from Nat Morris:

http://www.slideshare.net/natmorris/anycast-on-a-shoe-string

- Jared

On Tue, Dec 08, 2015 at 06:31:58AM -0500, Dovid Bender wrote:
> I am looking for this as well. I am OK with 1 CPU core since all I need is
> a default route.
> 
> On Mon, Dec 7, 2015 at 7:40 AM, Philippe Bonvin via NANOG <nanog@nanog.org>
> wrote:
> 
> > Hello,
> >
> >
> > I'm looking for providers around the world who are able to provide VPS
> > with a BGP session but it seems to be rather difficult to find. I have
> > already found a few with WHT/bgp.he.net/google but a little help would be
> > appreciated.
> >
> >
> > Does anyone have contact or know people who can offer such services ?
> >
> > If yes, please contact me off list.
> >
> >
> > Our budget is quite low: around 50$/month/node +/- 50$ depending on the
> > transit providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2
> > GB RAM.
> >
> >
> > I'll be happy to share the provider list we use with anyone who needs it.
> >
> >
> > Thanks for your help,
> >
> > Philippe
> >
> > [EDSI-Tech Sarl]<http://www.edsi-tech.com>
> > Philippe Bonvin, Director
> > EDSI-Tech Sàrl<http://www.edsi-tech.com>
> > EPFL Innovation Park, Building C, 1015 Lausanne, Switzerland | Telephone: +41
> > (0) 21 566 14 15
> > Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France
> > | Telephone: +33 (0)4 86 15 44 78
> >

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: Looking for VPS providers with BGP session

2015-12-08 Thread Dovid Bender
I am looking for this as well. I am OK with 1 CPU core since all I need is
a default route.

On Mon, Dec 7, 2015 at 7:40 AM, Philippe Bonvin via NANOG <nanog@nanog.org>
wrote:

> Hello,
>
>
> I'm looking for providers around the world who are able to provide VPS
> with a BGP session but it seems to be rather difficult to find. I have
> already found a few with WHT/bgp.he.net/google but a little help would be
> appreciated.
>
>
> Does anyone have contact or know people who can offer such services ?
>
> If yes, please contact me off list.
>
>
> Our budget is quite low: around 50$/month/node +/- 50$ depending on the
> transit providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2
> GB RAM.
>
>
> I'll be happy to share the provider list we use with anyone who needs it.
>
>
> Thanks for your help,
>
> Philippe
>
> [EDSI-Tech Sarl]<http://www.edsi-tech.com>
> Philippe Bonvin, Director
> EDSI-Tech Sàrl<http://www.edsi-tech.com>
> EPFL Innovation Park, Building C, 1015 Lausanne, Switzerland | Telephone: +41
> (0) 21 566 14 15
> Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France
> | Telephone: +33 (0)4 86 15 44 78
>


Re: Looking for VPS providers with BGP session

2015-12-08 Thread Yucong Sun
I recommend http://www.quadranet.com/ ! I have been a happy customer
for almost two years.

I have a single dedicated server over there, running a full BGP feed
with them. It's a fairly extensive setup with multiple sessions,
automatic null routing and all the communities tinkering! Their NOC is
very friendly and very easy to work with!

On Mon, Dec 7, 2015 at 8:40 PM, Philippe Bonvin via NANOG
<nanog@nanog.org> wrote:
> Hello,
>
>
> I'm looking for providers around the world who are able to provide VPS with a 
> BGP session but it seems to be rather difficult to find. I have already found 
> a few with WHT/bgp.he.net/google but a little help would be appreciated.
>
>
> Does anyone have contact or know people who can offer such services ?
>
> If yes, please contact me off list.
>
>
> Our budget is quite low: around 50$/month/node +/- 50$ depending on the transit 
> providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2 GB RAM.
>
>
> I'll be happy to share the provider list we use with anyone who needs it.
>
>
> Thanks for your help,
>
> Philippe
>
> [EDSI-Tech Sarl]<http://www.edsi-tech.com>
> Philippe Bonvin, Director
> EDSI-Tech Sàrl<http://www.edsi-tech.com>
> EPFL Innovation Park, Building C, 1015 Lausanne, Switzerland | Telephone: +41 (0) 
> 21 566 14 15
> Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
> Telephone: +33 (0)4 86 15 44 78


Looking for VPS providers with BGP session

2015-12-07 Thread Philippe Bonvin via NANOG
Hello,


I'm looking for providers around the world who are able to provide VPS with a 
BGP session but it seems to be rather difficult to find. I have already found a 
few with WHT/bgp.he.net/google but a little help would be appreciated.


Does anyone have contact or know people who can offer such services ?

If yes, please contact me off list.


Our budget is quite low: around 50$/month/node +/- 50$ depending on the transit 
providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2 GB RAM.


I'll be happy to share the provider list we use with anyone who needs it.


Thanks for your help,

Philippe

[EDSI-Tech Sarl]<http://www.edsi-tech.com>
Philippe Bonvin, Director
EDSI-Tech Sàrl<http://www.edsi-tech.com>
EPFL Innovation Park, Building C, 1015 Lausanne, Switzerland | Telephone: +41 (0) 21 
566 14 15
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
Telephone: +33 (0)4 86 15 44 78


Re: IX Peering - BGP Session Filtering Best Practice

2015-09-21 Thread Paul WALL
You might want to check out Console by IIX (www.iix.net).

They are re-shaping peering automation with SDN.

Drive Slow,
Paul WALL

On 9/21/15, Erik Sundberg  wrote:
> Just wondering how far everyone is going on filtering BGP sessions when
> peering with other content providers and carriers over an internet
> exchange.
>
> What are you doing.
>
> 1.  Just filtering out IPv4 Reserved Space, RFC 1918, and Default
> Routes.
>
>
> 2.  AS Path Filtering. Only filtering by the AS's that are present in
> the IRR Record.
>
>
>
> 3.  Filtering by IP Prefix based on the IRR Record for the Peer. (Yes
> some Prefix Filter list can be a couple thousand lines)
>
>
>
> 4.  Doing both #3 and 4 listed above.
>
>
>
>
>
>
> Besides PeeringDB is there any software to help keep track of IX and
> Peering info. So far I have only found IXP-Manager
>
> 
>
> CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files
> or previous e-mail messages attached to it may contain confidential
> information that is legally privileged. If you are not the intended
> recipient, or a person responsible for delivering it to the intended
> recipient, you are hereby notified that any disclosure, copying,
> distribution or use of any of the information contained in or attached to
> this transmission is STRICTLY PROHIBITED. If you have received this
> transmission in error please notify the sender immediately by replying to
> this e-mail. You must destroy the original transmission and its attachments
> without reading or saving in any manner. Thank you.
>


IX Peering - BGP Session Filtering Best Practice

2015-09-21 Thread Erik Sundberg
Just wondering how far everyone is going on filtering BGP sessions when peering 
with other content providers and carriers over an internet exchange.

What are you doing.

1.  Just filtering out IPv4 Reserved Space, RFC 1918, and Default Routes.


2.  AS Path Filtering. Only filtering by the AS's that are present in the 
IRR Record.



3.  Filtering by IP Prefix based on the IRR Record for the Peer. (Yes some 
Prefix Filter list can be a couple thousand lines)



4.  Doing both #3 and 4 listed above.






Besides PeeringDB is there any software to help keep track of IX and Peering 
info. So far I have only found IXP-Manager



CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or 
previous e-mail messages attached to it may contain confidential information 
that is legally privileged. If you are not the intended recipient, or a person 
responsible for delivering it to the intended recipient, you are hereby 
notified that any disclosure, copying, distribution or use of any of the 
information contained in or attached to this transmission is STRICTLY 
PROHIBITED. If you have received this transmission in error please notify the 
sender immediately by replying to this e-mail. You must destroy the original 
transmission and its attachments without reading or saving in any manner. Thank 
you.

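The four options Erik lists above, applied as one runnable import policy. This is an added example written for this archive, not code from any poster or from IXP-Manager or PeeringDB; PEER_AS, PEER_AS_SET and IRR_ROUTES are constructed stand-ins for what a whois or bgpq3 query of the peer's as-set would return, and the announcements in the demo are constructed. It also renders the IRR data as IOS prefix-list lines, which shows where the "couple thousand lines" come from.

```python
"""Import policy for an eBGP session with an IX peer, driven by the peer's IRR
data: reject default and bogon/RFC 1918 space, cap prefix length at /24 and
/48, accept only AS paths made of the peer's as-set members, and accept only
prefixes covered by a route object whose origin matches the path's origin.
Added example for this thread, not code from any poster; PEER_AS, PEER_AS_SET
and IRR_ROUTES are constructed stand-ins for what a whois or bgpq3 query of
the peer's as-set would return."""
import ipaddress
from dataclasses import dataclass

PEER_AS = 64500                     # assumed peer ASN (private range)
PEER_AS_SET = {64500, 64501}        # assumed members of the peer's as-set
IRR_ROUTES = {                      # assumed route/route6 objects: origin -> prefixes
    64500: ["203.0.113.0/24", "2001:db8:100::/40"],
    64501: ["198.51.100.0/23"],
}
MAX_LEN = {4: 24, 6: 48}            # longest prefixes most networks will accept

# Bogons: RFC 1918, loopback, link-local, CGNAT, TEST-NET-1, benchmarking,
# multicast/class E, IPv6 ULA and link-local.  TEST-NET-2/3 and 2001:db8::/32
# are left out ONLY because this example uses them as stand-ins for the peer's
# routable space; a production list (e.g. Team Cymru's) includes them.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/3",
    "::/8", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple      # as received: as_path[0] is the peer, as_path[-1] the origin


def build_prefix_list(irr_routes=IRR_ROUTES):
    """Flatten IRR route objects into a set of (network, origin ASN) pairs."""
    return {(ipaddress.ip_network(p), origin)
            for origin, prefixes in irr_routes.items() for p in prefixes}


def check_announcement(ann, peer_as=PEER_AS, as_set=PEER_AS_SET, allowed=None):
    """Return (accept, reason) for one received UPDATE, checking in the order a
    router would: sanity, default, bogon, length, AS path, IRR prefix/origin."""
    allowed = build_prefix_list() if allowed is None else allowed
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route"
    if any(net.subnet_of(b) for b in BOGONS if b.version == net.version):
        return False, "bogon or reserved space"
    if net.prefixlen > MAX_LEN[net.version]:
        return False, f"longer than /{MAX_LEN[net.version]}"
    if not ann.as_path or ann.as_path[0] != peer_as:
        return False, "AS path does not start with the peer ASN"
    if not set(ann.as_path) <= as_set:
        return False, "AS path contains an ASN outside the peer's as-set"
    origin = ann.as_path[-1]
    if not any(o == origin and p.version == net.version and net.subnet_of(p)
               for p, o in allowed):
        return False, f"no IRR route object covering {net} with origin AS{origin}"
    return True, "ok"


def filter_table(announcements):
    """Return only the announcements that pass the import policy."""
    allowed = build_prefix_list()
    return [a for a in announcements if check_announcement(a, allowed=allowed)[0]]


def render_ios_prefix_list(name, irr_routes=IRR_ROUTES):
    """Render the IRR data as IOS prefix-list lines, one list per address
    family.  A route object shorter than MAX_LEN gets 'le N' so the peer's
    more-specifics down to /24 or /48 are permitted too; this is what makes
    generated lists run to thousands of lines for large peers."""
    lines, seq = [], {4: 0, 6: 0}
    for p, _origin in sorted(build_prefix_list(irr_routes),
                             key=lambda t: (t[0].version, t[0])):
        seq[p.version] += 5
        kw = "ip" if p.version == 4 else "ipv6"
        le = f" le {MAX_LEN[p.version]}" if p.prefixlen < MAX_LEN[p.version] else ""
        lines.append(f"{kw} prefix-list {name}-v{p.version} seq {seq[p.version]} permit {p}{le}")
    return lines


if __name__ == "__main__":
    sample = [                      # constructed UPDATEs as seen from the IX
        Announcement("203.0.113.0/24", (64500,)),
        Announcement("198.51.100.0/24", (64500, 64501)),
        Announcement("10.0.0.0/8", (64500,)),
        Announcement("0.0.0.0/0", (64500,)),
        Announcement("198.51.100.0/25", (64500, 64501)),
        Announcement("203.0.113.0/24", (64500, 64999)),
    ]
    for a in sample:
        print(f"{a.prefix:18} {str(a.as_path):16} -> {check_announcement(a)}")
    print("\n".join(render_ios_prefix_list("AS64500-IN")))
```

The AS-path check alone (option 2) is weak, since a peer can put any ASN on a path it sends you; the prefix check (option 3) is what actually stops a leak, and the code applies both, which is option 4. Per-session maximum-prefix limits are a separate router knob and are not modelled here.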

Re: VPS + BGP session

2015-06-04 Thread William Herrin
On Thu, Jun 4, 2015 at 1:53 PM, Sadiq Saif li...@sadiqs.com wrote:
 I am looking for providers that can provide me a VPS with a BGP session
 so I can announce my PI IP space (v4 + v6). I have looked at other
 threads on NANOG regarding this and already have sessions up with ARP
 Networks, Mythic Beasts, and Knightswarm. Host Virtual is unfortunately
 out of my budget.

Hi Sadiq,

I assume you found this:

http://mailman.nanog.org/pipermail/nanog/2015-February/073592.html

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/


VPS + BGP session

2015-06-04 Thread Sadiq Saif
Hi,

I am looking for providers that can provide me a VPS with a BGP session
so I can announce my PI IP space (v4 + v6). I have looked at other
threads on NANOG regarding this and already have sessions up with ARP
Networks, Mythic Beasts, and Knightswarm. Host Virtual is unfortunately
out of my budget.

I am looking for providers in the east coast USA and Asia Pacific
regions at this time.

Any pointers are appreciated!

-- 
Sadiq Saif (AS393949)
https://staticsafe.ca


Re: Best practice for BGP session/ full routes for customer

2014-07-28 Thread Mark Tinka
On Thursday, July 17, 2014 12:24:45 PM Nick Hilliard wrote:

 there are other drawbacks too: the difference in
 convergence time between  24k prefixes  and a full dfz
 is usually going to be large although I haven't tested
 this on an me3600x yet.

Not having to install the routes into FIB (even on software-
based platforms) makes a ton of difference.

Our testing when using this feature on the ME3600X has 
shown:

1. The switch will download a full copy of the IPv6
   table of 18,282 entries in 1 second. This is from
   2x local route reflectors, so no latency.

2. The switch will download a full copy of the IPv4
   table of 499,437 entries in 3 minutes, 10
   seconds. This is from 2x local route reflectors,
   so no latency.

The IPv4 convergence was consuming between 12% - 30% CPU 
utilization during the table download. This was on the IPv4 
table, given its size. The IPv6 didn't bother the switch in 
any way.

The CPU on the ME3600X is a little slow; we've seen far 
better IPv4 BGP table download times on meatier CPUs, and 
the CSR1000v, which runs on servers that kick typical router 
CPUs into the stone age.

 Also these boxes only have 1G
 of memory might be a bit tight as the dfz increases. 
 For sure, it's already not enough on a bunch of other
 vanilla ios platforms.

Total memory utilized (for 2x full BGPv4 and BGPv6 feeds, 
and after IOS deducts system memory for itself) came to 
370MB.

That left 424MB of memory free.

Code is 15.4(2)S.

Cheers,

Mark.


signature.asc
Description: This is a digitally signed message part.


Re: BGP Session

2014-07-19 Thread Abuse Contact
Hi,
Yeah, I need to turn on and off over time, but I'm getting my own ASN very
soon so that shouldn't be a problem soon! :)
But how would I go about turning off a location at a certain time?


Thanks!


On Wed, Jul 16, 2014 at 5:50 PM, Jonathan Lassoff j...@thejof.com wrote:

 Wow -- be careful playing with public eBGP sessions unless you know
 what you're doing. It can affect the entire Internet.

 Since you're just connecting to a single upstream ISP, you won't
 qualify for a public AS number. So, you'll have to work with your
 upstream ISP to agree on a private AS number you can use.
 You will be setting up an eBGP session (which is a session between two
 different AS numbers, as opposed to iBGP, wherein the AS numbers are
 the same).

 As for running BGP on a dedicated server, it'll depend on the OS in
 use. Assuming Linux, take a look at Quagga, BIRD, and ExaBGP.
 http://www.nongnu.org/quagga/
 http://bird.network.cz/
 https://code.google.com/p/exabgp/


 It may be a *lot* easier for you to just have your upstream ISP
 announce your IP space, and route it to your dedicated server, unless
 you need the ability to turn it off and on over time.

 Cheers,
 jof

 On Wed, Jul 16, 2014 at 1:05 AM, Abuse Contact
 stopabuseandrep...@gmail.com wrote:
  Hi,
  So I just purchased a Dedicated server from this one company and I have a
  /24 IPv4 block that I bought from a company on WebHostingTalk, but I am
  clueless on how to setup the /24 IPv4 block using the BGP Session. I want
  to set it up to run through their network as if it was one of their IPs,
  etc. I keep seeing things like iBGP (which I think means like an inner
  routing BGP) and eBGP (what I'm talking about??) but I have no idea how
 to
  set those up or which one I would need.
 
  Any help would be appreciated.
 
 
  Thanks!


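For the question above about turning a location off at a certain time: with an anycasted prefix you do that by withdrawing the prefix on that node's session to its upstream, so traffic drains to the other sites, and the ExaBGP route Jonathan mentions is the easiest way to drive that from a Linux box. Below is an added example for this archive, not code from any poster or from the ExaBGP project; PREFIX, the thresholds and the maintenance window are assumptions, and probe_service() is a constructed stand-in for a real check of the local daemon.

```python
"""On/off control for one anycast node that speaks eBGP through ExaBGP on a
Linux box: the node's prefix is announced only while the local service passes
its health probe and the node is outside its maintenance window; otherwise it
is withdrawn, so traffic drains to the other sites.  Added example for this
thread, not code from any poster or from the ExaBGP project.  PREFIX, the
thresholds and the maintenance window are assumptions; probe_service() is a
constructed stand-in for a real check of the local daemon."""
import sys
import time
from dataclasses import dataclass, field
from datetime import datetime, time as dtime, timezone

PREFIX = "203.0.113.0/24"           # assumed anycast /24 (smallest portable IPv4 prefix)
FAILS_TO_WITHDRAW = 3               # consecutive failed probes before withdrawing
OKS_TO_ANNOUNCE = 5                 # consecutive good probes before (re)announcing
MAINTENANCE = ("02:00", "03:00")    # assumed daily window, UTC, [start, end)


def utc_at(hour, minute, day=19):
    """Aware UTC timestamp on a fixed date; used by the demo and tests."""
    return datetime(2014, 7, day, hour, minute, tzinfo=timezone.utc)


def in_maintenance(now, window=MAINTENANCE):
    """True if the UTC wall-clock time of `now` (an aware datetime) is inside
    the window.  A window whose end is before its start wraps past midnight."""
    start, end = (dtime.fromisoformat(s) for s in window)
    t = now.astimezone(timezone.utc).time()
    return start <= t < end if start <= end else (t >= start or t < end)


@dataclass
class AnycastController:
    """Tracks probe streaks and the announced/withdrawn state, and emits one
    ExaBGP command per state change (never one per probe, so a flapping
    service cannot turn into a flapping route)."""
    prefix: str = PREFIX
    announced: bool = False
    fails: int = 0
    oks: int = 0
    history: list = field(default_factory=list)   # commands emitted so far

    def step(self, healthy, now):
        """Feed one probe result; return the ExaBGP command to emit, or None."""
        if healthy:
            self.fails, self.oks = 0, self.oks + 1
        else:
            self.fails, self.oks = self.fails + 1, 0
        down = in_maintenance(now) or self.fails >= FAILS_TO_WITHDRAW
        if self.announced and down:
            self.announced = False
            cmd = f"withdraw route {self.prefix} next-hop self"
        elif not self.announced and not down and self.oks >= OKS_TO_ANNOUNCE:
            self.announced = True
            cmd = f"announce route {self.prefix} next-hop self"
        else:
            return None
        self.history.append(cmd)
        return cmd


def probe_service():
    """Constructed stand-in: a real probe would query the local DNS/HTTP daemon
    through the anycast address and return False on timeout or a bad answer."""
    return True


def main(interval=1.0):
    """Loop forever as an ExaBGP 'process': ExaBGP reads the commands printed
    on stdout and turns them into UPDATEs on the session to the upstream."""
    ctl = AnycastController()
    while True:
        cmd = ctl.step(probe_service(), datetime.now(timezone.utc))
        if cmd:
            sys.stdout.write(cmd + "\n")
            sys.stdout.flush()      # must flush, or ExaBGP never sees the line
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Run it as an ExaBGP process; in ExaBGP 4 that is, assuming its documented configuration syntax, a `process` block with `run /usr/bin/python3 /usr/local/bin/anycast_ctl.py; encoder text;` and `api { processes [ ... ]; }` under the neighbour. Because this script is the only source of routes, the session can never leak anything but PREFIX, which is the class of mistake Bill and Jonathan warn about elsewhere in the thread; the upstream's inbound filter still has to permit the /24, and the upstream must be told that the prefix will come and go.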

Re: BGP Session

2014-07-19 Thread Paul S.
I believe you'll find that all of this gets a lot easier if you try to 
understand how layer 3 routing itself works instead of asking sporadic 
questions one at a time.


I recommend picking up a layer 3 routing book for the platform of your 
choice and going through the basics.


On 7/19/2014 04:43 PM, Abuse Contact wrote:

Hi,
Yeah, I need to turn on and off over time, but I'm getting my own ASN very
soon so that shouldn't be a problem soon! :)
But how would I go about turning off a location at a certain time?


Thanks!


On Wed, Jul 16, 2014 at 5:50 PM, Jonathan Lassoff j...@thejof.com wrote:


Wow -- be careful playing with public eBGP sessions unless you know
what you're doing. It can affect the entire Internet.

Since you're just connecting to a single upstream ISP, you won't
qualify for a public AS number. So, you'll have to work with your
upstream ISP to agree on a private AS number you can use.
You will be setting up an eBGP session (which is a session between two
different AS numbers, as opposed to iBGP, wherein the AS numbers are
the same).

As for running BGP on a dedicated server, it'll depend on the OS in
use. Assuming Linux, take a look at Quagga, BIRD, and ExaBGP.
http://www.nongnu.org/quagga/
http://bird.network.cz/
https://code.google.com/p/exabgp/


It may be a *lot* easier for you to just have your upstream ISP
announce your IP space, and route it to your dedicated server, unless
you need the ability to turn it off and on over time.

Cheers,
jof

On Wed, Jul 16, 2014 at 1:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:

Hi,
So I just purchased a Dedicated server from this one company and I have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but I am
clueless on how to setup the /24 IPv4 block using the BGP Session. I want
to set it up to run through their network as if it was one of their IPs,
etc. I keep seeing things like iBGP (which I think means like an inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea how

to

set those up or which one I would need.

Any help would be appreciated.


Thanks!




Re: Best practice for BGP session/ full routes for customer

2014-07-19 Thread Anurag Bhatia
Thanks everyone for insightful answers!


On Fri, Jul 18, 2014 at 6:09 AM, Mark Tinka mark.ti...@seacom.mu wrote:

 On Monday, July 14, 2014 07:32:43 PM Jeff Tantsura wrote:

  Mark,
 
  BGP to RIB filtering (in any vendor implementation) is
  targeting RR which is not in the forwarding path, so
  there's no forwarding towards any destination filtered
  out from RIB.
  Using it selectively on a forwarding node is error prone
  and in case of incorrect configuration would result in
  blackholing.

 As with every feature on a router, you need to know what
 you're doing to make it work.

 Don't blame the cows if you turn on knobs you have no
 business using, or don't care to learn the risks of.

 We use this feature in our network successfully, because we
 know what we're doing, and care to understand the risks.

 If I use it in a manner other than previously directed
 (while I know it's a use-case, I've never heard of any
 vendor saying it ONLY targeted out-of-path route reflectors,
 but then again, I don't generally walk vendor corridors for
 the scoop), well, welcome to the Internet; where core
 routers can either be behemoths that move air the size of a
 football field and could be mistaken for seismic detection
 machines, or last generation's x86 home desktop running
 Quagga and grandma's health app :-).

 Mark.




-- 


Anurag Bhatia
anuragbhatia.com

Linkedin http://in.linkedin.com/in/anuragbhatia21 | Twitter
https://twitter.com/anurag_bhatia
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2


Re: BGP Session

2014-07-19 Thread William Herrin
On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:
 So I just purchased a Dedicated server from this one company and I have a
 /24 IPv4 block that I bought from a company on WebHostingTalk, but I am
 clueless on how to setup the /24 IPv4 block using the BGP Session. I want
 to set it up to run through their network as if it was one of their IPs,
 etc. I keep seeing things like iBGP (which I think means like an inner
 routing BGP) and eBGP (what I'm talking about??) but I have no idea how to
 set those up or which one I would need.

Howdy,

Unless you have (1) a real router available, not just a server and
(2) an expert available to help you with your first BGP configuration
I strongly recommend you simply ask your service provider to announce
the /24 to the Internet on your behalf.

Server-based BGP software like Quagga for Linux is reasonably good but
it should absolutely not be involved in your _first_ attempt to
connect with the Internet's default-free zone. Simple mistakes with
eBGP can cause tremendous damage to other folks on the Internet. Trial
and error is simply not OK. If it isn't worth it to you to buy a
BGP-capable router then you also aren't prepared to make the
investment in learning it takes to use BGP without causing harm.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Can I solve your unusual networking challenges?


Re: BGP Session

2014-07-19 Thread Abuse Contact
I know, the DC is going to be giving me a BGP session on their router so I
can set it up, I'm not using a Linux server as a router.


On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:

 On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
 stopabuseandrep...@gmail.com wrote:
  So I just purchased a Dedicated server from this one company and I have a
  /24 IPv4 block that I bought from a company on WebHostingTalk, but I am
  clueless on how to setup the /24 IPv4 block using the BGP Session. I want
  to set it up to run through their network as if it was one of their IPs,
  etc. I keep seeing things like iBGP (which I think means like an inner
  routing BGP) and eBGP (what I'm talking about??) but I have no idea how
 to
  set those up or which one I would need.

 Howdy,

 Unless you have (1) a real router available, not just a server and
 (2) an expert available to help you with your first BGP configuration
 I strongly recommend you simply ask your service provider to announce
 the /24 to the Internet on your behalf.

 Server-based BGP software like Quagga for Linux is reasonably good but
 it should absolutely not be involved in your _first_ attempt to
 connect with the Internet's default-free zone. Simple mistakes with
 eBGP can cause tremendous damage to other folks on the Internet. Trial
 and error is simply not OK. If it isn't worth it to you to buy a
 BGP-capable router then you also aren't prepared to make the
 investment in learning it takes to use BGP without causing harm.

 Regards,
 Bill Herrin


 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/
 Can I solve your unusual networking challenges?



Re: BGP Session

2014-07-19 Thread Suresh Ramasubramanian
A single linux box with a whole /24 on it? What sort of use case is that,
BTW?
 On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
wrote:

 I know, the DC is going to be giving me a BGP session on their router so I
 can set it up, I'm not using a Linux server as a router.


 On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:

  On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
  stopabuseandrep...@gmail.com wrote:
   So I just purchased a Dedicated server from this one company and I
 have a
   /24 IPv4 block that I bought from a company on WebHostingTalk, but I am
   clueless on how to setup the /24 IPv4 block using the BGP Session. I
 want
   to set it up to run through their network as if it was one of their
 IPs,
   etc. I keep seeing things like iBGP (which I think means like an inner
   routing BGP) and eBGP (what I'm talking about??) but I have no idea how
  to
   set those up or which one I would need.
 
  Howdy,
 
  Unless you have (1) a real router available, not just a server and
  (2) an expert available to help you with your first BGP configuration
  I strongly recommend you simply ask your service provider to announce
  the /24 to the Internet on your behalf.
 
  Server-based BGP software like Quagga for Linux is reasonably good but
  it should absolutely not be involved in your _first_ attempt to
  connect with the Internet's default-free zone. Simple mistakes with
  eBGP can cause tremendous damage to other folks on the Internet. Trial
  and error is simply not OK. If it isn't worth it to you to buy a
  BGP-capable router then you also aren't prepared to make the
  investment in learning it takes to use BGP without causing harm.
 
  Regards,
  Bill Herrin
 
 
  --
  William Herrin  her...@dirtside.com  b...@herrin.us
  Owner, Dirtside Systems . Web: http://www.dirtside.com/
  Can I solve your unusual networking challenges?
 



Re: BGP Session

2014-07-19 Thread Abuse Contact
Proxying.


On Sat, Jul 19, 2014 at 9:59 AM, Suresh Ramasubramanian ops.li...@gmail.com
 wrote:

 A single linux box with a whole /24 on it? What sort of use case is that,
 BTW?
  On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
 wrote:

 I know, the DC is going to be giving me a BGP session on their router so I
 can set it up, I'm not using a Linux server as a router.


 On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:

  On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
  stopabuseandrep...@gmail.com wrote:
   So I just purchased a Dedicated server from this one company and I
 have a
   /24 IPv4 block that I bought from a company on WebHostingTalk, but I
 am
   clueless on how to setup the /24 IPv4 block using the BGP Session. I
 want
   to set it up to run through their network as if it was one of their
 IPs,
   etc. I keep seeing things like iBGP (which I think means like an inner
   routing BGP) and eBGP (what I'm talking about??) but I have no idea
 how
  to
   set those up or which one I would need.
 
  Howdy,
 
  Unless you have (1) a real router available, not just a server and
  (2) an expert available to help you with your first BGP configuration
  I strongly recommend you simply ask your service provider to announce
  the /24 to the Internet on your behalf.
 
  Server-based BGP software like Quagga for Linux is reasonably good but
  it should absolutely not be involved in your _first_ attempt to
  connect with the Internet's default-free zone. Simple mistakes with
  eBGP can cause tremendous damage to other folks on the Internet. Trial
  and error is simply not OK. If it isn't worth it to you to buy a
  BGP-capable router then you also aren't prepared to make the
  investment in learning it takes to use BGP without causing harm.
 
  Regards,
  Bill Herrin
 
 
  --
  William Herrin  her...@dirtside.com  b...@herrin.us
  Owner, Dirtside Systems . Web: http://www.dirtside.com/
  Can I solve your unusual networking challenges?
 




Re: BGP Session

2014-07-19 Thread Jonathan Lassoff
An Anycasting node. For example, as part of a reliable DNS service.
A /24 is usually the smallest prefix length that is portably accepted.

Also, applications where connections need to appear to be coming from many
source IPs.

On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
wrote:

 A single linux box with a whole /24 on it? What sort of use case is that,
 BTW?
  On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
 wrote:

  I know, the DC is going to be giving me a BGP session on their router so
 I
  can set it up, I'm not using a Linux server as a router.
 
 
  On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us
 wrote:
 
   On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
   stopabuseandrep...@gmail.com wrote:
So I just purchased a Dedicated server from this one company and I
  have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but I
 am
clueless on how to setup the /24 IPv4 block using the BGP Session. I
  want
to set it up to run through their network as if it was one of their
  IPs,
etc. I keep seeing things like iBGP (which I think means like an inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea
 how
   to
set those up or which one I would need.
  
   Howdy,
  
   Unless you have (1) a real router available, not just a server and
   (2) an expert available to help you with your first BGP configuration
   I strongly recommend you simply ask your service provider to announce
   the /24 to the Internet on your behalf.
  
   Server-based BGP software like Quagga for Linux is reasonably good but
   it should absolutely not be involved in your _first_ attempt to
   connect with the Internet's default-free zone. Simple mistakes with
   eBGP can cause tremendous damage to other folks on the Internet. Trial
   and error is simply not OK. If it isn't worth it to you to buy a
   BGP-capable router then you also aren't prepared to make the
   investment in learning it takes to use BGP without causing harm.
  
   Regards,
   Bill Herrin
  
  
   --
   William Herrin  her...@dirtside.com  b...@herrin.us
   Owner, Dirtside Systems . Web: http://www.dirtside.com/
   Can I solve your unusual networking challenges?
  
 



Re: BGP Session

2014-07-19 Thread Abuse Contact
Yeah, we're using it for an anycasted node but like, I'm confused on
certain parts like, just a really basic question.
When doing things like

conf t
router bgp 1337
 ! IOS takes the bare AS number here and in remote-as, not "AS1337"
 neighbor 208.54.128.0 remote-as 13335
 neighbor 208.54.128.0 description BGP with Upstream
 neighbor 208.54.128.0 password lolpass
 !
 address-family ipv4
  no synchronization
  neighbor 208.54.128.0 activate
  neighbor 208.54.128.0 soft-reconfiguration inbound
 exit-address-family

I'm confused on when doing this, would I need to state like

First go to AS13335 then go to TATA then go to my server or would it just
automatically do that or would my provider do that? I'm confused on that.
How would I state multiple peers?


On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote:

 An Anycasting node. For example, as part of a reliable DNS service.
 A /24 is usually the smallest prefix length that is portably accepted.

 Also, applications where connections need to appear to be coming from many
 source IPs.


 On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 wrote:

 A single linux box with a whole /24 on it? What sort of use case is that,
 BTW?
  On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
 wrote:

  I know, the DC is going to be giving me a BGP session on their router
 so I
  can set it up, I'm not using a Linux server as a router.
 
 
  On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:
 
   On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
   stopabuseandrep...@gmail.com wrote:
So I just purchased a Dedicated server from this one company and I
  have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but
 I am
clueless on how to setup the /24 IPv4 block using the BGP Session. I
  want
to set it up to run through their network as if it was one of their
  IPs,
etc. I keep seeing things like iBGP (which I think means like an
 inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea
 how
   to
set those up or which one I would need.
  
   Howdy,
  
   Unless you have (1) a real router available, not just a server and
   (2) an expert available to help you with your first BGP configuration
   I strongly recommend you simply ask your service provider to announce
   the /24 to the Internet on your behalf.
  
   Server-based BGP software like Quagga for Linux is reasonably good but
   it should absolutely not be involved in your _first_ attempt to
   connect with the Internet's default-free zone. Simple mistakes with
   eBGP can cause tremendous damage to other folks on the Internet. Trial
   and error is simply not OK. If it isn't worth it to you to buy a
   BGP-capable router then you also aren't prepared to make the
   investment in learning it takes to use BGP without causing harm.
  
   Regards,
   Bill Herrin
  
  
   --
   William Herrin  her...@dirtside.com  b...@herrin.us
   Owner, Dirtside Systems . Web: http://www.dirtside.com/
   Can I solve your unusual networking challenges?
  
 




Re: BGP Session

2014-07-19 Thread Jon Lewis
Assuming this isn't some silly troll, you need to either hire someone with 
a bit more clue or see if your provider is willing to configure your 
router.  It sounds like you have no idea how IP routing works.


On Sat, 19 Jul 2014, Abuse Contact wrote:


Yeah, we're using it for an anycasted node but like, I'm confused on
certain parts like, just a really basic question.
When doing things like

conf t
router bgp 1337

neighbor 208.54.128.0 remote-as 13335
neighbor 208.54.128.0 description BGP with Upstream
neighbor 208.54.128.0 password lolpass

address-family ipv4
no synchronization
neighbor 208.54.128.0 activate
neighbor 208.54.128.0 soft-reconfiguration inbound

I'm confused on when doing this, would I need to state like

First go to AS13335 then go to TATA then go to my server or would it just
automatically do that or would my provider do that? I'm confused on that.
how would I state multiple peers.?


On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote:


An Anycasting node. For example, as part of a reliable DNS service.
A /24 is usually the smallest prefix length that is portably accepted.

Also, applications where connections need to appear to be coming from many
source IPs.


On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
wrote:


A single linux box with a whole /24 on it? What sort of use case is that,
BTW?
 On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
wrote:


I know, the DC is going to be giving me a BGP session on their router

so I

can set it up, I'm not using a Linux server as a router.


On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:


On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:

So I just purchased a Dedicated server from this one company and I

have a

/24 IPv4 block that I bought from a company on WebHostingTalk, but

I am

clueless on how to set up the /24 IPv4 block using the BGP Session. I

want

to set it up to run through their network as if it was one of their

IPs,

etc. I keep seeing things like iBGP (which I think means like an

inner

routing BGP) and eBGP (what I'm talking about??) but I have no idea

how

to

set those up or which one I would need.


Howdy,

Unless you have (1) a real router available, not a just a server and
(2) an expert available to help you with your first BGP configuration
I strongly recommend you simply ask your service provider to announce
the /24 to the Internet on your behalf.

Server-based BGP software like Quagga for Linux is reasonably good but
it should absolutely not be involved in your _first_ attempt to
connect with the Internet's default-free zone. Simple mistakes with
eBGP can cause tremendous damage to other folks on the Internet. Trial
and error is simply not OK. If it isn't worth it to you to buy a
BGP-capable router then you also aren't prepared to make the
investment in learning it takes to use BGP without causing harm.

Regards,
Bill Herrin


--
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Can I solve your unusual networking challenges?











--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: BGP Session

2014-07-19 Thread Jonathan Lassoff
On Sat, Jul 19, 2014 at 10:12 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:
 Yeah, we're using it for an anycasted node but like, I'm confused on certain
 parts like, just a really basic question.
 When doing things like

 conf t
 router bgp 1337
 
 neighbor 208.54.128.0 remote-as 13335
 neighbor 208.54.128.0 description BGP with Upstream
 neighbor 208.54.128.0 password lolpass
 
 address-family ipv4
 no synchronization
 neighbor 208.54.128.0 activate
 neighbor 208.54.128.0 soft-reconfiguration inbound

 I'm confused on when doing this, would I need to state like

 First go to AS13335 then go to TATA then go to my server or would it just
 automatically do that or would my provider do that? I'm confused on that.
 how would I state multiple peers.?

AS13335 is Cloudflare.
How does TATA relate? You have a dedicated server connected to TATA and
Cloudflare? I'm skeptical.

You really ought to do some more reading, learning, and practicing
before running public BGP.

I would recommend reading this book cover-to-cover:
http://www.bgpexpert.com/'BGP'-by-Iljitsch-van-Beijnum/
It's only ~250 small pages.
To practice and experiment, emulate some example configurations with
GNS3 and Dynamips, or some Linux VMs with Quagga or BIRD.




 On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote:

 An Anycasting node. For example, as part of a reliable DNS service.
 A /24 is usually the smallest prefix length that is portably accepted.

 Also, applications where connections need to appear to be coming from many
 source IPs.


 On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 wrote:

 A single linux box with a whole /24 on it? What sort of use case is that,
 BTW?
  On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
 wrote:

  I know, the DC is going to be giving me a BGP session on their router
  so I
  can set it up, I'm not using a Linux server as a router.
 
 
  On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:
 
   On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
   stopabuseandrep...@gmail.com wrote:
So I just purchased a Dedicated server from this one company and I
  have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but
I am
clueless on how to set up the /24 IPv4 block using the BGP Session.
I
  want
to set it up to run through their network as if it was one of their
  IPs,
etc. I keep seeing things like iBGP (which I think means like an
inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea
how
   to
set those up or which one I would need.
  
   Howdy,
  
   Unless you have (1) a real router available, not a just a server and
   (2) an expert available to help you with your first BGP configuration
   I strongly recommend you simply ask your service provider to announce
   the /24 to the Internet on your behalf.
  
   Server-based BGP software like Quagga for Linux is reasonably good
   but
   it should absolutely not be involved in your _first_ attempt to
   connect with the Internet's default-free zone. Simple mistakes with
   eBGP can cause tremendous damage to other folks on the Internet.
   Trial
   and error is simply not OK. If it isn't worth it to you to buy a
   BGP-capable router then you also aren't prepared to make the
   investment in learning it takes to use BGP without causing harm.
  
   Regards,
   Bill Herrin
  
  
   --
   William Herrin  her...@dirtside.com  b...@herrin.us
   Owner, Dirtside Systems . Web: http://www.dirtside.com/
   Can I solve your unusual networking challenges?
  
 




Re: BGP Session

2014-07-19 Thread Abuse Contact
Oh no, I just used the first ASNs that came to mind :P


On Sat, Jul 19, 2014 at 10:23 AM, Jonathan Lassoff j...@thejof.com wrote:

 On Sat, Jul 19, 2014 at 10:12 AM, Abuse Contact
 stopabuseandrep...@gmail.com wrote:
  Yeah, we're using it for an anycasted node but like, I'm confused on
 certain
  parts like, just a really basic question.
  When doing things like
 
  conf t
  router bgp 1337
  
  neighbor 208.54.128.0 remote-as 13335
  neighbor 208.54.128.0 description BGP with Upstream
  neighbor 208.54.128.0 password lolpass
  
  address-family ipv4
  no synchronization
  neighbor 208.54.128.0 activate
  neighbor 208.54.128.0 soft-reconfiguration inbound
 
  I'm confused on when doing this, would I need to state like
 
  First go to AS13335 then go to TATA then go to my server or would it just
  automatically do that or would my provider do that? I'm confused on that.
  how would I state multiple peers.?

 AS13335 is Cloudflare.
 How does TATA relate? You have a dedicated server connected to TATA and
 Cloudflare? I'm skeptical.

 You really ought to do some more reading, learning, and practicing
 before running public BGP.

 I would recommend reading this book cover-to-cover:
 http://www.bgpexpert.com/'BGP'-by-Iljitsch-van-Beijnum/
 It's only ~250 small pages.
 To practice and experiment, emulate some example configurations with
 GNS3 and Dynamips, or some Linux VMs with Quagga or BIRD.


 
 
  On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com
 wrote:
 
  An Anycasting node. For example, as part of a reliable DNS service.
  A /24 is usually the smallest prefix length that is portably accepted.
 
  Also, applications where connections need to appear to be coming from
 many
  source IPs.
 
 
  On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 
  wrote:
 
  A single linux box with a whole /24 on it? What sort of use case is
 that,
  BTW?
   On 19-Jul-2014 10:26 pm, Abuse Contact 
 stopabuseandrep...@gmail.com
  wrote:
 
   I know, the DC is going to be giving me a BGP session on their router
   so I
   can set it up, I'm not using a Linux server as a router.
  
  
   On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us
 wrote:
  
On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:
 So I just purchased a Dedicated server from this one company and
 I
   have a
 /24 IPv4 block that I bought from a company on WebHostingTalk,
 but
 I am
 clueless on how to set up the /24 IPv4 block using the BGP
 Session.
 I
   want
 to set it up to run through their network as if it was one of
 their
   IPs,
 etc. I keep seeing things like iBGP (which I think means like an
 inner
 routing BGP) and eBGP (what I'm talking about??) but I have no
 idea
 how
to
 set those up or which one I would need.
   
Howdy,
   
Unless you have (1) a real router available, not a just a server
 and
(2) an expert available to help you with your first BGP
 configuration
I strongly recommend you simply ask your service provider to
 announce
the /24 to the Internet on your behalf.
   
Server-based BGP software like Quagga for Linux is reasonably good
but
it should absolutely not be involved in your _first_ attempt to
connect with the Internet's default-free zone. Simple mistakes with
eBGP can cause tremendous damage to other folks on the Internet.
Trial
and error is simply not OK. If it isn't worth it to you to buy a
BGP-capable router then you also aren't prepared to make the
investment in learning it takes to use BGP without causing harm.
   
Regards,
Bill Herrin
   
   
--
William Herrin  her...@dirtside.com
 b...@herrin.us
Owner, Dirtside Systems . Web: http://www.dirtside.com/
Can I solve your unusual networking challenges?
   
  
 
 



Re: BGP Session

2014-07-19 Thread Scott Morris
Fundamental routing training would greatly help you here.  I would suggest
looking for that.

If you are not peering with TATA, then your routes would not go to TATA
first.  (unless the next-hop is indirect and that brings up other
fundamental routing things that you should learn about)

AS13335 is not TATA.  So if this is what your provider gave you, one first
assumes you'd be directly connected to them (that's one of the rules in
BGP's RFC for external connections).  If you have multiple providers, you
may have multiple peers.  Each one would give you information.

But like others have stated, I would strongly suggest you stop your
testing for the moment and either hire someone to help or take some time
to learn the basics on there.  Otherwise, successful or not, your testing
will really have no meaning to you.

Just my two cents.

Scott


-Original Message-
From: Abuse Contact stopabuseandrep...@gmail.com
Date: Saturday, July 19, 2014 at 1:12 PM
To: Jonathan Lassoff j...@thejof.com
Cc: nanog@nanog.org nanog@nanog.org
Subject: Re: BGP Session

Yeah, we're using it for an anycasted node but like, I'm confused on
certain parts like, just a really basic question.
When doing things like

conf t
router bgp 1337

neighbor 208.54.128.0 remote-as 13335
neighbor 208.54.128.0 description BGP with Upstream
neighbor 208.54.128.0 password lolpass

address-family ipv4
no synchronization
neighbor 208.54.128.0 activate
neighbor 208.54.128.0 soft-reconfiguration inbound

I'm confused on when doing this, would I need to state like

First go to AS13335 then go to TATA then go to my server or would it just
automatically do that or would my provider do that? I'm confused on that.
how would I state multiple peers.?


On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote:

 An Anycasting node. For example, as part of a reliable DNS service.
 A /24 is usually the smallest prefix length that is portably accepted.

 Also, applications where connections need to appear to be coming from
many
 source IPs.


 On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 wrote:

 A single linux box with a whole /24 on it? What sort of use case is
that,
 BTW?
  On 19-Jul-2014 10:26 pm, Abuse Contact
stopabuseandrep...@gmail.com
 wrote:

  I know, the DC is going to be giving me a BGP session on their router
 so I
  can set it up, I'm not using a Linux server as a router.
 
 
  On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us
wrote:
 
   On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
   stopabuseandrep...@gmail.com wrote:
So I just purchased a Dedicated server from this one company and
I
  have a
/24 IPv4 block that I bought from a company on WebHostingTalk,
but
 I am
clueless on how to set up the /24 IPv4 block using the BGP
Session. I
  want
to set it up to run through their network as if it was one of
their
  IPs,
etc. I keep seeing things like iBGP (which I think means like an
 inner
routing BGP) and eBGP (what I'm talking about??) but I have no
idea
 how
   to
set those up or which one I would need.
  
   Howdy,
  
   Unless you have (1) a real router available, not a just a server
and
   (2) an expert available to help you with your first BGP
configuration
   I strongly recommend you simply ask your service provider to
announce
   the /24 to the Internet on your behalf.
  
   Server-based BGP software like Quagga for Linux is reasonably good
but
   it should absolutely not be involved in your _first_ attempt to
   connect with the Internet's default-free zone. Simple mistakes with
   eBGP can cause tremendous damage to other folks on the Internet.
Trial
   and error is simply not OK. If it isn't worth it to you to buy a
   BGP-capable router then you also aren't prepared to make the
   investment in learning it takes to use BGP without causing harm.
  
   Regards,
   Bill Herrin
  
  
   --
   William Herrin  her...@dirtside.com  b...@herrin.us
   Owner, Dirtside Systems . Web: http://www.dirtside.com/
   Can I solve your unusual networking challenges?
  
 






Re: BGP Session

2014-07-19 Thread Abuse Contact
Yeah, that's probably the best idea in this situation. I've been really
interested in BGP but didn't know where to start, I'll read all the books
that you guys put up above and start reading them.
Also, referring to what you said
If you are not peering with TATA, then your routes would not go to TATA
first.  (unless the next-hop is indirect and that brings up other
fundamental routing things that you should learn about)
Yeah, I meant that if I was getting a Transit service from them. Like, if
using a DC like Equinix, you have access to countless amounts of
opportunities to use Transits from virtually any provider, if I were to
contact TATA and ask for a transit, I'd set that up in BGP, but I'm
confused on how. I'll look into Fundamental routing.

Thanks!


On Sat, Jul 19, 2014 at 10:29 AM, Scott Morris s...@emanon.com wrote:

 Fundamental routing training would greatly help you here.  I would suggest
 looking for that.

 If you are not peering with TATA, then your routes would not go to TATA
 first.  (unless the next-hop is indirect and that brings up other
 fundamental routing things that you should learn about)

 AS13335 is not TATA.  So if this is what your provider gave you, one first
 assumes you'd be directly connected to them (that's one of the rules in
 BGP's RFC for external connections).  If you have multiple providers, you
 may have multiple peers.  Each one would give you information.

 But like others have stated, I would strongly suggest you stop your
 testing for the moment and either hire someone to help or take some time
 to learn the basics on there.  Otherwise, successful or not, your testing
 will really have no meaning to you.

 Just my two cents.

 Scott


 -Original Message-
 From: Abuse Contact stopabuseandrep...@gmail.com
 Date: Saturday, July 19, 2014 at 1:12 PM
 To: Jonathan Lassoff j...@thejof.com
 Cc: nanog@nanog.org nanog@nanog.org
 Subject: Re: BGP Session

 Yeah, we're using it for an anycasted node but like, I'm confused on
 certain parts like, just a really basic question.
 When doing things like
 
 conf t
 router bgp 1337
 
 neighbor 208.54.128.0 remote-as 13335
 neighbor 208.54.128.0 description BGP with Upstream
 neighbor 208.54.128.0 password lolpass
 
 address-family ipv4
 no synchronization
 neighbor 208.54.128.0 activate
 neighbor 208.54.128.0 soft-reconfiguration inbound
 
 I'm confused on when doing this, would I need to state like
 
 First go to AS13335 then go to TATA then go to my server or would it just
 automatically do that or would my provider do that? I'm confused on that.
 how would I state multiple peers.?
 
 
 On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com
 wrote:
 
  An Anycasting node. For example, as part of a reliable DNS service.
  A /24 is usually the smallest prefix length that is portably accepted.
 
  Also, applications where connections need to appear to be coming from
 many
  source IPs.
 
 
  On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 
  wrote:
 
  A single linux box with a whole /24 on it? What sort of use case is
 that,
  BTW?
   On 19-Jul-2014 10:26 pm, Abuse Contact
 stopabuseandrep...@gmail.com
  wrote:
 
   I know, the DC is going to be giving me a BGP session on their router
  so I
   can set it up, I'm not using a Linux server as a router.
  
  
   On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us
 wrote:
  
On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:
 So I just purchased a Dedicated server from this one company and
 I
   have a
 /24 IPv4 block that I bought from a company on WebHostingTalk,
 but
  I am
 clueless on how to set up the /24 IPv4 block using the BGP
 Session. I
   want
 to set it up to run through their network as if it was one of
 their
   IPs,
 etc. I keep seeing things like iBGP (which I think means like an
  inner
 routing BGP) and eBGP (what I'm talking about??) but I have no
 idea
  how
to
 set those up or which one I would need.
   
Howdy,
   
Unless you have (1) a real router available, not a just a server
 and
(2) an expert available to help you with your first BGP
 configuration
I strongly recommend you simply ask your service provider to
 announce
the /24 to the Internet on your behalf.
   
Server-based BGP software like Quagga for Linux is reasonably good
 but
it should absolutely not be involved in your _first_ attempt to
connect with the Internet's default-free zone. Simple mistakes with
eBGP can cause tremendous damage to other folks on the Internet.
 Trial
and error is simply not OK. If it isn't worth it to you to buy a
BGP-capable router then you also aren't prepared to make the
investment in learning it takes to use BGP without causing harm.
   
Regards,
Bill Herrin
   
   
--
William Herrin  her...@dirtside.com
 b...@herrin.us
Owner, Dirtside Systems . Web

Re: BGP Session

2014-07-19 Thread Owen DeLong
When did the NANOG list become freeconsulting.org?

Owen

On Jul 19, 2014, at 10:12 , Abuse Contact stopabuseandrep...@gmail.com wrote:

 Yeah, we're using it for an anycasted node but like, I'm confused on
 certain parts like, just a really basic question.
 When doing things like
 
 conf t
 router bgp 1337
 
 neighbor 208.54.128.0 remote-as 13335
 neighbor 208.54.128.0 description BGP with Upstream
 neighbor 208.54.128.0 password lolpass
 
 address-family ipv4
 no synchronization
 neighbor 208.54.128.0 activate
 neighbor 208.54.128.0 soft-reconfiguration inbound
 
 I'm confused on when doing this, would I need to state like
 
 First go to AS13335 then go to TATA then go to my server or would it just
 automatically do that or would my provider do that? I'm confused on that.
 how would I state multiple peers.?
 
 
 On Sat, Jul 19, 2014 at 10:06 AM, Jonathan Lassoff j...@thejof.com wrote:
 
 An Anycasting node. For example, as part of a reliable DNS service.
 A /24 is usually the smallest prefix length that is portably accepted.
 
 Also, applications where connections need to appear to be coming from many
 source IPs.
 
 
 On Saturday, July 19, 2014, Suresh Ramasubramanian ops.li...@gmail.com
 wrote:
 
 A single linux box with a whole /24 on it? What sort of use case is that,
 BTW?
 On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
 wrote:
 
 I know, the DC is going to be giving me a BGP session on their router
 so I
 can set it up, I'm not using a Linux server as a router.
 
 
 On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:
 
 On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact
 stopabuseandrep...@gmail.com wrote:
 So I just purchased a Dedicated server from this one company and I
 have a
 /24 IPv4 block that I bought from a company on WebHostingTalk, but
 I am
 clueless on how to set up the /24 IPv4 block using the BGP Session. I
 want
 to set it up to run through their network as if it was one of their
 IPs,
 etc. I keep seeing things like iBGP (which I think means like an
 inner
 routing BGP) and eBGP (what I'm talking about??) but I have no idea
 how
 to
 set those up or which one I would need.
 
 Howdy,
 
 Unless you have (1) a real router available, not a just a server and
 (2) an expert available to help you with your first BGP configuration
 I strongly recommend you simply ask your service provider to announce
 the /24 to the Internet on your behalf.
 
 Server-based BGP software like Quagga for Linux is reasonably good but
 it should absolutely not be involved in your _first_ attempt to
 connect with the Internet's default-free zone. Simple mistakes with
 eBGP can cause tremendous damage to other folks on the Internet. Trial
 and error is simply not OK. If it isn't worth it to you to buy a
 BGP-capable router then you also aren't prepared to make the
 investment in learning it takes to use BGP without causing harm.
 
 Regards,
 Bill Herrin
 
 
 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/
 Can I solve your unusual networking challenges?
 
 
 
 



Re: BGP Session

2014-07-19 Thread Fletcher Kittredge
On Sat, Jul 19, 2014 at 6:36 PM, Owen DeLong o...@delong.com wrote:

 When did the NANOG list become freeconsulting.org?

 Owen


1996


-- 
Fletcher Kittredge
GWI
8 Pomerleau Street
Biddeford, ME 04005-9457
207-602-1134


Re: BGP Session

2014-07-19 Thread Valdis . Kletnieks
On Sat, 19 Jul 2014 15:36:02 -0700, Owen DeLong said:
 When did the NANOG list become freeconsulting.org?

I read that post, and I had a severe attack of "If you have to ask this
question, you're not going to understand any answer short enough to fit
in a NANOG post".




RE: BGP Session

2014-07-19 Thread Tim Burke
Sounds like one of those sketchy 'triple-opt-in' mailing lists... :-)

Or they're running 37 FTP's, 6 Ventrillos, 71 teleconferences, etc. Oh, and 
SSL. Can't forget about SSL. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Suresh Ramasubramanian
Sent: Saturday, July 19, 2014 11:59 AM
To: Abuse Contact
Cc: nanog@nanog.org
Subject: Re: BGP Session

A single linux box with a whole /24 on it? What sort of use case is that, BTW?
 On 19-Jul-2014 10:26 pm, Abuse Contact stopabuseandrep...@gmail.com
wrote:

 I know, the DC is going to be giving me a BGP session on their router 
 so I can set it up, I'm not using a Linux server as a router.


 On Sat, Jul 19, 2014 at 9:04 AM, William Herrin b...@herrin.us wrote:

  On Wed, Jul 16, 2014 at 4:05 AM, Abuse Contact 
  stopabuseandrep...@gmail.com wrote:
   So I just purchased a Dedicated server from this one company and I
 have a
   /24 IPv4 block that I bought from a company on WebHostingTalk, but 
   I am clueless on how to set up the /24 IPv4 block using the BGP 
   Session. I
 want
   to set it up to run through their network as if it was one of 
   their
 IPs,
   etc. I keep seeing things like iBGP (which I think means like an 
   inner routing BGP) and eBGP (what I'm talking about??) but I have 
   no idea how
  to
   set those up or which one I would need.
 
  Howdy,
 
  Unless you have (1) a real router available, not a just a server and
  (2) an expert available to help you with your first BGP 
  configuration I strongly recommend you simply ask your service 
  provider to announce the /24 to the Internet on your behalf.
 
  Server-based BGP software like Quagga for Linux is reasonably good 
  but it should absolutely not be involved in your _first_ attempt to 
  connect with the Internet's default-free zone. Simple mistakes with 
  eBGP can cause tremendous damage to other folks on the Internet. 
  Trial and error is simply not OK. If it isn't worth it to you to buy 
  a BGP-capable router then you also aren't prepared to make the 
  investment in learning it takes to use BGP without causing harm.
 
  Regards,
  Bill Herrin
 
 
  --
  William Herrin  her...@dirtside.com  b...@herrin.us 
  Owner, Dirtside Systems . Web: http://www.dirtside.com/ 
  Can I solve your unusual networking challenges?
 



Re: Best practice for BGP session/ full routes for customer

2014-07-17 Thread Nick Hilliard
On 14/07/2014 18:32, Jeff Tantsura wrote:
 BGP to RIB filtering (in any vendor implementation) is targeting RR which
 is not in the forwarding path, so there's no forwarding towards any
 destination filtered out from RIB.
 Using it selectively on a forwarding node is error prone and in case of
 incorrect configuration would result in blackholing.

There are other drawbacks too: the difference in convergence time between 
24k prefixes and a full DFZ is usually going to be large, although I
haven't tested this on an ME3600X yet.  Also, these boxes only have 1G of
memory, which might be a bit tight as the DFZ increases.  For sure, it's already
not enough on a bunch of other vanilla IOS platforms.

Nick

 
 Cheers,
 Jeff
 
 
 
 
 -Original Message-
 From: Mark Tinka mark.ti...@seacom.mu
 Organization: SEACOM
 Reply-To: mark.ti...@seacom.mu
 Date: Tuesday, July 8, 2014 at 1:56 PM
 To: nanog@nanog.org nanog@nanog.org
 Subject: Re: Best practice for BGP session/ full routes for customer
 
 On Monday, July 07, 2014 08:33:12 PM Anurag Bhatia wrote:

 In this scenario what is best practice for giving full
 table to downstream?

 In our case, we have three types of edge routers; Juniper
 MX480 + Cisco ASR1006, and the Cisco ME3600X.

 For the MX480 and ASR1006 have no problems supporting a full
 table. So customers peer natively.

 The ME3600X is a small switch, that supports only up to
 24,000 IPv4 and 5,000 IPv6 FIB entries. However, Cisco have
 a feature called BGP Selective Download:

  http://tinyurl.com/nodnmct

 Using BGP-SD, we can send a full BGP table from our route
 reflectors to our ME3600X switches, without worrying about
 them entering the FIB, i.e., they are held only in memory.
 The beauty - you can advertise these routes to customers
 natively, without clunky eBGP Multi-Hop sessions running
 rampant.

 Of course, with BGP-SD, you still need a 0/0 + ::/0 route in
 the FIB for traffic to flow from your customers upstream,
 but that is fine as it's only two entries :-).

 If your system supports a BGP-SD-type implementation, I'd
 recommend it, provided you have sufficient control plane
 memory.

 Cheers,

 Mark.
 
 


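Mark's BGP Selective Download description in configuration form, as an added example in Cisco IOS syntax. This is not configuration from Mark, Nick or SEACOM; the local ASN 65000, the route reflector at 10.255.0.1, the customer at 192.0.2.2, the next-hops and the community value 65000:100 are all constructed. Jeff's blackholing point is the thing to design around: with `table-map ... filter`, a destination whose route the route-map denies has no RIB or FIB entry on this box, so the router can only forward towards it via a default route. The example therefore puts the defaults in place first and only then turns on the filter; the commented-out variant at the top is the misconfiguration.

```cisco
! Added example, not from the thread. Constructed values throughout:
!   local ASN 65000, route reflector 10.255.0.1 (sends the full table over iBGP),
!   downstream customer AS64500 at 192.0.2.2 (wants the full table natively),
!   community 65000:100 marks our own and our customers' routes (must be in FIB),
!   everything else (transit, hundreds of thousands of prefixes) stays in BGP only.
!
! --- Weak: the filter with no default route. Traffic for any prefix the
!     route-map denies has no RIB/FIB entry and is dropped on this box,
!     which is the blackholing Jeff describes. ---
!
!   router bgp 65000
!    address-family ipv4
!     table-map FIB-SELECT filter
!   ! (no 0.0.0.0/0 anywhere in the routing table)
!
! --- Corrected: defaults in the FIB first, then selective download ---

ip bgp-community new-format
! Only routes carrying the "ours or our customers'" community are
! installed in the RIB/FIB; a default route is matched explicitly so a
! BGP-learned 0/0 is never filtered out by accident.
ip community-list standard FIB-WANTED permit 65000:100
ip prefix-list DEFAULT-ONLY seq 10 permit 0.0.0.0/0

route-map FIB-SELECT permit 10
 match community FIB-WANTED
route-map FIB-SELECT permit 20
 match ip address prefix-list DEFAULT-ONLY
! implicit deny: everything else is kept in the BGP table but not downloaded

! Static defaults towards the upstream-facing core (constructed next-hops).
! Administrative distance 250 lets a BGP-learned default win if one exists.
! The IPv6 address-family (not shown) needs its own table-map and ::/0.
ip route 0.0.0.0 0.0.0.0 10.0.0.254 250
ipv6 route ::/0 2001:db8::254 250

router bgp 65000
 bgp log-neighbor-changes
 ! Full table from the route reflector over plain iBGP.
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 update-source Loopback0
 ! Downstream customer that wants the full table; it is advertised from
 ! the BGP table, so no eBGP multihop session to a bigger box is needed.
 neighbor 192.0.2.2 remote-as 64500
 neighbor 192.0.2.2 description Customer, full table
 address-family ipv4
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.1 send-community
  neighbor 192.0.2.2 activate
  ! Selective download: the route-map decides what reaches the RIB/FIB.
  ! Without the "filter" keyword a table-map only sets attributes.
  table-map FIB-SELECT filter
  ! Sanity checks after applying:
  !   show ip bgp summary      -> full table prefix count from the RR
  !   show ip route summary    -> far fewer entries, those FIB-SELECT permits
  !   show ip route 0.0.0.0    -> the default must be present
```

The control-plane caveat Nick raises still applies: the full table is held in the BGP process's memory even though the FIB stays small, so the memory on the box, not its TCAM, becomes the limit as the DFZ grows.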

Re: Best practice for BGP session/ full routes for customer

2014-07-17 Thread Mark Tinka
On Monday, July 14, 2014 07:32:43 PM Jeff Tantsura wrote:

 Mark,
 
 BGP to RIB filtering (in any vendor implementation) is
 targeting RR which is not in the forwarding path, so
 there's no forwarding towards any destination filtered
 out from RIB.
 Using it selectively on a forwarding node is error prone
 and in case of incorrect configuration would result in
 blackholing.

As with every feature on a router, you need to know what 
you're doing to make it work.

Don't blame the cows if you turn on knobs you have no 
business using, or don't care to learn the risks of.

We use this feature in our network successfully, because we 
know what we're doing, and care to understand the risks.

If I use it in a manner other than previously directed 
(while I know it's a use-case, I've never heard of any 
vendor saying it ONLY targeted out-of-path route reflectors, 
but then again, I don't generally walk vendor corridors for 
the scoop), well, welcome to the Internet; where core 
routers can either be behemoths that move air the size of a 
football field and could be mistaken for seismic detection 
machines, or last generation's x86 home desktop running 
Quagga and grandma's health app :-).

Mark.




BGP Session

2014-07-16 Thread Abuse Contact
Hi,
So I just purchased a Dedicated server from this one company and I have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but I am
clueless on how to set up the /24 IPv4 block using the BGP Session. I want
to set it up to run through their network as if it was one of their IPs,
etc. I keep seeing things like iBGP (which I think means like an inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea how to
set those up or which one I would need.

Any help would be appreciated.


Thanks!


Re: BGP Session

2014-07-16 Thread Stephane Bortzmeyer
I love the From: field :-)



Re: BGP Session

2014-07-16 Thread manning bill
what's not to love… it's DKIM'd & everything

/bill
Neca eos omnes.  Deus suos agnoscet.

On 16July2014Wednesday, at 1:12, Stephane Bortzmeyer bortzme...@nic.fr wrote:

 I love the From: field :-)
 



Re: BGP Session

2014-07-16 Thread Brandon Martin

On 07/16/2014 04:05 AM, Abuse Contact wrote:

Hi,
So I just purchased a Dedicated server from this one company and I have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but I am
clueless on how to set up the /24 IPv4 block using the BGP Session. I want
to set it up to run through their network as if it was one of their IPs,
etc. I keep seeing things like iBGP (which I think means like an inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea how to
set those up or which one I would need.


Just ask your hosting provider to announce it for you and route it from 
their border to your box?


--
Brandon Martin


Re: BGP Session

2014-07-16 Thread Jonathan Lassoff
Wow -- be careful playing with public eBGP sessions unless you know
what you're doing. It can affect the entire Internet.

Since you're just connecting to a single upstream ISP, you won't
qualify for a public AS number. So, you'll have to work with your
upstream ISP to agree on a private AS number you can use.
You will be setting up an eBGP session (which is a session between two
different AS numbers, as opposed to iBGP, wherein the AS numbers are
the same).

As for running BGP on a dedicated server, it'll depend on the OS in
use. Assuming Linux, take a look at Quagga, BIRD, and ExaBGP.
http://www.nongnu.org/quagga/
http://bird.network.cz/
https://code.google.com/p/exabgp/


It may be a *lot* easier for you to just have your upstream ISP
announce your IP space, and route it to your dedicated server, unless
you need the ability to turn it off and on over time.

Cheers,
jof

On Wed, Jul 16, 2014 at 1:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:
 Hi,
 So I just purchased a Dedicated server from this one company and I have a
 /24 IPv4 block that I bought from a company on WebHostingTalk, but I am
 clueless on how to set up the /24 IPv4 block using the BGP Session. I want
 to set it up to run through their network as if it was one of their IPs,
 etc. I keep seeing things like iBGP (which I think means like an inner
 routing BGP) and eBGP (what I'm talking about??) but I have no idea how to
 set those up or which one I would need.

 Any help would be appreciated.


 Thanks!


Re: Best practice for BGP session/ full routes for customer

2014-07-14 Thread Jeff Tantsura
Mark,

BGP to RIB filtering (in any vendor implementation) is targeting RR which
is not in the forwarding path, so there's no forwarding towards any
destination filtered out from RIB.
Using it selectively on a forwarding node is error prone and in case of
incorrect configuration would result in blackholing.

Cheers,
Jeff




-Original Message-
From: Mark Tinka mark.ti...@seacom.mu
Organization: SEACOM
Reply-To: mark.ti...@seacom.mu
Date: Tuesday, July 8, 2014 at 1:56 PM
To: nanog@nanog.org nanog@nanog.org
Subject: Re: Best practice for BGP session/ full routes for customer

On Monday, July 07, 2014 08:33:12 PM Anurag Bhatia wrote:
 
 In this scenario what is best practice for giving full
 table to downstream?

In our case, we have three types of edge routers; Juniper
MX480 + Cisco ASR1006, and the Cisco ME3600X.

The MX480 and ASR1006 have no problems supporting a full
table, so customers peer natively.

The ME3600X is a small switch that supports only up to
24,000 IPv4 and 5,000 IPv6 FIB entries. However, Cisco have
a feature called BGP Selective Download:

   http://tinyurl.com/nodnmct

Using BGP-SD, we can send a full BGP table from our route
reflectors to our ME3600X switches, without worrying about
them entering the FIB, i.e., they are held only in memory.
The beauty - you can advertise these routes to customers
natively, without clunky eBGP Multi-Hop sessions running
rampant.

Of course, with BGP-SD, you still need a 0/0 + ::/0 route in
the FIB for traffic to flow from your customers upstream,
but that is fine as it's only two entries :-).

If your system supports a BGP-SD-type implementation, I'd
recommend it, provided you have sufficient control plane
memory.

Cheers,

Mark.



Re: Best practice for BGP session/ full routes for customer

2014-07-08 Thread Mark Tinka
On Monday, July 07, 2014 08:33:12 PM Anurag Bhatia wrote:
 
 In this scenario what is best practice for giving full
 table to downstream?

In our case, we have three types of edge routers; Juniper 
MX480 + Cisco ASR1006, and the Cisco ME3600X.

The MX480 and ASR1006 have no problems supporting a full
table, so customers peer natively.

The ME3600X is a small switch that supports only up to
24,000 IPv4 and 5,000 IPv6 FIB entries. However, Cisco have
a feature called BGP Selective Download:

http://tinyurl.com/nodnmct

Using BGP-SD, we can send a full BGP table from our route 
reflectors to our ME3600X switches, without worrying about 
them entering the FIB, i.e., they are held only in memory. 
The beauty - you can advertise these routes to customers 
natively, without clunky eBGP Multi-Hop sessions running 
rampant.

Of course, with BGP-SD, you still need a 0/0 + ::/0 route in 
the FIB for traffic to flow from your customers upstream, 
but that is fine as it's only two entries :-).

If your system supports a BGP-SD-type implementation, I'd 
recommend it, provided you have sufficient control plane 
memory.

Cheers,

Mark.




Re: Best practice for BGP session/ full routes for customer

2014-07-08 Thread Mark Tinka
On Monday, July 07, 2014 08:46:05 PM Jason Lixfeld wrote:

 1.  You already know that multihop is very ugly.  If it's
 for a one-off, it's probably fine.  But building a
 product around multi-hop wouldn't be my first choice.

We prefer Layer 2 bundling technologies like 802.1AX, POS 
bundles or ML-PPP. 

However, some customers just can't support this, but have 
multiple links to us and need load sharing. In this case, 
eBGP Multi-Hop is a reasonable use-case.

Mark.




Re: Best practice for BGP session/ full routes for customer

2014-07-08 Thread Mark Tinka
On Monday, July 07, 2014 08:46:05 PM Jason Lixfeld wrote:

 3.  If your network is MPLS enabled, you can do a routed
 pseudowire from a BGP speaking router with a full table
 to the access router (PE).  Other tunnelling
 technologies can probably do the same thing; GRE, L2TPv3
 and also a plain'ol VLAN can do it too, depending on
 your network topology.  Do some sort of OAM over top of
 either of those (if your platform supports it) and it
 looks just like a wire to the end customer.

Nasty, as I generally walk away from centralization.

However, if that's your only option...

Mark.




Best practice for BGP session/ full routes for customer

2014-07-07 Thread Anurag Bhatia
Hello everyone!


I have a quick question on how you provide a full BGP table to downstream
customers?


Most large networks have a few border routers (Internet gateways) which
get a full table feed and then they have access routers on which customers
are terminated. Now I don't think it makes sense to push the full routing table
on the access routers; their default simply points to the border routers.


In this scenario what is best practice for giving full table to downstream?


   1. Having multi-hop BGP session with a loopback on border router for
   injecting full table in customer router and another BGP session with access
   router for receiving routes? (messy!)


   2. Injecting full table in just all access routers so that it can be
   provided whenever needed?

   3. Any other?




Thanks in advance!

-- 


Anurag Bhatia
anuragbhatia.com

Linkedin http://in.linkedin.com/in/anuragbhatia21 | Twitter
https://twitter.com/anurag_bhatia
Skype: anuragbhatia.com

PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2


Re: Best practice for BGP session/ full routes for customer

2014-07-07 Thread Jason Lixfeld
1.  You already know that multihop is very ugly.  If it's for a one-off, it's 
probably fine.  But building a product around multi-hop wouldn't be my first 
choice.

2.  Most of the router/switch vendors that can support a full table are pretty 
expensive, per port.  Your best bet here might be to look into some way of 
transparently dragging customer traffic from the PE to the BGP speaker, which 
leads me to:

3.  If your network is MPLS enabled, you can do a routed pseudowire from a BGP 
speaking router with a full table to the access router (PE).  Other tunnelling 
technologies can probably do the same thing; GRE, L2TPv3 and also a plain'ol 
VLAN can do it too, depending on your network topology.  Do some sort of OAM 
over top of either of those (if your platform supports it) and it looks just 
like a wire to the end customer.

On Jul 7, 2014, at 2:33 PM, Anurag Bhatia m...@anuragbhatia.com wrote:

 Hello everyone!
 
 
 I have a quick question on how you provide a full BGP table to downstream
 customers?
 
 
 Most large networks have a few border routers (Internet gateways) which
 get a full table feed and then they have access routers on which customers
 are terminated. Now I don't think it makes sense to push the full routing table
 on the access routers; their default simply points to the border routers.
 
 
 In this scenario what is best practice for giving full table to downstream?
 
 
   1. Having multi-hop BGP session with a loopback on border router for
   injecting full table in customer router and another BGP session with access
   router for receiving routes? (messy!)
 
 
   2. Injecting full table in just all access routers so that it can be
   provided whenever needed?
 
   3. Any other?
 
 
 
 
 Thanks in advance!
 
 -- 
 
 
 Anurag Bhatia
 anuragbhatia.com
 
 Linkedin http://in.linkedin.com/in/anuragbhatia21 | Twitter
 https://twitter.com/anurag_bhatia
 Skype: anuragbhatia.com
 
 PGP Key Fingerprint: 3115 677D 2E94 B696 651B 870C C06D D524 245E 58E2



Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-02-10 Thread Eloy Paris

Hi Rob,

Eloy Paris from the Cisco PSIRT here. Please see below (inline) for
some comments regarding the issue you brought up in your email to the
cisco-nsp and nanog mailing lists this past Jan. 16th:

On Fri Jan 16 07:57:52 2009, Rob Shakir wrote:

 Strict RFC 4893 (4-byte ASN support) BGP4 implementations are
 vulnerable to a session reset by distant (not directly connected)
 ASes. This vulnerability is a feature of the standard, and unless
 immediate action is taken an increasingly significant number of
 networks will be open to attack. Accidental triggering of this
 vulnerability has already been seen in the wild, although the limited
 number of RFC 4893 deployments has limited its effect.

 Summary:
 It is possible to cause BGP sessions to remotely reset by injecting
 invalid data into the AS4_PATH attribute provided to store 4-byte ASN
 paths. Since AS4_PATH is an optional transitive attribute, the invalid
 data will be transited through many intermediate ASes which will not
 examine the content. To be vulnerable, an operator does not have to
 be actively using 4-byte AS support. This problem was first reported
 by Andy Davidson on NANOG in December 2008 [0], furthermore we have
 been able to demonstrate that a device running Cisco IOS release
 12.0(32)S12 behaves as per this description.

 Details:

[...]

Cisco Bug CSCsx10140 was filed for Cisco IOS. Cisco IOS behaves exactly
as you described - upon receipt of AS_CONFED_SEQUENCE data in the
AS4_PATH attribute IOS will send a NOTIFICATION message to the peer,
which causes a termination of the BGP session. After the fix for this
bug IOS will ignore AS_CONFED_SEQUENCE data in the AS4_PATH attribute of
received BGP UPDATE messages and continue to process the UPDATE. This is
the new behavior that the revised RFC 4893 will require.

CSCsx18598 was filed for Cisco IOS XR. Cisco IOS XR doesn't reset the
session but accepts and forwards the invalid AS4_PATH data, so this bug
was filed to change this behavior.

CSCsx23179 was filed for Cisco NX-OS (for the Nexus switches.) Cisco
NX-OS behaves like IOS (it will reset the BGP session when it sees
AS_CONFED_SEQUENCE data in the AS4_PATH attribute), and this bug was
filed to change this and have the BGP implementation in Cisco NX-OS
follow the revised RFC 4893.

The Release Notes for each bug may have some additional
information. These are available via the Bug Toolkit on cisco.com
(http://tools.cisco.com/Support/BugToolKit)

To date, the only version of Cisco IOS that supports 4-byte AS numbers
is 12.0(32)S12, released in late December. A fix to the 12.0(32)Sxx
branch has been committed so the next 12.0(32)S-based release will have
the fix. 12.0(32)SY8 is coming out soon, and it will also have support
for 4-byte AS numbers, as well as the fix for the problem.

Thanks for bringing attention to this issue and for working with us,
specifically with the Cisco TAC, to get to the bottom of it and test
the proposed fix.

Cheers,

-- 

Eloy Paris
Cisco PSIRT



Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-21 Thread Rob Shakir
Hi,

Further to the initial research sent to NANOG, after discussions with a number
of operators, we have compiled some recommendations on the handling of invalid
AS4_PATH attributes. 

Any feedback on these recommendations is appreciated:

As discussed on the IETF IDR list last month, there are concerns relating to the
treatment of AS_CONFED_SET/SEQUENCE in AS4_PATH as described in RFC4893 [0].
Since the last post to that thread the situation has been made more urgent with
the release of Cisco IOS 12.0(32)S12, which responds to malformed AS4_PATH
attributes by sending a NOTIFICATION to the neighbour, and tearing down the BGP
adjacency. This behaviour seems to be required by RFC4721 section 6.3, as there
is no alternative error handling defined in RFC4893. As posted last Friday [1],
and discussed on the IDR list, this strict implementation introduces a new
attack vector by which a BGP session can be torn down due to an attribute
populated by a distant BGP neighbour. These malformed attributes have already
been seen in the wild as a result of an error in Juniper's implementation of
RFC4893. 

Following discussions with a number of operators, we have attempted to generate
some recommendations relating to the behaviour that would be operationally most
useful when treating the invalid data in the AS4_PATH optional transitive
attribute.

There are two cases to consider when an invalid AS4_PATH is received:
   (1) A path to the prefix is not already known from that neighbour.
   (2) A path to the prefix has already been learnt from that neighbour.
   
In case (1) we recommend that the BGP speaker should discard the UPDATE and log
the fact. The log entry should include the received AS_PATH and
AS4_PATH to aid in debugging.

In case (2) we recommend that the BGP speaker should treat the UPDATE as a
withdrawal of existing path to the prefix. As per case (1) a log entry should be
raised to indicate that this has occurred.

It is quite possible that in both cases this behaviour may result in the BGP
speaker no longer having a valid path to the destination. We foresee that this
lack of a prefix in a BGP speaker's routing table may cause some operational
load initially, however, we feel that this is acceptable, considering the
alternate behaviours.

Should a prefix be injected into the global table with an invalid AS4_PATH, and
should the newly advertised (invalid) path be selected by all upstreams
available to a given ASN then this ASN will lose reachability to the prefix.
Whilst this can be abused we do not see this as more serious than the existing
possibility of malicious injection and blackholing of a prefix by a 3rd party.
As long as the rejection of paths due to invalid AS4_PATHs is clearly reported
to the administrator the source of the problem can be clearly identified. 

We consider that attempting to extract a valid AS4 or AS_PATH from the invalid
UPDATE is a mistake since this allows the propagation of invalid BGP data. In
addition, incorrect implementation of this comparatively complex mechanism by a
vendor may result in loops. By explicitly not installing prefixes with invalid
AS_PATH or AS4_PATH into the routing table, the possibility of loops caused by
these invalid paths is avoided.

The defined behaviour in RFC4893 and RFC4271 has significantly harmful effects
and it seems only by virtue of the fact that the implementations of many vendors
do not strictly comply with the RFCs that this problem has not had the same
impact for every vendor. At the current time, however, one cannot deploy a
4-byte capable Cisco IOS device, or an OpenBGP (current stable release) router
into the global table, without risking teardown of every session via which a
global table is learnt.

Further discussion of this issue would be much appreciated, as a common and
consistent approach to rectifying the problem will benefit network operators far
more than individual vendors implementing their own solution. Should a consensus
be reached an update to the RFC is required in order to ensure that future
implementations do not exhibit this harmful behaviour.

Kind regards,
Andy Davidson (NetSumo), andy.david...@netsumo.com
Jonathan Oddy (HostWay), jonathan.o...@hostway.co.uk 
Rob Shakir (GX Networks), r...@eng.gxn.net

[0]: http://www.ietf.org/mail-archive/web/idr/current/msg03368.html
[1]: http://www.merit.edu/mail.archives/nanog/msg14345.html

Many thanks to David Freedman (Claranet) for assistance in developing the
recommendations in this document. 







Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-20 Thread Rob Shakir
On Mon, Jan 19, 2009 at 03:58:17PM +, Jonathan Oddy wrote:
 As mentioned in both [1] and [2] this is especially critical as at
 present Cisco IOS will tear down sessions when receiving an AS4_PATH
 containing an AS_CONFED_SET/SEQUENCE.

Hi,

Whilst this behaviour is RFC compliant, as previously described, it is
sub-optimal operationally. I have raised this issue with Cisco TAC, and
CSCsx10140 has been opened to track this problem.

I would encourage those network operators who may be planning to deploy
AS4-support and use Cisco equipment to open an SR with Cisco, tracking this bug,
to try to ensure that both the IOS behaviour, and RFC are changed.

Many thanks,
Rob

--
Rob Shakir  r...@eng.gxn.net
Network Development Engineer  GX Networks/Vialtus Solutions
ddi: +44208 587 6077  mob: +44797 155 4098
pgp: 0xc07e6deb  nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html





Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-20 Thread Mikael Abrahamsson


have been able to demonstrate that a device running Cisco IOS release 
12.0(32)S12 behaves as per this description.


Has anyone looked into IOS XR behaviour, if it's the same as 12.0(32)S12?

--
Mikael Abrahamsson  email: swm...@swm.pp.se



Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-20 Thread Rob Shakir
On Tue, Jan 20, 2009 at 01:01:03PM +0100, Mikael Abrahamsson wrote:
 have been able to demonstrate that a device running Cisco IOS release  
 12.0(32)S12 behaves as per this description.

 Has anyone looked into IOS XR behaviour, if it's the same as 12.0(32)S12?

Mikael,

Pierfrancesco Caci was kind enough to provide me with some output from an XR
box. It appears that IOS XR behaves in the same manner as Force10, and JunOS,
whereby the session is not torn down, and the path is installed, albeit with a
munged AS_PATH. The output below is for the prefix from 196629 which we
originally analysed:

Path #1: Received by speaker 0
   3356 35320 3.21 23456

Given that the XR box is an AS4-speaker, one would not expect to see 23456 in the
AS_PATH; the presence of this AS seems to be a symptom of the bug (and again
occurs on Juniper/Force10).

Kind regards,
Rob

--
Rob Shakir  r...@eng.gxn.net
Network Development Engineer  GX Networks/Vialtus Solutions
ddi: +44208 587 6077  mob: +44797 155 4098
pgp: 0xc07e6deb  nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html





Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-19 Thread Jonathan Oddy


I was indeed aware of the OpenBGPD discussion and patch, and I'm glad it
has been worked around in what I believe to be a sensible way, however I
disagree with the comment in the code that states that the standard does
not specify how to handle this situation. I believe that RFC 4271* and
4893** currently require a teardown of the session in this case and
indeed the person who committed the fix to OpenBGPD seems to agree in
their commit message (although still kept the code comment.)

This really needs to lead to more debate on the correct way to handle
this situation and an updated standard, before implementers decide to
fix this in their own different ways. The discussion on the IETF IDR
mailing list[1] was promising, but looks to have died off before
reaching a conclusion. There was mention of stripping the
AS_CONFED_SET/SEQUENCE from the AS4_PATH, however several people pointed
out this approach is not without issues. Dropping the UPDATE entirely is
also discussed, but can lead to loops. Personally I favour treating
receipt of an UPDATE with a malformed attribute as a withdrawal,
although this was only briefly mentioned and its implications were never
discussed in any detail...

The reason for us publishing this report was to alert people to the fact
that this problem is definitely in the wild, there are broken AS4_PATHs
being announced, and, critically, Cisco's IOS releases to support
RFC4893 are vulnerable to having their sessions reset as a result of
their standards compliant implementation. At present our advice has to
be that upgrading to an IOS version with RFC4893 support is extremely
dangerous, and should be avoided at all costs (where this leaves Cisco
shops who have been given 32 bit AS numbers by their RIR is somewhat
unpleasant to consider.) It must be emphasized that this is due to no
fault on Cisco's part, but rather a feature of the standard that must be
corrected as soon as possible.

[1] http://www.ietf.org/mail-archive/web/idr/current/msg03368.html

* From RFC4271:

Section 6:
    When any of the conditions described here are detected, a
    NOTIFICATION message, with the indicated Error Code, Error Subcode,
    and Data fields, is sent, and the BGP connection is closed (unless it
    is explicitly stated that no NOTIFICATION message is to be sent and
    the BGP connection is not to be closed).  If no Error Subcode is
    specified, then a zero MUST be used.

Section 6.3:
    If an optional attribute is recognized, then the value of this
    attribute MUST be checked.  If an error is detected, the attribute
    MUST be discarded, and the Error Subcode MUST be set to Optional
    Attribute Error.  The Data field MUST contain the attribute (type,
    length, and value).

** From RFC4893:

Section 3:
    To prevent the possible propagation of confederation path segments
    outside of a confederation, the path segment types AS_CONFED_SEQUENCE
    and AS_CONFED_SET [RFC3065] are declared invalid for the AS4_PATH
    attribute.

--
Jonathan Oddy
Hostway UK





Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-19 Thread Jack Bates

Jonathan Oddy wrote:

dangerous, and should be avoided at all costs (where this leaves Cisco
shops who have been given 32 bit AS numbers by their RIR is somewhat
unpleasant to consider.) It must be emphasized that this is due to no


Suddenly makes one wonder if it would have been easier to take back any
ASNs which weren't justified versus butchering the protocol.



Jack



Re: BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-19 Thread Jonathan Oddy


After some lab work we have established that the source of the invalid
AS4_PATHs discussed in [1] is likely a non compliant implementation of
RFC4893 (AS4) in some versions of Juniper JunOS.

We have observed the following behaviour with both JunOS 9.3R1.7 and
9.1R2.10, and suspect it may be present in all other JunOS versions
since they introduced AS4 support in 9.1R1. Unfortunately we have
limited resources so have not been able to test with other versions.

When a mix of pre and post 9.1R1 JunOS devices are deployed within a
network utilising confederations the AS4_PATH (if present) is used by
the AS4 supporting devices to hold an AS_CONFED_SET/SEQUENCE. This
behaviour is explicitly forbidden by RFC4893 [3]. If the egress router
from the AS utilising confederations is not AS4-aware the confederation
information is never removed from the AS4_PATH, and is passed onto the
neighbouring networks with the repercussions discussed in [1].

As mentioned in both [1] and [2] this is especially critical as at
present Cisco IOS will tear down sessions when receiving an AS4_PATH
containing an AS_CONFED_SET/SEQUENCE.


Lab setup:

AS1.0 - obgp1 (OpenBGPD)
AS64512 {
    AS65001 - juniper1 (JunOS 9.1 or 9.3) (32 bit ASN support)
    AS65002 - juniper2 (JunOS 8.4) (no 32 bit ASN support)
}
AS64513 - obgp2 (OpenBGPD)

Where AS1.0 is an AS with a 32bit AS number, AS64512 is a Juniper
network using confederations and with mixed AS4 support, and AS64513 is
another network (doesn't matter what it supports.)

On announcing a prefix from obgp1 we observe the following in the UPDATE
from juniper1 to juniper2:
AS_PATH: (65001) 23456
AS4_PATH: (65001) 65536

And at obgp2:
AS_PATH: 64512 23456
AS4_PATH: (65001) 65536

This shows juniper1, which is AS4-aware, adding an AS_CONFED_SET to both
the AS_PATH and AS4_PATH before announcing the prefix to juniper2. As
juniper2 is not AS4-aware it does not strip the AS_CONFED_SET from the
AS4_PATH before announcing it to obgp2, resulting in an invalid AS4_PATH
attribute in the UPDATE to obgp2.

Conclusions:
  * If you use JunOS and make use of confederations you should ensure
    that your entire network either supports AS4 (9.1R1 or later) or doesn't
    (pre 9.1.)
  * While the Juniper implementation is clearly non-compliant with the
    standard, and should be corrected, the number of versions in which this
    bug is probably present means that these versions will never be
    completely eliminated from use.
  * The flaw in the standard can still be misused maliciously.

We do not see that going forward it will be possible to completely
eliminate the possibility of an AS_CONFED_SET appearing in an AS4_PATH.

We believe that this problem requires a consistent response from the
vendors, and that to facilitate such a response the standard must be
revised. Even if vendors do implement their own workarounds the standard
needs to be revised to ensure that future implementers don't fall into
this trap.

Regards,
 Andy Davidson, NetSumo (andy.david...@netsumo.com),
 Jonathan Oddy, Hostway UK (jonathan.o...@hostway.co.uk),
 Rob Shakir, GX Networks (r...@eng.gxn.net)

[1] http://www.merit.edu/mail.archives/nanog/msg14345.html
[2] http://www.merit.edu/mail.archives/nanog/msg14388.html
[3] From RFC4893 section 3:
    To prevent the possible propagation of confederation path segments
    outside of a confederation, the path segment types AS_CONFED_SEQUENCE
    and AS_CONFED_SET [RFC3065] are declared invalid for the AS4_PATH
    attribute.


Thanks to Dan Goscomb (Goscomb Tech) for loan of a J2320 for the lab.
Thanks to Will Hargrave (LONAP) for assistance with this document.

--
Jonathan Oddy
Hostway UK





BGP Session Teardown due to AS_CONFED_SEQUENCE in AS4_PATH

2009-01-16 Thread Rob Shakir
Strict RFC 4893 (4-byte ASN support) BGP4 implementations are vulnerable to a
session reset by distant (not directly connected) ASes. This vulnerability is a
feature of the standard, and unless immediate action is taken an increasingly
significant number of networks will be open to attack. Accidental triggering of
this vulnerability has already been seen in the wild, although the limited
number of RFC 4893 deployments has limited its effect.  

Summary:
It is possible to cause BGP sessions to remotely reset by injecting invalid data
into the AS4_PATH attribute provided to store 4-byte ASN paths. Since AS4_PATH
is an optional transitive attribute, the invalid data will be transited through
many intermediate ASes which will not examine the content. To be vulnerable, an
operator does not have to be actively using 4-byte AS support. This problem was
first reported by Andy Davidson on NANOG in December 2008 [0], furthermore we
have been able to demonstrate that a device running Cisco IOS release
12.0(32)S12 behaves as per this description.

Details:

When a prefix is learnt from a BGP neighbour that does not support 4-byte ASNs,
the AS4_PATH attribute is retained, and appended to UPDATE messages sent to
other neighbours [1, 3]. RFC4893 specifies that AS_CONFED_SEQUENCE and
AS_CONFED_SET are invalid in an AS4_PATH, the intention of which is to ensure
that an AS with a mix of AS4-aware BGP speakers, and AS4-unaware BGP speakers
does not propagate confederation AS paths outside of the confederation [1, 3].
Upon receiving an invalid BGP UPDATE message, a BGP speaker must send a
NOTIFICATION message [2, 6.3]; after a NOTIFICATION message, the BGP connection
is closed [2, 4.5].

Analysis of the Reported Path:   

On 10th December 2008, a BGP update was propagated with illegal/invalid
confederation attributes in the AS4_PATH.  When this update was received by AS4
aware BGP speakers, the RFCs described above were interpreted literally and the
session was torn down. Because the illegal attributes were learned on a transit
session, an affected network can have global reachability impaired.

Please note that the analysis of this path describes what we expect to have
happened in this case; it has not been confirmed by any of the ASNs involved.

91.207.218.0/23 
Path Attributes - Origin: Incomplete 
Flags: 0x40 (Well-known, Transitive, Complete) 
Origin: Incomplete (2) 
AS_PATH: xx xx 35320 23456 (13 bytes) 
AS4_PATH: (65044 65057) 196629 (7 bytes) 

In this data, the AS_PATH indicates that a prefix is announced by an AS4 speaker
(as indicated by AS23456) and propagated through by AS35320. The AS4_PATH data
shows that the AS4 originator is AS196629, the rest of this path is an
AS_CONFED_SEQUENCE [3, 5]. It would appear that in this case, AS196629 peers
with AS35320, which is AS4-aware on this border. The prefix is then propagated
through AS35320, with the AS4 aware routers appending their ASN to the
AS_CONFED_SEQUENCE. This is in contravention of RFC 4893 [1, 3]. The border
which announces this route to AS35320's upstream does not appear to be
AS4-aware. During normal announcements, the BGP speaker on a border with an
upstream ASN that is not part of the confederation will remove the left-most
AS_CONFED_SETs or AS_CONFED_SEQUENCEs that exist in the AS_PATH [3, 6.1] and
replace them with the confederation identifier. However, due to the fact that
both AS_CONFED_SET and AS_CONFED_SEQUENCE are invalid in an AS4_PATH, then no
such action is taken on the border between an AS4 aware AS, and a non-AS4 aware
AS. In addition, since the AS35320 border is not AS4 aware, then it does not
update the AS4_PATH.

This malformed UPDATE is then sent to AS35320's upstream; if there are no
AS4-aware routers in the path between the AS35320 border and an AS receiving
this update, the AS4_PATH will not have been analysed. The first AS4-aware
router to receive this update will reset the session towards the neighbour from
whom it receives the update.

The border which announces this route to AS35320's upstream does not appear to
be AS4-aware. If it were a strict AS4 implementation it would reset the BGP
session due to the malformed AS4_PATH, and a broken implementation that treats
AS4_PATH as an equivalent of the AS_PATH would sanitise the AS4_PATH. This
allows the AS4_PATH containing an AS_CONFED_SET to be passed to neighbouring
networks.

This escape of an AS_CONFED_SET from a network with only partial AS4 support is
exactly the situation that RFC 4893 attempts to avoid by forbidding the presence
of an AS_CONFED_SET in the AS4_PATH. In the ideal world the neighbouring network
receiving an UPDATE containing this obviously malformed AS4_PATH would reset the
session, preventing further propagation and isolating the broken network.

Unfortunately the vast majority of networks do not support AS4 so pass on this
malformed AS4_PATH to their neighbours. The first AS4-aware router to receive
this update