On Wed, Feb 04, 2004 at 01:48:18AM -0800, bill wrote:
upstream routing for the new and old prefixes for b.root-servers.net is asymmetric. inbound is generally weighted to arrive through Level3, while the outbound is generally weighted to depart through verio.
due to exceptional work from Level3 and Los Nettos, they were able to identify that Verio filters using "golden" prefixes...
"I believe I have found the culprit. I think that Verio was filtering the b root traffic out because it was not a blessed source address."
and
"I have a strange feeling that Verio (the return path for 209.244/14 according to Walt, and probably for lots of other blocks) is filtering source addresses"
Yes, we do filter our customers per their registered prefixes for spoofed packets (rfc2267).

% whois -h rr.verio.net AS-LOSNETTOS
as-set:     AS-LOSNETTOS
descr:      Los Nettos and ASs for whom we provide transit
members:    AS226, AS31, AS5655, AS5726, AS7397, AS6289, AS47, AS3832, AS5736, AS20144, AS3659, AS26711, AS127, AS4
admin-c:    wp8-arin
tech-c:     wp8-arin
notify:     Prue@usc.edu
notify:     SandyG@usc.edu
mnt-by:     MAINT-AS226
changed:    sandyg@usc.edu 20031118
source:     VERIO

% whois -h rr.verio.net AS4
aut-num:    AS4
as-name:    ISI
descr:      USC/Information Sciences Institute
admin-c:    wp8-arin
tech-c:     wp8-arin
import:     from AS226 accept any
export:     to AS-LOSNETTOS announce AS4
notify:     prue@usc.edu
notify:     SandyG@usc.edu
mnt-by:     MAINT-AS226
changed:    Prue@usc.edu 20040203
source:     VERIO
Verio was asked to update its "blessed" or "golden" prefix list so that packets from "B" would reach their intended destinations. Third party reports indicate that this "correction" has been applied within Verio.
Yes, once the prefix properly appears in the routing registry, these packets will be allowed to pass.
I would appreciate private replies on the efficacy of this ACL modification.
If you're a Verio customer and seeing similar problems with some of the prefixes you own, check that they are properly registered. If you're a bgp customer, you can get copies of your acls automatically e-mailed to you whenever they change (including the change and the full acl). You will want to make sure that the route is registered if you intend to source packets from it (you do not necessarily need to announce it).

- Jared

--
Jared Mauch  | pgp key available via finger from jared@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
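The filtering described in this message, sketched as an added example (not part of the original message and not Verio's tooling): a per-customer source ACL is built from the route objects whose origin is a member of the customer's as-set, and a packet passes only if its source address falls inside one of those prefixes. The route objects and prefixes are constructed (RFC 5737 documentation ranges), the as-set is shortened from the whois output above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample registry data: members shortened from the as-set in the
# message; route objects and prefixes are made up, not the real registrations.
AS_SET = """\
as-set:  AS-LOSNETTOS
members: AS226, AS4
"""
ROUTES = """\
route:  192.0.2.0/24
origin: AS4

route:  198.51.100.0/24
origin: AS226

route:  203.0.113.0/24
origin: AS64500
"""

def as_set_members(text):
    """Return the ASNs listed on the members: lines of an RPSL as-set object."""
    members = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "members":
            members.update(m.strip() for m in value.split(",") if m.strip())
    return members

def registered_prefixes(routes_text, asns):
    """Collect route: prefixes whose origin: is one of the customer's ASNs."""
    prefixes = []
    for obj in routes_text.strip().split("\n\n"):
        attrs = dict(re.findall(r"^([\w-]+):\s*(\S+)", obj, re.M))
        if attrs.get("origin") in asns:
            prefixes.append(ipaddress.ip_network(attrs["route"]))
    return prefixes

def source_permitted(src, acl):
    """Ingress check: permit only sources inside a registered prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)

# ACL as generated from the registry: two of the three routes qualify.
ACL = registered_prefixes(ROUTES, as_set_members(AS_SET))
```

A source in 203.0.113.0/24 is dropped here even though a route object exists, because its origin is not in the customer's as-set; registering it under a member AS and regenerating the ACL lets it pass.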