question about bgp incremental updates
Hi everyone, I have a question about bgp updates: BGP uses an incremental update strategy to conserve bandwidth and processing power. That is, after initial exchange of complete routing information, a pair of BGP routers exchanges only the changes to that information. ( from RFC4274) According to this principle, if an AS suddenly announced a lot of updates (as below), can it be regarded as an anomaly such as BGP session reset? I wish to know if there are other reasons can result in this anomaly. Thanks! BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.24.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.28.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.16.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.20.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.16.0/20|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.12.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.12.0/22|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.204.0/23|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.208.0/21|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.8.0/24|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.1.32.0/20|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.204.0/23|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.208.0/21|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.24.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.28.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.16.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.20.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.16.0/20|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.12.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.12.0/22|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|218.189.8.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.1.32.0/20|6939 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|114.134.83.0/24|6939 3549 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|203.90.243.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|203.90.251.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|118.143.224.0/20|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|118.143.232.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.46.57.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.46.53.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.46.61.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|202.46.49.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|103.17.240.0/22|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|103.17.240.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:12|A|216.218.252.164|6939|112.73.6.0/23|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|118.194.231.0/24|6939 3549 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|175.100.198.0/24|6939 3549 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|175.100.206.0/24|6939 15412 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|210.0.209.0/24|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|210.3.0.0/22|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|210.3.4.0/23|6939 4436 25973 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|103.227.207.0/24|6939 1299 3257 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|114.134.83.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|203.90.243.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|203.90.251.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|118.143.224.0/20|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|118.143.232.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|202.46.57.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|202.46.53.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|202.46.61.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|202.46.49.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|103.17.240.0/22|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|103.17.240.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|112.73.6.0/23|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|118.194.231.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|175.100.206.0/24|6939 9304|IGP BGP4MP|04/23/14 13:05:13|A|216.218.252.164|6939|210.0.209.0/24|6939 9304|IGP -- Song Room 4-204, FIT Building, Network Security, Department of Electronic Engineering, Tsinghua University, Beijing 100084, China Tel:( +86) 010-62446440 E-mail: refresh.lsong@gmail.com
On Aug 4, 2014, at 9:29 AM, Song Li <refresh.lsong@gmail.com> wrote:
According to this principle, if an AS suddenly announced a lot of updates (as below), can it be regarded as an anomaly such as BGP session reset?
Yes. It's wise to monitor BGP announcements received from peers, and to investigate when large numbers of announcements or withdrawals take place simultaneously.
I wish to know if there are other reasons can result in this anomaly.
Human error, deliberate disaggregation for traffic-engineering purposes, accidental or deliberate hijacking, turning up new peering links, et. al. can result in sudden flurries of route announcements/withdrawals. ---------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Equo ne credite, Teucri. -- Laocoön
participants (2)
-
arbor.net
-
Song Li