Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
thank you,
----- Andrey Gordon [andrey.gordon@gmail.com]
On 01/02/10 10:13 -0500, Andrey Gordon wrote:
Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
Publicly advertised DNS server IPs should be good, such as google's 8.8.8.8 and 8.8.4.4.
-- Dan White
I'd rather send him to something more open like kernel.org; anything but Google's DNS. Google's DNS is a little too nefarious for my taste.
On 2/1/2010 10:31 AM, Dan White wrote:
On 01/02/10 10:13 -0500, Andrey Gordon wrote:
Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
Publicly advertised DNS server IPs should be good, such as google's 8.8.8.8 and 8.8.4.4.
-----Original Message-----
From: Curtis Maurand [mailto:cmaurand@xyonet.com]
Sent: Monday, February 01, 2010 10:47 AM
To: nanog@nanog.org
Subject: Re: Default route with object tracking
I'd rather send him to something more open like kernel.org; anything but Google's DNS. Google's DNS is a little too nefarious for my taste.
Level 3's 4.2.2.1 and 4.2.2.2 are excellent options for tracking.
Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
Would it be more reasonable to track a root DNS server that is available via anycast?? Something like 192.33.4.12? Not sure how accurate this is: http://en.wikipedia.org/wiki/Root_nameserver
----- Andrey Gordon [andrey.gordon@gmail.com]
On Mon, Feb 1, 2010 at 10:47 AM, Curtis Maurand <cmaurand@xyonet.com> wrote:
I'd rather send him to something more open like kernel.org; anything but Google's DNS. Google's DNS is a little too nefarious for my taste.
<tinfoil hat off> nefarious? as a route object to track for selection of a default route? really? </tinfoil hat off>
I think watching something 'very stable' like.... 198.6.0.0/16 may be useful, but in the end "pick some route that's long lived and not in just your upstream's control', that you see via both upstreams." seems like the best option.
-chris
On Feb 1, 2010, at 11:26 AM, Christopher Morrow wrote:
On Mon, Feb 1, 2010 at 10:47 AM, Curtis Maurand <cmaurand@xyonet.com> wrote:
I'd rather send him to something more open like kernel.org; anything but Google's DNS. Google's DNS is a little too nefarious for my taste.
<tinfoil hat off> nefarious? as a route object to track for selection of a default route? really? </tinfoil hat off>
I think watching something 'very stable' like.... 198.6.0.0/16 may be useful, but in the end "pick some route that's long lived and not in just your upstream's control', that you see via both upstreams." seems like the best option.
I think that a better word than "nefarious" would be "smart" -- Google's DNS may be doing its own optimizations which may conflict with your "route that's long lived" constraint.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
I think that "good" is all relative to what you are most likely to be able to reach from wherever your location happens to be! Google's... Level 3's..... Root DNS servers (anycast).... Pick something.
Scott
Curtis Maurand wrote:
I'd rather send him to something more open like kernel.org; anything but Google's DNS. Google's DNS is a little too nefarious for my taste.
On 2/1/2010 10:31 AM, Dan White wrote:
On 01/02/10 10:13 -0500, Andrey Gordon wrote:
Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
Publicly advertised DNS server IPs should be good, such as google's 8.8.8.8 and 8.8.4.4.
Make sure you source your icmp-echos from the address on the interface facing your primary ISP, otherwise your routing table will oscillate continually until your primary ISP comes back up. Here's how I did it with a cable ISP (note my event manager stuff uses no email body to get around the bug in previous versions of IOS, this may no longer be necessary):

ip sla 1
 icmp-echo <random root dns server> source-interface <internet-facing interface>
 timeout 3000
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo <random root dns server> source-interface <internet-facing interface>
 timeout 3000
 frequency 10
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo <random root dns server> source-interface <internet-facing interface>
 timeout 3000
 frequency 10
ip sla schedule 3 life forever start-time now
track 1 rtr 1 reachability
 delay down 30 up 30
track 2 rtr 2 reachability
 delay down 30 up 30
track 3 rtr 3 reachability
 delay down 30 up 30
track 4 list boolean or
 object 1
 object 2
 object 3
interface <internet-facing interface>
 ip dhcp client route track 4
 ip address dhcp
 ip nat outside
end
ip dhcp-client default-router distance 5
ip route 0.0.0.0 0.0.0.0 somewhereelse 10
event manager applet ISPDown
 event syslog pattern "%TRACKING-5-STATE: 4 list boolean or Up->Down"
 action ISPDown.1 mail server "<cellprovidersmx>" to "<mynumber>@<mycellprovider>" from "routers@<mydomain>" subject "ISP Service Down"
event manager applet ISPUp
 event syslog pattern "%TRACKING-5-STATE: 4 list boolean or Down->Up"
 action ISPUp.1 mail server "<cellprovidersmx>" to "<mynumber>@<mycellprovider>" from "routers@<mydomain>" subject "ISP Service Up"

-----Original Message-----
From: Andrey Gordon [mailto:andrey.gordon@gmail.com]
Sent: Monday, February 01, 2010 10:14 AM
To: Nanog
Subject: Default route with object tracking
Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
thank you,
----- Andrey Gordon [andrey.gordon@gmail.com]
To be absolutely safe, choose 4-5 of the ideas, track all of them and use a composite track object to combine them :) You can find a lot more details (including the oscillating routing problem) here:
http://www.nil.com/ipcorner/SmallSiteMultiHoming/
http://wiki.nil.com/Small_site_multihoming
Good luck!
Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info
-----Original Message-----
From: Andrey Gordon [mailto:andrey.gordon@gmail.com]
Sent: Monday, February 01, 2010 4:14 PM
To: Nanog
Subject: Default route with object tracking
Hi list.
I'd like to setup my default routes to the Interwebz to be conditional on reachability of something on the Interwebz. I got two different ISPs (no BGP). I'm trying to figure out what would be a reliable object to track? Meaning, it's probably not reasonable to track my ISPs default gateway, since it does not protect me from someone on the ISP side screwing up. I'm thinking of tracking something like google.com, but am not sure if after I resolve google.com for the first time, it will be simply tracking an arbitrary server (or some load balancer).
I wanted to see what experienced folks think is a reliable tracking target. Any comments are much appreciated.
thank you,
----- Andrey Gordon [andrey.gordon@gmail.com]
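The two recommendations above, per-target tracks with `delay down 30 up 30` and a `track list boolean or` over several targets, can be seen working on a constructed probe log. This is an added example, not code from the thread or from any IOS implementation; it is a simplified model of the track state machine (a state change is reported only after probes have disagreed with the current state for the whole delay), and the three "root-a/b/c" targets and their loss pattern are made up for the illustration.

```python
from dataclasses import dataclass
@dataclass
class Track:
    """'track N rtr N reachability' + 'delay down D up U' (simplified model): a new
    state is reported only after probes disagree with the current one for 'delay' s."""
    down_delay: int
    up_delay: int
    state: str = "Up"                 # state the routing table sees
    pending: str = ""                 # candidate state waiting out its delay
    pending_since: int = 0

    def observe(self, t: int, probe_ok: bool) -> str:
        measured = "Up" if probe_ok else "Down"
        if measured == self.state:
            self.pending = ""         # probe agrees again: cancel the timer
            return self.state
        if self.pending != measured:  # first disagreeing probe: start timer
            self.pending, self.pending_since = measured, t
        delay = self.down_delay if measured == "Down" else self.up_delay
        if t - self.pending_since >= delay:
            self.state, self.pending = measured, ""
        return self.state

def simulate(probes: dict, frequency: int, down_delay: int, up_delay: int) -> list:
    """Feed per-target probe results (one per 'frequency' seconds) through one
    track each plus a 'track list boolean or'; return the composite's changes."""
    tracks = [Track(down_delay, up_delay) for _ in probes]
    transitions, current = [], "Up"
    for i in range(len(next(iter(probes.values())))):
        t = i * frequency
        for tr, results in zip(tracks, probes.values()):
            tr.observe(t, results[i])
        new = "Up" if any(tr.state == "Up" for tr in tracks) else "Down"  # boolean or
        if new != current:
            transitions.append((t, new))
            current = new
    return transitions

# Constructed probe log: 20 probes at t=0,10,...,190; True = echo reply received.
SHARED_LOSS = {4}                     # t=40: one probe lost on every target
OUTAGE = set(range(10, 16))           # t=100..150: genuine upstream outage
PROBE_OK = {
    "root-a": [i not in SHARED_LOSS | OUTAGE for i in range(20)],
    "root-b": [i not in SHARED_LOSS | OUTAGE for i in range(20)],
    "root-c": [i not in SHARED_LOSS | OUTAGE | {2, 3, 6} for i in range(20)],
}

if __name__ == "__main__":
    print("delay 0: ", simulate(PROBE_OK, 10, 0, 0))    # flaps at t=40/50
    print("delay 30:", simulate(PROBE_OK, 10, 30, 30))  # only the real outage
```

With no delay the default route is withdrawn and reinstalled on the single shared probe loss at t=40; with `delay down 30 up 30` only the real outage moves the composite, and it does so 30 seconds late in each direction, which is the trade-off the delay buys.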
participants (9)
- Andrey Gordon
- Brad Tarratt
- Christopher Morrow
- Curtis Maurand
- Dan White
- Ivan Pepelnjak
- Scott Morris
- Stefan Fouant
- Steven Bellovin