Re: AS path question.
--- jbates@brightok.net wrote: From: Jack Bates <jbates@brightok.net> On 11/10/2010 5:44 PM, Scott Weeks wrote:
Do you think (or is there evidence) that very many ASs use maxas-limit type commands? I have never used it and never had any problems...
: ...but just to be safe I added it to all my routers. I don't know where I came up with the magical 75 number, but it definitely seems reasonable that anything with 75+ ASNs in the path probably doesn't deserve to be in my table.
------------------------------------------------------------------------

Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?

scott
On 11/10/2010 7:25 PM, Scott Weeks wrote:
Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?
Wasn't that it made me feel safe, but I do have to worry about my downstream customers who did exhibit the bug. As a provider, it falls within my goals to limit damage that might occur downstream in my customers' networks. Any time a bug in BGP that can be passed along rears its ugly head, I take notice and see what changes I might need to make to protect my downstream customers. To date, I haven't seen any of them affect my routers. I have also looked into issues with dampening, as I don't generally dampen myself, but some of the downstream BGP routers can't handle the processor load when things become extremely unstable.

Jack
On 11/11/2010 01:25, Scott Weeks wrote:
Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?
In theory, nothing. In practice:

http://www.cisco.com/en/US/products/products_security_advisory09186a0080af15...
https://bugzilla.quagga.net/show_bug.cgi?id=396
http://tools.cisco.com/security/center/viewAlert.x?alertId=17670

It's one of those belt+braces things that's now considered good practice.

Nick
On 11/11/2010 03:03, Nick Hilliard wrote:
On 11/11/2010 01:25, Scott Weeks wrote:
Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?
In theory, nothing. In practice:
I admit it. I'm feeling smug today. Nick
If it's not a private AS, and it is the one that I own, who cares? AS-Path is the best mandatory value that is completely within my control to manipulate, which explains its proliferation in the network. I'd rather do it myself than have to rely on someone else. That being said, I've found that more vendors are manipulating local preference values themselves, but offer local preference and other attributes to be set upstream. Which now has shifted the de-facto standards of MED and AS-PATH to the back burner.

Sincerely,

Brian A. Rettke
RHCT, CCDP, CCNP, CCIP
Network Engineer, CableONE Internet Services

-----Original Message-----
From: Scott Weeks [mailto:surfer@mauigateway.com]
Sent: Wednesday, November 10, 2010 6:26 PM
To: nanog@nanog.org
Subject: Re: AS path question.

--- jbates@brightok.net wrote: From: Jack Bates <jbates@brightok.net> On 11/10/2010 5:44 PM, Scott Weeks wrote:
Do you think (or is there evidence) that very many ASs use maxas-limit type commands? I have never used it and never had any problems...
: ...but just to be safe I added it to all my routers. I don't know where I came up with the magical 75 number, but it definitely seems reasonable that anything with 75+ ASNs in the path probably doesn't deserve to be in my table.
------------------------------------------------------------------------

Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?

scott
On Wed, 10 Nov 2010, Scott Weeks wrote:
Why did that make you feel safe? Other than a bug, and ignorance of BGP, what is unsafe about a lotta prepends?
Ignorance of BGP? There's a known cisco bug that causes BGP session resets when an as-path length exceeds 255. I've been running with bgp maxas-limit 75 for years as a "just in case there are other bugs & I find it very hard to believe anyone legitimately needs an as-path length anywhere near that long". Worst case, someone is silly with their number of prepends, we don't see their route. I can't say how long I've been doing this...it predates our rancid setup, which means >6 years. Though it's caused numerous dropped routes, it hasn't generated a single complaint.

In your opinion, is filtering of BGP routes based on prefix length also a sign of ignorance? Everyone should just be letting all the crap through?

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
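Jon's and Jack's posts above describe a maxas-limit of 75 and the session-reset bug triggered by AS_PATHs longer than 255. The following is an added example, written for this archive page and not code from any poster or vendor: it counts AS_PATH length the way a maxas-limit style check would and reports which entries of a routing-table dump a given limit would reject, so an operator can see what would be dropped before turning the knob on. The prefixes, ASNs and the `prefix as-path` dump format are constructed for the example; the rule that prepends and every ASN inside an AS_SET each count once is an assumption stated in the code, since vendor implementations may count AS_SETs differently.

```python
"""Added example: maxas-limit style audit of a constructed BGP table dump.

Not code from the thread or from any router vendor. It shows which routes a
given AS_PATH length limit would reject and which are long enough to have hit
the historical >255 session-reset bug mentioned in the thread.
"""

import re
from dataclasses import dataclass

# Values taken from the thread: Jon Lewis and Jack Bates both run a limit of
# 75; the Cisco bug Jon mentions triggered at AS_PATH lengths over 255.
MAXAS_LIMIT = 75
BUG_TRIGGER_LENGTH = 255


@dataclass
class PathCheck:
    prefix: str
    as_path: str
    length: int     # number of ASN entries counted, prepends included
    drop: bool      # would a maxas-limit of `limit` reject this route?
    over_255: bool  # long enough to have triggered the >255 session-reset bug


def as_path_length(as_path: str) -> int:
    """Count ASNs in a textual AS_PATH such as '64496 64497 64497 {64501 64502}'.

    Assumption (not from the thread): each prepended copy counts once and every
    ASN inside an AS_SET ({...}) is counted, i.e. the strict reading of how many
    ASN entries a router has to store. Vendor maxas-limit semantics may differ.
    """
    return len(re.findall(r"\d+", as_path))


def check_route(prefix: str, as_path: str, limit: int = MAXAS_LIMIT) -> PathCheck:
    """Evaluate one route against the limit and the known bug threshold."""
    n = as_path_length(as_path)
    return PathCheck(prefix, as_path, n, drop=n > limit, over_255=n > BUG_TRIGGER_LENGTH)


def audit_table(lines, limit: int = MAXAS_LIMIT):
    """Parse 'prefix  as-path' lines (a simplified, constructed dump format;
    '#' lines are comments) and return a PathCheck for every route."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, path = line.partition(" ")
        results.append(check_route(prefix, path.strip(), limit))
    return results


def would_be_dropped(lines, limit: int = MAXAS_LIMIT):
    """Only the routes the limit would reject, in table order."""
    return [r for r in audit_table(lines, limit) if r.drop]


# Constructed sample table: documentation prefixes and private-range ASNs, not
# real routes. A normal path, a heavily prepended one, one with an AS_SET, and
# one long enough to have tripped the >255 bug.
SAMPLE_TABLE = [
    "# prefix          as-path",
    "192.0.2.0/24       64496 64497 64498",
    "198.51.100.0/24    64496 " + " ".join(["64499"] * 80),
    "203.0.113.0/24     64496 64500 {64501 64502}",
    "2001:db8::/32      64496 " + " ".join(["64503"] * 260),
]

if __name__ == "__main__":
    for r in audit_table(SAMPLE_TABLE):
        flag = "DROP" if r.drop else "ok  "
        bug = "  (>255: would have hit the session-reset bug)" if r.over_255 else ""
        print(f"{flag} {r.prefix:18} len={r.length}{bug}")
```

Running it with the sample table marks the 81-hop and 261-hop routes as dropped at a limit of 75 and flags only the latter as over 255; raising `limit` shows how many of the rejections were the limit's doing rather than the bug's, which is the trade-off Jon describes (silently losing a route versus a session reset).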
it very hard to believe anyone legitimately needs an as-path length anywhere near that long". Worst case, someone is silly with their number of prepends, we don't see their route. I can't say how long I've been doing this...it predates our rancid setup, which means >6 years. Though it's caused numerous dropped routes, it hasn't generated a single complaint.
In your opinion, is filtering of BGP routes based on prefix length also a sign of ignorance? Everyone should just be letting all the crap through?
There is the argument that anyone with that many prepends doesn't really want you to see that route anyway and if anything changed on their end where they really wanted people to see the route and use it, they would reduce the prepends.
On Wed, 10 Nov 2010 21:35:50 EST, Jon Lewis said:
anywhere near that long". Worst case, someone is silly with their number of prepends, we don't see their route. I can't say how long I've been doing this...it predates our rancid setup, which means >6 years. Though it's caused numerous dropped routes, it hasn't generated a single complaint.
Ezzactly. Of course, the victim of the dropped route has no easy way to figure out that you've dropped his route, and continues to cruise along oblivious to what happened...
On Thu, 11 Nov 2010 Valdis.Kletnieks@vt.edu wrote:
On Wed, 10 Nov 2010 21:35:50 EST, Jon Lewis said:
anywhere near that long". Worst case, someone is silly with their number of prepends, we don't see their route. I can't say how long I've been doing this...it predates our rancid setup, which means >6 years. Though it's caused numerous dropped routes, it hasn't generated a single complaint.
Ezzactly. Of course, the victim of the dropped route has no easy way to figure out that you've dropped his route, and continues to cruise along oblivious to what happened...
Unless they actually want to talk to one of our customers or one of our customers wants to talk to them.

Speaking of prepends, what's the community opinion on prepending someone else's ASN on your routes for TE purposes if you're announcing routes you don't want certain AS's to see, but don't have a communities knob that works for those networks? I was pretty negative on the idea until I was in the situation of having a working knob taken away. Nobody's complaining about it...probably not even noticing it.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
On 11/11/2010 6:31 AM, Jon Lewis wrote:
Speaking of prepends, what's the community opinion on prepending someone else's ASN on your routes for TE purposes if you're announcing routes you don't want certain AS's to see, but don't have a communities knob that works for those networks? I was pretty negative on the idea until I was in the situation of having a working knob taken away. Nobody's complaining about it...probably not even noticing it.
Per usual, I'm some people look on it with distaste, though I feel that is an emotional response and not a technical viewpoint, as it is a perfect way of handling hinge case workarounds that are usually temporary in nature.

Jack
participants (7)
- George Bonser
- Jack Bates
- Jon Lewis
- Nick Hilliard
- Rettke, Brian
- Scott Weeks
- Valdis.Kletnieks@vt.edu