Re: "Tactical" /24 announcements
On Thu, Aug 12, 2021 at 9:41 AM Hank Nussbacher <hank@interall.co.il> wrote:
On 12/08/2021 17:59, William Herrin wrote:
If you prune the routes from the Routing Information Base instead, for any widely accepted size (i.e. /24 or shorter netmask) you break the Internet.
How does this break the Internet? I would think it would just result in sub-optimal routing (provided there is a covering larger prefix) but everything should continue to work. Clue me in, please.
A originates 10.0.0.0/16 to paid transit C
B originates 10.0.1.0/24 also to paid transit C
C offers both routes to D.
D discards 10.0.1.0/24 from the RIB based on same-next-hop
You peer with A and D. You receive only 10.0.0.0/16 since A doesn't originate 10.0.1.0/24 and D has discarded it.
You send packets for 10.0.1.0/24 to A (the shortest path for 10.0.0.0/16), stealing A's paid transit to C to get to B. Unless A filters C-bound packets purportedly from 10.0.1.0/24. B doesn't currently transit for A so from B's perspective that's not an allowed path. In which case, your path to 10.0.1.0/24 is black holed.
D broke the Internet. If packets from you reach A at all, they do so through an unpermitted path.
Regards, Bill Herrin
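To make the scenario in Bill's message concrete, here is a small added model of it (example code, not anything posted in the thread): A, B, C, D, the two prefixes and the three possible outcomes follow his description; the RIB structures, the AS_PATH tie-break and the filter flag are constructed assumptions.

```python
import ipaddress

# Constructed topology from the thread: A originates 10.0.0.0/16 and B
# originates 10.0.1.0/24, both to paid transit C; D takes both routes from C;
# "you" peer with A and with D.
NET16 = ipaddress.ip_network("10.0.0.0/16")
NET24 = ipaddress.ip_network("10.0.1.0/24")

def d_rib(prune_same_next_hop):
    """D's routes learned from C: (next hop, AS_PATH) per prefix. With the
    'tactical' pruning on, D drops any more-specific whose next hop equals
    its covering prefix's next hop, so the /24 never reaches D's peers."""
    rib = {NET16: ("C", ["C", "A"]), NET24: ("C", ["C", "B"])}
    if not prune_same_next_hop:
        return rib
    return {p: r for p, r in rib.items() if not any(
        o != p and p.subnet_of(o) and rib[o][0] == r[0] for o in rib)}

def your_rib(prune_same_next_hop):
    """Your best paths: A's direct /16 plus whatever D exports (D prepends
    itself), choosing the shortest AS_PATH per prefix (assumed tie-break)."""
    cands = {NET16: [("A", ["A"])]}
    for p, (_, path) in d_rib(prune_same_next_hop).items():
        cands.setdefault(p, []).append(("D", ["D"] + path))
    return {p: min(c, key=lambda x: len(x[1])) for p, c in cands.items()}

def lpm(rib, dst):
    """Longest-prefix match, as the forwarding plane does it."""
    return max((p for p in rib if dst in p), key=lambda p: p.prefixlen)

def deliver(dst, prune_same_next_hop, a_filters_transit_bound):
    """Where a packet you send to dst ends up under the thread's scenario."""
    dst = ipaddress.ip_address(dst)
    rib = your_rib(prune_same_next_hop)
    next_hop, _ = rib[lpm(rib, dst)]
    if next_hop == "D":
        return "delivered via D -> C -> B"
    # The packet went to peer A. A only originates the /16; from A the /24 is
    # reachable solely through A's paid transit C.
    if dst in NET24:
        if a_filters_transit_bound:
            return "black-holed at A (peer traffic bound for transit dropped)"
        return "delivered via A -> C -> B (A's paid transit used for free)"
    return "delivered to A"
```

Running `deliver("10.0.1.7", ...)` with pruning off, on, and on-plus-filtering gives the legitimate path, the transit leak, and the black hole respectively.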
Ok, I apologize, but I have some dumb questions (because I don't BGP anymore):
1) I assume in the scenario that A "owns" (ARIN assignment) 10.0.0.0/16 and if B has a /24 assignment out of the block that A "owns", shouldn't that mean that B has a business relationship with A and some kind of direct connectivity to A?
2) If "no", then why is B using a /24 out of A's block? If A sold or gave the block to B without a connectivity agreement, then A should break up their announcements appropriately to carve the /24 out of their announcement, right?
3) If "yes", then the connectivity wouldn't be broken, right?
TIA for the tutoring and bearing with me.
Regards, Jason K Pope
On Mon, Aug 16, 2021 at 7:10 AM Jason Pope <boards188@gmail.com> wrote:
On Thu, Aug 12, 2021 at 9:41 AM Hank Nussbacher <hank@interall.co.il> wrote:
How does this break the Internet?
Ok, I apologize, but I have some dumb questions (because I don't BGP anymore):
1) I assume in the scenario that A "owns" (ARIN assignment) 10.0.0.0/16 and if B has a /24 assignment out of the block that A "owns", shouldn't that mean that B has a business relationship with A and some kind of direct connectivity to A?
Hi Jason,
Not necessarily. It isn't modern practice but as others have pointed out there have been instances where a customer took an ISP-assigned block with them when they left.
3) If "yes", then the connectivity wouldn't be broken, right?
Not necessarily. You have to consider the route in -all- of the states it can be in, including the one where they're not, at this moment, successfully connected to the ISP which assigned the addresses. I offered a scenario in a prior post where the ISP's peering router carries only locally-originated and customer routes. When the customer loses their connection to the ISP (e.g. cable cut) their route disappears from the peering router. The users of the ISP can still reach it via the origin's alternate Internet connection.
Reciprocal peers of the ISP can also reach it via the broader Internet but can't reach it via the peering connection to the ISP to whom the origin is not currently connected. If they filter the Internet route, the path ends up going to the ISP's peering router where it's black holed.
Regards,
Bill Herrin
--
William Herrin
bill@herrin.us
https://bill.herrin.us/
Broadly speaking, I would say if you announce a prefix to the DFZ, then you are saying "I can deliver anything in this range where it is supposed to go." That being said, there are moments like Bill said that an outage or other issue prevents that from happening, and also circumstances that a lack of competence also creates a problem.
On Mon, Aug 16, 2021 at 12:07 PM William Herrin <bill@herrin.us> wrote: