I asked this question on inet-access and it was suggested I try NANOG. I understand BGP flapping to be announcements followed by withdraws over a short period. I am seeing a peer with a large number of announcements and the normal number of withdraws. Is there a term to describe what I am seeing? I'd like to understand what is happening, but I've been looking for more info and can't seem to find anything. I suspect I am just not using the right words to search. If there isn't a term, why would a peer announce thousands of time an hour with very few withdraws?
On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote:
I asked this question on inet-access and it was suggested I try NANOG.
I understand BGP flapping to be announcements followed by withdraws over a short period. I am seeing a peer with a large number of announcements and the normal number of withdraws. Is there a term to describe what I am seeing? I'd like to understand what is happening, but I've been looking for more info and can't seem to find anything. I suspect I am just not using the right words to search.
If there isn't a term, why would a peer announce thousands of time an hour with very few withdraws?
There is a term, it's called "broken". A peer should never announce a route it has already announced unless that route is withdrawn. (If the session goes down or is reset, that counts as a withdrawal.) -- TTFN, patrick
At the risk of sounding like a total moron, can anyone explain what is happening here? This is from RIS, specifically RRC00. Here is some sample output of route_btoa from this file: http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz <snip> BGP4MP|1131251415|STATE|193.0.0.56|3333|1|2 BGP4MP|1131251415|STATE|193.0.0.56|3333|2|4 BGP4MP|1131251415|STATE|193.0.0.56|3333|4|5 BGP4MP|1131251415|STATE|193.0.0.56|3333|5|6 BGP4MP|1131251415|A|193.0.0.56|3333|8.11.252.0/23|3333 3356 11168|IGP|193.0.0.56|0|0||NAG|| BGP4MP|1131251415|A|193.0.0.56|3333|8.11.254.0/23|3333 3356 11168|IGP|193.0.0.56|0|0||NAG|| BGP4MP|1131251415|A|193.0.0.56|3333|8.10.241.0/24|3333 1103 1273 6395 22324 22324|IGP|193.0.0.56|0|0||NAG|| BGP4MP|1131251415|A|193.0.0.56|3333|8.15.2.0/24|3333 6320 8001 6395 26049 26049 26049 26049|IGP|193.0.0.56|0|0||NAG|| </snip> I understand AS3333 is RIS itself, is this some kind of misconfig on their end? It seems to be announcing it's entire table every 5 minutes. This started late Friday and ended a few hours ago. On 11/6/05, Patrick W. Gilmore <patrick@ianai.net> wrote:
On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote:
I asked this question on inet-access and it was suggested I try NANOG.
I understand BGP flapping to be announcements followed by withdraws over a short period. I am seeing a peer with a large number of announcements and the normal number of withdraws. Is there a term to describe what I am seeing? I'd like to understand what is happening, but I've been looking for more info and can't seem to find anything. I suspect I am just not using the right words to search.
If there isn't a term, why would a peer announce thousands of time an hour with very few withdraws?
There is a term, it's called "broken".
A peer should never announce a route it has already announced unless that route is withdrawn. (If the session goes down or is reset, that counts as a withdrawal.)
-- TTFN, patrick
I understand BGP flapping to be announcements followed by withdraws over a short period. I am seeing a peer with a large number of announcements and the normal number of withdraws. Is there a term to describe what I am seeing? I'd like to understand what is happening, but I've been looking for more info and can't seem to find anything. I suspect I am just not using the right words to search.
If there isn't a term, why would a peer announce thousands of time an hour with very few withdraws?
There is a term, it's called "broken".
A peer should never announce a route it has already announced unless that route is withdrawn. (If the session goes down or is reset, that counts as a withdrawal.)
There's another term for that behavior. It's called "compliant". There are a number of good implementation reasons why it is reasonable for an implementation to announce a route that it has already announced (e.g., peer groups). Admittedly announcing thousands of times an hour does NOT seem reasonable, but 'never' is not a requirement of the BGP spec either. Tony
A peer should never announce a route it has already announced unless that route is withdrawn.
one of many counterexamples: change in igp will cause change in med. any attribute changes, and announcement is required. e.g., an internal igp oscillation could cause what the op describes. randy
At 9:44 AM -1000 11/6/05, Randy Bush wrote:
A peer should never announce a route it has already announced unless that route is withdrawn.
one of many counterexamples: change in igp will cause change in med. any attribute changes, and announcement is required.
e.g., an internal igp oscillation could cause what the op describes.
For the OP, http://www.ietf.org/rfc/rfc3345.txt
On Nov 7, 2005, at 8:32 AM, Howard C. Berkowitz wrote:
At 9:44 AM -1000 11/6/05, Randy Bush wrote:
A peer should never announce a route it has already announced unless that route is withdrawn.
one of many counterexamples: change in igp will cause change in med. any attribute changes, and announcement is required.
e.g., an internal igp oscillation could cause what the op describes.
For the OP, http://www.ietf.org/rfc/rfc3345.txt
I give good odds this is not the oscillation issue. More likely a flapping IGP link and a lack of pull-up use (or pull-ups not installed such that link flaps would be non external impacting) etc... I like pull-ups on all core devices personally...
participants (6)
-
Blaine Christian
-
Howard C. Berkowitz
-
NetSecGuy
-
Patrick W. Gilmore
-
Randy Bush
-
Tony Li