Strange practices?
Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
Thanks
-Bill
* Dale Cornman:
> I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
The 6to4 anycast gateway RFC practically mandates this, and it does work when you're doing anycast. But with static routes, you cannot handle some failure scenarios, and that is usually a good reason to stay away from such setups. Of course, in the world of real routers, there might be constraints such as lack of memory or processing power to handle BGP. 8-/
I would say partitioning into two AS's like this is not a good thing. I wouldn't consider it a valid design myself, and would avoid it if possible.
If one of the AS's that is announcing the block, originates any traffic into the other AS for that block, the traffic will drop. I realize this ideally should not happen, but BGP uses arbitrary metrics, and people turn a lot of knobs, which makes weird things happen.
If someone were doing this themselves, I would say at least use a GRE tunnel with an iBGP link between the sites, but you're not going to get that out of these providers, so it's going to remain partitioned which should be thought through well as there may be issues with this.
Brian
On Jun 7, 2010, at 4:59 PM, Florian Weimer wrote:
> * Dale Cornman:
> > I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
> The 6to4 anycast gateway RFC practically mandates this, and it does work when you're doing anycast. But with static routes, you cannot handle some failure scenarios, and that is usually a good reason to stay away from such setups. Of course, in the world of real routers, there might be constraints such as lack of memory or processing power to handle BGP. 8-/
Let me recant on what I said. I re-read and had myself confused (apologies). I see that the providers are using their own AS's. I still would not do this if it could be avoided, but the traffic won't be dropped like I had said, in the way I was thinking. What I was thinking was a case where the same AS is announcing from two sites, which are not connected via iBGP. In that case default behavior is that the AS drops traffic from its own AS as this is how eBGP accomplishes loop prevention. In the case that is being described this won't happen since each provider is using its own AS to announce from.
Brian
On Jun 7, 2010, at 5:05 PM, Brian Feeny wrote:
> I would say partitioning into two AS's like this is not a good thing. I wouldn't consider it a valid design myself, and would avoid it if possible.
> If one of the AS's that is announcing the block, originates any traffic into the other AS for that block, the traffic will drop. I realize this ideally should not happen, but BGP uses arbitrary metrics, and people turn a lot of knobs, which makes weird things happen.
> If someone were doing this themselves, I would say at least use a GRE tunnel with an iBGP link between the sites, but you're not going to get that out of these providers, so it's going to remain partitioned which should be thought through well as there may be issues with this.
> Brian
> On Jun 7, 2010, at 4:59 PM, Florian Weimer wrote:
> > * Dale Cornman:
> > > I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
> > The 6to4 anycast gateway RFC practically mandates this, and it does work when you're doing anycast. But with static routes, you cannot handle some failure scenarios, and that is usually a good reason to stay away from such setups. Of course, in the world of real routers, there might be constraints such as lack of memory or processing power to handle BGP. 8-/
On Mon, Jun 07, 2010 at 03:50:25PM -0500, Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?
Yes; tends to happen for clueless endpoints or providers who don't expressly require BGP for multihoming.
> One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
MOAS prefixes are common in some content-origination applications, but since you never know what the rest of the universe is going to do in their routing & forwarding decisions, it really isn't generally applicable.
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Have seen it a few times -- usually with enterprise customers who are unable to manage their own routers and one ISP which has problems configuring BGP on their client facing equipment.
Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
> Thanks
> -Bill
It's going to show inconsistent AS which some people may not like, but that's just ugly not broken. As the customer, it means your outgoing path selection is probably being made on the basis of some non-global attribute, and the return path is entirely at the mercy of your two ISPs... I wouldn't do that because the alternatives are better and not exactly a lot of work, but will it work? yes.
joel
On 2010-06-07 13:50, Dale Cornman wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
> Thanks
> -Bill
On Mon, Jun 7, 2010 at 13:50, Dale Cornman <bstymied@gmail.com> wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
> Thanks
> -Bill
So if the enterprise loses connectivity to one of these two providers, does the provider without working connectivity to the enterprise have a mechanism in place to cease originating the address space?
-Bill
"Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?"
As stated before...yes this is a common practice.
"One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well."
Yes, one ISP owns the block, both will aggregate the blocks and announce the blocks to the global internet. BGP attributes will shape best path for routing; i.e., AS-PATH, ORIGIN, LOCAL PREF. MEDS should take care of "leaking" routes.
So, is this design scheme viable? Yes, it is.
~Jay Murphy
IP Network Specialist
NM State Government
IT Services Division
PSB – IP Network Management Center
Santa Fé, New México 87505
"We move the information that moves your world."
"Good engineering demands that we understand what we're doing and why, keep an open mind, and learn from experience."
"Engineering is about finding the sweet spot between what's solvable and what isn't." Radia Perlman
Please consider the environment before printing e-mail
-----Original Message-----
From: Dale Cornman [mailto:bstymied@gmail.com]
Sent: Monday, June 07, 2010 2:50 PM
To: nanog@nanog.org
Subject: Strange practices?
Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
Thanks
-Bill
Confidentiality Notice: This e-mail, including all attachments is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited unless specifically provided under the New Mexico Inspection of Public Records Act. If you are not the intended recipient, please contact the sender and destroy all copies of this message.
--
This email has been scanned by the Sybari - Antigen Email System.
On 2010.06.07 17:49, Murphy, Jay, DOH wrote:
> "Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?"
> As stated before...yes this is a common practice.
> "One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well."
> Yes, one ISP owns the block, both will aggregate the blocks and announce the blocks to the global internet. BGP attributes will shape best path for routing; i.e., AS-PATH, ORIGIN, LOCAL PREF. MEDS should take care of "leaking" routes.
> So, is this design scheme viable? Yes, it is.
I understood the OP's question as one of concern. It sounds to me like one of their ISPs can't/won't/doesn't know how to configure a client-facing BGP session. I've run into this before, and it was due to a lack of understanding/clue of how to peer with a multi-homed client when the client didn't have their own ASN. If that is the case, then I'd be concerned about situations where the link goes down, but the advertisement is not removed from their DFZ-facing sessions, possibly causing a black hole for traffic transiting that ISP. The work involved in co-ordinating two ISPs to detect and protect against this type of situation is far more difficult than just configuring BGP from the client out (imho).
Steve
Yes, the customer has an AS number, it's just from the private AS number block, e.g. AS 65000... when the block is routed to the AS running BGP, it is tagged with that ISP's public AS number, and announced to the world in this manner.
OK, acknowledged.
Clarify, "transiting"? Do you mean one ISP acts as a transit routing domain for another, or for traffic that "traverses" this particular ISP, which one?
~Jay Murphy
-----Original Message-----
From: Steve Bertrand [mailto:steve@ipv6canada.com]
Sent: Monday, June 07, 2010 4:00 PM
To: Murphy, Jay, DOH
Cc: Dale Cornman; nanog@nanog.org
Subject: Re: Strange practices?
On 2010.06.07 17:49, Murphy, Jay, DOH wrote:
> "Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP?"
> As stated before...yes this is a common practice.
> "One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well."
> Yes, one ISP owns the block, both will aggregate the blocks and announce the blocks to the global internet. BGP attributes will shape best path for routing; i.e., AS-PATH, ORIGIN, LOCAL PREF. MEDS should take care of "leaking" routes.
> So, is this design scheme viable? Yes, it is.
I understood the OP's question as one of concern. It sounds to me like one of their ISPs can't/won't/doesn't know how to configure a client-facing BGP session. I've run into this before, and it was due to a lack of understanding/clue of how to peer with a multi-homed client when the client didn't have their own ASN. If that is the case, then I'd be concerned about situations where the link goes down, but the advertisement is not removed from their DFZ-facing sessions, possibly causing a black hole for traffic transiting that ISP. The work involved in co-ordinating two ISPs to detect and protect against this type of situation is far more difficult than just configuring BGP from the client out (imho).
Steve
On 2010.06.07 18:10, Murphy, Jay, DOH wrote:
> Yes, the customer has an AS number, it's just from the private AS number block, e.g. AS 65000... when the block is routed to the AS running BGP, it is tagged with that ISP's public AS number, and announced to the world in this manner.
...but the OP stated that he doesn't do any BGP with either upstream, and instead relies on the upstreams to statically route the block to him. I was getting at the usage of private-AS in my last post. Perhaps I'm misunderstanding something.
> Clarify, "transiting"?
The OP has two 'transit' providers, neither of which he has a BGP session established. Both of his upstream ISPs provide transit for him to the wider Internet.
> Do you mean one ISP acts as a transit routing domain for another, or for traffic that "traverses" this particular ISP, which one?
Traverses. i.e. my upstream providers provide 'transit' services for networks that I advertise to them, however, I don't allow any of my peers to 'transit' my network.
Steve
Hi,
On Tue, Jun 8, 2010 at 6:50 AM, Dale Cornman <bstymied@gmail.com> wrote:
> Has anyone ever heard of a multi-homed enterprise not running bgp with either of 2 providers, but instead, each provider statically routes a block to their common customer and also each originates this block in BGP? One of the ISP's in this case owns the block and has even provided a letter of authorization to the other, allowing them to announce it in BGP as well. I had personally never heard of this and am curious if this is a common practice
I have seen it quite often. It allows an enterprise to be multihomed w/o getting PI or PA address space so they are usually pretty happy with it.
> as well as if this would potentially create any problems by 2 Autonomous Systems both originating the same prefix.
AFAIR prefixes can be originated by more than one AS so there shouldn't be any issues.
--
SY, Jen Linkova aka Furry
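
Added example, not part of any message in this thread: a sketch of the check an operator could run over collected BGP announcements to tell an authorised multi-origin (MOAS) prefix, such as the LOA-backed case in the original question, from an origin nobody signed off on. The routes, the documentation-range prefixes and ASNs, and the `AUTHORISED` register are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "prefix|AS path" lines as seen from several vantage points.
SAMPLE_ROUTES = """\
192.0.2.0/24|64500 64496
192.0.2.0/24|64501 64502 64497
192.0.2.0/24|64503 64496
198.51.100.0/24|64500 64498
198.51.100.0/24|64501 64499
203.0.113.0/24|64500 64510
203.0.113.0/24|64503 64502 64510
"""

# Hypothetical LOA register: prefix -> origin ASNs allowed to announce it.
AUTHORISED = {
    "192.0.2.0/24": {64496, 64497},   # owner plus the second ISP named in the LOA
    "198.51.100.0/24": {64498},
}

def origins_by_prefix(text):
    """Map each announced prefix to the set of origin ASNs seen for it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        prefix, sep, path = line.strip().partition("|")
        hops = path.split()
        if not sep or not hops:
            continue                      # blank or malformed line
        origin = hops[-1]                 # origin AS is the last hop of the path
        if not origin.isdigit():
            continue                      # AS_SET such as {64496,64497}: no single origin
        net = ipaddress.ip_network(prefix.strip())  # raises ValueError on a bad prefix
        seen[str(net)].add(int(origin))
    return seen

def classify(text, authorised):
    """Report every MOAS prefix and whether all of its origins are authorised."""
    report = {}
    for prefix, origins in origins_by_prefix(text).items():
        if len(origins) < 2:
            continue                      # single origin: not MOAS
        unexpected = origins - authorised.get(prefix, set())
        report[prefix] = {
            "origins": sorted(origins),
            "unexpected": sorted(unexpected),
            "status": "unexpected-origin" if unexpected else "authorised-moas",
        }
    return report

if __name__ == "__main__":
    for prefix, entry in classify(SAMPLE_ROUTES, AUTHORISED).items():
        print(prefix, entry)
```

This only answers who is originating the prefix; it says nothing about whether a statically originating provider still has a working link to the customer, which is the black-hole concern raised earlier in the thread.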
participants (10)
- Bill Fehring
- Brian Feeny
- Dale Cornman
- Florian Weimer
- Jen Linkova
- Joe Provo
- joel jaeggli
- Murphy, Jay, DOH
- sjk
- Steve Bertrand