ISP Filter Policies--Effect is what?
I'm trying to figure out to what degree the existence of these policies should be accounted for in a BGP design which includes sites around the world.

I've read through a few of the threads having to do with Verio's Filtering Policy. And I read the policies listed here: http://www.nanog.org/filter.html

Consider the following theoretical scenario:

Site        BGP Advertisement   to ISP
Amsterdam   169.61.201.0/24     AMSISP
Austin      169.61.111.0/24     Genuity & Internap
SanFran     169.61.119.0/24     Genuity & Internap
Tokyo       169.61.202.0/24     TOKISP
Sydney      169.61.156.0/24     SYDISP

1. Since Verio says they would not accept /24 nets drawn from Class B space, I assume this means that they don't insert a /16 into their tables so that the /24 nets appear to Verio customers as unreachable. In this case, a design that wants to extend connectivity to Verio customers (and any other ISP with similar policies) must include a /16 advertisement from at least one of the sites.

2. Suppose a customer of a Verio-like ISP wishes to go to ftp.foo.org. DNS returns 169.61.201.155 (in Amsterdam, see above). Verio passes the traffic to the neighbor it received the /16 advertisement from. At this point, the best thing that could happen is if that neighbor has the /16 and /24 networks in its route table, right? That means, a path exists for that user to the Amsterdam server and the only problem with routing to Amsterdam is that Verio possibly handed the traffic to a sub-optimal neighbor. Am I understanding this issue correctly?

I'm new to BGP. I've tried to get a handle on this issue on my own and by working with Genuity, Internap and Cisco. No disrespect to those companies but each of them had this vague memory of Verio's policy but couldn't really tell me in plain language how it might affect the above scenario. Obviously, I wasn't talking to chief engineers. Someone from the CCIE mailing list suggested I browse the archives of this list, which I did. But I didn't find a clear enough answer to my questions--perhaps because they are too basic to be discussed here or I'm not good at using this list's archive search engine. Either way, any guidance on the above scenario is greatly appreciated.

-BM
Can't comment on Verio's policies but...

> 1. Since Verio says they would not accept /24 nets drawn from Class B space, I assume this means that they don't insert a /16 into their tables so that the /24 nets appear to Verio customers as unreachable. In this case, a design that wants to extend connectivity to Verio customers (and any other ISP with similar policies) must include a /16 advertisement from at least one of the sites.

if you have a /16 why would it be broken down to /24? i would assume the only reason you advertise /24 is because that is the size of your assignment from the NIC, in which case you cannot advertise the /16.

if you do own the /16 then yes of course you can advertise it.

> 2. Suppose a customer of a Verio-like ISP wishes to go to ftp.foo.org. DNS returns 169.61.201.155 (in Amsterdam, see above). Verio passes the traffic to the neighbor it received the /16 advertisement from. At this point, the best thing that could happen is if that neighbor has the /16 and /24 networks in its route table, right? That means, a path exists for that user to the Amsterdam server and the only problem with routing to Amsterdam is that Verio possibly handed the traffic to a sub-optimal neighbor. Am I understanding this issue correctly?

maybe, see above, if they can't advertise the /16 then there's no route. if it's a Verio customer then if Verio don't advertise the /24 then no bgp will propagate and no routes will be valid.

don't forget for traffic going TO the customer the traffic needs to find Verio first and then the next hop will be the customer so Verio won't pass it to anyone.

if it were possible to advertise both via different providers and the other provider accepted the /24 then the Verio routes will be only used where the /24s don't propagate so there will be a shift in traffic to the other provider, if these are both transits so the routes are advertised out then you're not going to get any traffic going over Verio.

I think you're forgetting that inbound packets and outbound packets are independent in finding their way through a network, a bidirectional flow does not mean that in and out go the same way..

in your example above you'll have packets going out nicely balanced but coming back in will just be through the /24 acceptor and not Verio.

Steve
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
On Tue, May 08, 2001, Stephen J. Wilcox wrote:
> if you have a /16 why would it be broken down to /24? i would assume the only reason you advertise /24 is because that is the size of your assignment from the NIC, in which case you cannot advertise the /16.
>
> if you do own the /16 then yes of course you can advertise it.

Not necessarily. I've been in a position where I've had $LARGEBLOCK and I've had to break it into smaller chunks for per-POP customers. The trick there is trying to handle your network being split down the middle and still have traffic flowing to each POP right.

The only real way to do that is to split the /16 up into smaller per-POP chunks and announce them separately. Yes, then you run into provider filtering blackholing you. So, the compromise is to announce the /16 and the /24s that make it up, and bite the bullet.

You're also (possibly) helped by default routes in providers, since the default route catches any routes being ignored due to some form of routing policy. You then just hope that the packet can get to you somehow.

(Default routes are even more fun - have any of you wondered how different the net would be if no one who spoke full BGP had a default route in their network? :-)

Adrian

--
Adrian Chadd
<adrian@creative.net.au>
"How could we possibly use sex to get what we want? Sex _IS_ what we want!" -- Fraser
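The behaviour discussed in the messages above (a provider filtering more-specifics out of Class B space while the covering /16 is also announced) can be modelled as a longest-prefix-match lookup over whatever routes survive the import filter. This is an added example, not part of any poster's message; the filter rule, the one-table-per-provider simplification (no AS paths or defaults) and the choice of Austin as the /16 origin are assumptions.

```python
import ipaddress

# Former Class B space (128.0.0.0 - 191.255.255.255).
CLASS_B = ipaddress.ip_network("128.0.0.0/2")

# Constructed from the thread's scenario; the /16 origin site is an assumption.
ANNOUNCEMENTS = [
    ("169.61.201.0/24", "Amsterdam"),
    ("169.61.111.0/24", "Austin"),
    ("169.61.119.0/24", "SanFran"),
    ("169.61.202.0/24", "Tokyo"),
    ("169.61.156.0/24", "Sydney"),
    ("169.61.0.0/16", "Austin"),
]

def class_b_filter(prefix):
    """Hypothetical import policy: in Class B space, drop anything longer than /16."""
    return not (prefix.subnet_of(CLASS_B) and prefix.prefixlen > 16)

def accept_all(prefix):
    return True

def build_table(announcements, policy):
    """Keep only the announcements the import policy accepts."""
    nets = ((ipaddress.ip_network(c), site) for c, site in announcements)
    return {net: site for net, site in nets if policy(net)}

def lookup(table, address):
    """Longest-prefix match; None means no covering route (traffic is dropped)."""
    addr = ipaddress.ip_address(address)
    matches = [p for p in table if addr in p]
    if not matches:
        return None
    best = max(matches, key=lambda p: p.prefixlen)
    return str(best), table[best]

def compare(address, announcements=ANNOUNCEMENTS):
    """Route chosen by a filtering provider versus a non-filtering one."""
    return {
        "filtering": lookup(build_table(announcements, class_b_filter), address),
        "unfiltered": lookup(build_table(announcements, accept_all), address),
    }

if __name__ == "__main__":
    dst = "169.61.201.155"  # address from the original question
    print("with /16:   ", compare(dst))
    print("without /16:", compare(dst, ANNOUNCEMENTS[:-1]))
```

Behind the filter the packet follows the /16 toward its originating site, which must then be able to carry it on to Amsterdam; with no /16 announced, the filtering provider has no route at all.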
Tue, May 08, 2001 at 05:35:21PM +0100, Stephen J. Wilcox:
> Can't comment on Verio's policies but...
>
> > 1. Since Verio says they would not accept /24 nets drawn from Class B space, I assume this means that they don't insert a /16 into their tables so that the /24 nets appear to Verio customers as unreachable. In this case, a design that wants to extend connectivity to Verio customers (and any other ISP with similar policies) must include a /16 advertisement from at least one of the sites.
>
> if you have a /16 why would it be broken down to /24? i would assume the only reason you advertise /24 is because that is the size of your assignment from the NIC, in which case you cannot advertise the /16.
>
> if you do own the /16 then yes of course you can advertise it.

s/can/should/

> > 2. Suppose a customer of a Verio-like ISP wishes to go to ftp.foo.org. DNS returns 169.61.201.155 (in Amsterdam, see above). Verio passes the traffic to the neighbor it received the /16 advertisement from. At this point, the best thing that could happen is if that neighbor has the /16 and /24 networks in its route table, right? That means, a path exists for that user to the Amsterdam server and the only problem with routing to Amsterdam is that Verio possibly handed the traffic to a sub-optimal neighbor. Am I understanding this issue correctly?
>
> maybe, see above, if they can't advertise the /16 then there's no route. if it's a Verio customer then if Verio don't advertise the /24 then no bgp will propagate and no routes will be valid.

no allocations have been made by RIRs in B space longer than /16, so they have the /16 to announce.

> don't forget for traffic going TO the customer the traffic needs to find Verio first and then the next hop will be the customer so Verio won't pass it to anyone.
>
> if it were possible to advertise both via different providers and the other provider accepted the /24 then the Verio routes will be only used where the /24s don't propagate so there will be a shift in traffic to the other provider, if these are both transits so the routes are advertised out then you're not going to get any traffic going over Verio.
>
> I think you're forgetting that inbound packets and outbound packets are independent in finding their way through a network, a bidirectional flow does not mean that in and out go the same way..
>
> in your example above you'll have packets going out nicely balanced but coming back in will just be through the /24 acceptor and not Verio.
>
> Steve
On Tue, 8 May 2001, Stephen J. Wilcox wrote:
> if you have a /16 why would it be broken down to /24? i would assume the only reason you advertise /24 is because that is the size of your assignment from the NIC, in which case you cannot advertise the /16.
>
> if you do own the /16 then yes of course you can advertise it.

Stephen, you neglected to look at the big picture. The "organization" has the /16 but has sites spread out all over the planet and has assigned /24's to them. Additionally, they connect into the global net via diverse providers.

<snip>
> Site        BGP Advertisement   to ISP
> Amsterdam   169.61.201.0/24     AMSISP
> Austin      169.61.111.0/24     Genuity & Internap
> SanFran     169.61.119.0/24     Genuity & Internap
> Tokyo       169.61.202.0/24     TOKISP
> Sydney      169.61.156.0/24     SYDISP
--- John Fraizer EnterZone, Inc
On Tue, 8 May 2001, John Fraizer wrote:
> On Tue, 8 May 2001, Stephen J. Wilcox wrote:
> > if you have a /16 why would it be broken down to /24? i would assume the only reason you advertise /24 is because that is the size of your assignment from the NIC, in which case you cannot advertise the /16.
> >
> > if you do own the /16 then yes of course you can advertise it.
>
> Stephen, you neglected to look at the big picture. The "organization" has the /16 but has sites spread out all over the planet and has assigned /24's to them. Additionally, they connect into the global net via diverse providers.

Ah, I got -snip- happy there :) in that case I would question the logic of being given a large address block only to break it into pieces all over the world. I'd wonder why they don't take address space from a regional provider - if it's only /24 it can't be that mission critical for bgp and multihoming...
-- Stephen J. Wilcox IP Services Manager, Opal Telecom http://www.opaltelecom.co.uk/ Tel: 0161 222 2000 Fax: 0161 222 2008
On Tue, 8 May 2001, Stephen J. Wilcox wrote:
[snip]
> Ah, I got -snip- happy there :) in that case I would question the logic of being given a large address block only to break it into pieces all over the world.
>
> I'd wonder why they don't take address space from a regional provider - if it's only /24 it can't be that mission critical for bgp and multihoming...

Umm.. There are root nameservers on blocks smaller than a /24.
This discussion is basically correct. Some comments:

1) You always want to advertise the entire block (in this case, a /16). If you don't own the entire block, then you should have a relationship with the BGP originator of the block advertisement such that you can receive traffic from them where you expect it (if, for example, your AS is not really "well connected".)

2) There is no substitute for looking at things in the real world. To understand how filtering works and routes propagate, I suggest two resources:

University of Oregon Route Views Project
http://antc.uoregon.edu/route-views
telnet route-views.oregon-ix.net

The route-views.oregon-ix.net router receives BGP from all but a few of the major backbones and an assortment of others as well. You can query that router to see who hears what routes. I was able to verify, for example that Verio filters all Class B subnets (including /18, for example).

Traceloop (I am affiliated)
http://www.traceloop.com

The Traceloop network is basically a searchable community of traceroute servers. You'll have to sign up to get a personal login, since the Guest Login doesn't have all the features that you'll want. If you type "AS2914" in the search field (for example), you'll get a list of test points in Verio's AS (although the formatting is poor). If you type "www.verio.net" in the search field, you'll get a list of test points in Verio's AS and some that use Verio for outbound routes, too. By choosing test points in various AS's, you can see how traffic is actually routed.

-steve

Dashbit -- The Leader In Internet Topology
www.dashbit.com www.traceloop.com

On Tue, 8 May 2001, Murphy, Brennan wrote:
> I'm trying to figure out to what degree the existence of these policies should be accounted for in a BGP design which includes sites around the world.
>
> I've read through a few of the threads having to do with Verio's Filtering Policy. And I read the policies listed here: http://www.nanog.org/filter.html
>
> Consider the following theoretical scenario:
>
> Site        BGP Advertisement   to ISP
> Amsterdam   169.61.201.0/24     AMSISP
> Austin      169.61.111.0/24     Genuity & Internap
> SanFran     169.61.119.0/24     Genuity & Internap
> Tokyo       169.61.202.0/24     TOKISP
> Sydney      169.61.156.0/24     SYDISP
>
> 1. Since Verio says they would not accept /24 nets drawn from Class B space, I assume this means that they don't insert a /16 into their tables so that the /24 nets appear to Verio customers as unreachable. In this case, a design that wants to extend connectivity to Verio customers (and any other ISP with similar policies) must include a /16 advertisement from at least one of the sites.
>
> 2. Suppose a customer of a Verio-like ISP wishes to go to ftp.foo.org. DNS returns 169.61.201.155 (in Amsterdam, see above). Verio passes the traffic to the neighbor it received the /16 advertisement from. At this point, the best thing that could happen is if that neighbor has the /16 and /24 networks in its route table, right? That means, a path exists for that user to the Amsterdam server and the only problem with routing to Amsterdam is that Verio possibly handed the traffic to a sub-optimal neighbor. Am I understanding this issue correctly?
>
> I'm new to BGP. I've tried to get a handle on this issue on my own and by working with Genuity, Internap and Cisco. No disrespect to those companies but each of them had this vague memory of Verio's policy but couldn't really tell me in plain language how it might affect the above scenario. Obviously, I wasn't talking to chief engineers. Someone from the CCIE mailing list suggested I browse the archives of this list, which I did. But I didn't find a clear enough answer to my questions--perhaps because they are too basic to be discussed here or I'm not good at using this list's archive search engine. Either way, any guidance on the above scenario is greatly appreciated.
>
> -BM
participants (7)
- Adrian Chadd
- Greg Maxwell
- John Fraizer
- john heasley
- Murphy, Brennan
- Stephen J. Wilcox
- Steve Schaefer