BGP noise tonight? (fwd)

So who do you blame...the RFC or the vendor that ignores it? Dropping the
session seems to break the "be conservative in what you send and liberal
in what you accept" suggestion. If you know someone else will ignore the
rules (there's always someone) breaking due to their error kind of sucks.

is there a proof of termination of this path?

All prefixes originating from AS2008 disappeared from our feeds at
approx. 9:30pm EDT. About an hour later, I noticed that the prefixes were
back, but no longer carrying the malformed path.

-Chris

Did a lot of folks get affected by this? Any news on what caused the
bogus path?

Anyone have contacts at 2008?

(transit ASes deleted) ?3?64603? 2008

-abha ;)
(an inquiring mind who wants to know... *grin*)

AS3 is MIT; what is the relevance to this problem?

AS64603 is in "reserved" (private) AS space (64512 - 65535).
IMHO could be an internal confederation leaking - any better ideas?

- Rafi

the problem path was not 3, it was '3300 (64603) 2008'. I'm presuming that
the leaking confederation was within AS3300's network.

aut-num: AS3300
as-name: AUCS
descr: AUCS Communications Services v.o.f.
descr: aka Infonet-Europe
descr: The Netherlands

-Chris

As it turns out, both 2008 and 3300 are Infonet, US and Europe. So this
was their foo.

The problem is obviously that the RFC-proscribed behavior with bad
prefixes works on paper, as it serves to isolate the network originating
the problem prefix. However, that is totally dependent on /every/ router
doing so, thus preventing the problem from spreading, which as we
discovered, does not happen.

The ideal alternative behavior is to drop the bad prefix--not dropping
the peer, but not passing the bad prefix along either. I've been told that
there are recent Cisco IOS revs that do this instead of passing it along,
but they have other unresolved bugs that prevent their widespread use.

Should someone think about possibly updating the RFC?

-Chris
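
The argument in the message above, as an added toy model (not part of the original thread and not real BGP): a malformed update walks down a linear chain of routers that each apply one of the three behaviours discussed. The policy labels, the chain layout and the documentation prefixes are assumptions made for the illustration.

```python
# Added illustration: a toy model, not real BGP. Policy names are labels invented here.
STRICT, LENIENT, DISCARD = "reset-session", "pass-along", "drop-prefix"

# Constructed sample updates: (prefix, first hop that hears it, malformed path?).
# Hop 0 peers with the faulty origin; the second prefix belongs to hop 0 itself,
# so it first crosses the session into hop 1.
UPDATES = [
    ("192.0.2.0/24", 0, False),     # origin's healthy prefix
    ("198.51.100.0/24", 1, False),  # innocent transit's own prefix
    ("203.0.113.0/24", 0, True),    # origin's prefix with the malformed path
]

def simulate(policies, updates):
    """Walk each update down a linear chain of routers, one policy per hop.

    Returns (ribs, resets): the prefixes each hop ends up holding, and the
    hops that tore down the session to their upstream neighbour.
    """
    ribs = [set() for _ in policies]
    resets = []
    entered = {}  # prefix -> first hop, i.e. which sessions it has to cross
    for prefix, first_hop, malformed in updates:
        entered[prefix] = first_hop
        for hop in range(first_hop, len(policies)):
            if hop in resets:
                break  # session into this hop is down; nothing gets through
            if malformed and policies[hop] == STRICT:
                resets.append(hop)
                # Everything learned over that session is lost here and downstream.
                for rib in ribs[hop:]:
                    rib -= {p for p in rib if entered[p] <= hop}
                break
            if malformed and policies[hop] == DISCARD:
                break  # prefix dropped, session kept, nothing forwarded
            ribs[hop].add(prefix)
    return ribs, resets

if __name__ == "__main__":
    for chain in ([STRICT] * 3, [LENIENT, LENIENT, STRICT], [LENIENT, LENIENT, DISCARD]):
        ribs, resets = simulate(chain, UPDATES)
        print(chain, "-> resets at hops", resets, "| last hop holds", sorted(ribs[-1]))
```

With every hop strict the reset happens next to the origin and the transit's prefix survives; with lenient hops in front, the strict router resets its session to a neighbour that did nothing wrong and loses that neighbour's healthy routes as well.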

you are stuck in the situation that operators are faced in deciding
what software to run on their network. if the internet-draft is updated
you still need vendors to change their behavior and people to upgrade.

  - jared

I agree, it is only one step on a long road. But you have to take
the first step, if nothing else, so when a "new" vendor releases a
product it won't include the old behavior. Or at least, an officially
revised RFC gives customers another stick to beat their vendor.

Exactly - if the RFC is updated, there's no ambiguity re: how to design
new BGP software.

At this point, the RFC says to do what was at one time considered to be
the right thing, which was demonstrated most recently on Sunday night to
be exactly the wrong thing. Thus, the RFC should be updated to account
for what has been determined the "new" right way of handling malformed
prefixes. As a precedent, refer to the change in attitudes in the RFCs
towards open SMTP relaying - five years ago it was SOP, today it'll get
you blackholed.

-Chris

I agree, it is only one step on a long road. But you have to take
the first step, if nothing else, so when a "new" vendor releases a
product it won't include the old behavior. Or at least, an officially
revised RFC gives customers another stick to beat their vendor.

but we have the stick now. unfortunately, we also have a vendor who
ignores sticks. so adding different or more sticks may not be the
way to go.

randy

We have found our stick was effective with our vendor, given enough
beatings.

Regards,
Matt
--
Matt Levine
@Home: matt@deliver3.com
@Work: matt@eldosales.com
ICQ : 17080004
PGP : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x6C0D04CF
"The Trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

It's already written. However, the general impression a month and a half
ago was that it wasn't likely to go anywhere. Since I'm not really up to
trying to make headway in the relevant groups, anyone who *does* feel like
it and wants to see the proposal should feel welcome to contact me off-list
about it. It's really a fairly obvious set of extensions (and can, in fact,
be done with only extensions).

Matt,

I LOVE your sig. Is that your quote? or did someone else say it first?

"The Trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"It is never too late to be what you might have been." -George Eliot

I am an idiot. Sorry for cc'ing the list. My fingers were faster than my brain (and eyes).

-Robert