[afnog] How to convince providers to take the sane option....

Fredy Kuenzler kuenzler at init7.net
Tue May 13 16:56:50 UTC 2014


Andrew, all,

Am 13.05.2014 17:18, schrieb Andrew Alston:
> I’m in a little bit of a rant mode in this post and openly admit it,
> but I’m getting REALLY frustrated and hoping someone here might have
> some advise on how to convince providers to actually do what is sane
> rather than what hurts them and hurts everyone else in the industry.

Understood, full ack.

> So, to describe the problem.
> 
> Certain providers in East Africa are announcing aggregate routes to 
> exchange fabrics and then announcing de-aggregate routes to their 
> transit providers who are not on the exchanges, do not peer, and
> have all their traffic going internationally.

This does not only happen in East Africa, but worldwide. Which is not
giving a clean sheet to the polluters, no matter where they are.

> Despite explaining the situation to the relevant providers, over and 
> over again, and concretely demonstrating the negative effects of
> what they are doing, the only answer you get is “We aren’t changing,
> we do traffic control like that”

I was preaching traffic engineering for inbound-heavy (eyeball) networks
in the past but apparently with little effect...
http://www.blogg.ch/uploads/BGP-traffic-engineering-considerations-v0.3.pdf

> Now, that there is a solution, drop the entire AS number from the
> global table on the European transit ingress which will force the
> aggregates coming via the exchange to be used, but that seems to be a
> horrible solution, since an outage at the exchange then causes a
> complete blackhole to that ASN and drastically reduces redundancy.
> But it seems also to be the only solution left when providers choose
> not to take the sensible option.

What we do is filtering on transit on prefix level, for example:

10.20.0.0/16 Prefix learned via exchange and via transit, and several
more-specifics learned via transit only, the config snippet would look
like this (Brocade syntax):

!
ip prefix-list TRANSITFILTER seq 5 permit 10.20.0.0/17 le 24
ip prefix-list TRANSITFILTER seq 10 permit 10.20.128.0/17 le 24
ip prefix-list TRANSITFILTER seq 999999 permit 0.0.0.0/0 ge 8 le 24
!
router bgp
 neighbor x.x.x.x remote-as [TRANSIT-AS]
 neighbor x.x.x.x prefix-filter TRANSITFILTER in
!

which would basically filter away any more-specific from transit, except
the covering /16 prefix. If the peering session fails, there is still a
backup path via transit.

To figure out the relevant prefixes it's useful to do a
'show ip bgp route regexp [_POLLUTING-PEER-AS_]'

This means manual work but after all it works. Init7 AS13030 is
meanwhile filtering around 10k polluting more-specifc prefixes away from
transit.

More info could be found here:
http://www.blogg.ch/uploads/routing-without-collateral-damage.pdf

Hope this helps.

-- 
Fredy Kuenzler

Init7 (Switzerland) Ltd.
AS13030
St. Georgen-Strasse 70
CH-8400 Winterthur
Skype:   flyingpotato
Phone:   +41 44 315 4400
Fax:     +41 44 315 4401
Twitter: @init7 / @kuenzler
http://www.init7.net/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 553 bytes
Desc: OpenPGP digital signature
URL: <http://afnog.org/pipermail/afnog/attachments/20140513/baadfcf9/attachment.sig>


More information about the afnog mailing list