[afnog] strict RPF ????

Andrew Alston Andrew.Alston at liquidtelecom.com
Sun Oct 18 17:50:57 UTC 2015


Yes,

I can confirm that one particular large mobile network in South Africa is doing strict uRPF and has been for years, despite many requests and much pleading by, well, everyone, to change it.

It causes unholy hell.

Andrew



Sent from my Samsung device


-------- Original message --------
From: Frank Habicht <geier at geier.ne.tz>
Date: 18/10/2015 7:34 pm (GMT+02:00)
To: afnog <afnog at afnog.org>
Subject: [afnog] strict RPF ????

Hi all,

I'm getting the impression that something is wrong in the South...

Can anyone please confirm whether or not any bigger network in South
Africa is doing strict RPF on their AS-boundaries, specifically
peering/transit links.
(not talking about customer links here)

I don't want to mention names yet....

What we see (from AS37084, for example 41.221.41.13):

traffic to most IPs does work and ping fine, some 50ms via Seacom IP
network (37100) - good.

that also means the South African network has (and uses) a route to us
via Seacom - nice and short. also good.

the problem:
traffic to at least one prefix
- the prefix is apparently not advertised by that South African network
in the same way to Seacom, at least we don't get it advertised from
Seacom like we get many others
- so traffic goes to Europe, specifically to a "tier-1" network
  (mentioning because I think it's safe to say the South African
   network won't have a peering with my upstream.)
- and then traceroute to the problem-destination stops
- from a Hetzner hosted host in Europe we can get to the problem
   destination fine.
   a stable RTT of >790ms might suggest a VSAT link from SA though - not
   a problem.
- from same host a traceroute features the AMS-IX IP of the South
   African network....
  So peering might suggest a symmetric path
- in fact: traceroute the opposite direction kind-of confirms that.


The only idea that I have here is that from 37084 in TZ the path to the
problem-prefix is via Europe, and the return path is not,
and that someone is doing strict RPF.

To which I would like to say:
Where I live the internet is asymmetric.
Especially when you guys (same origin AS btw) advertise some but not all
prefixes to Seacom.

And this hurts both our customers and your customers.
And at the moment I'm convinced that it's not my routers dropping the
packets.
And that's the message our customers are getting.

I'd like to get it fixed - soon.
If possible without naming names.
So I add one email address (from whois) into BCC...

But I _can_ name names.

Have fun.

Frank


_______________________________________________
afnog mailing list
https://www.afnog.org/mailman/listinfo/afnog
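
The failure mode discussed in this thread, as an added example that is not part of the original messages: a small Python model of the strict and loose uRPF checks on a border router with asymmetric paths. The prefixes are constructed documentation ranges, and the interface names `seacom` and `europe` and the FIB contents are assumptions chosen to mirror the scenario described above.

```python
import ipaddress

# Constructed FIB of the border router performing the check:
# prefix -> interface the router would use to reach that prefix.
FIB = {
    "198.51.100.0/24": "seacom",  # remote network, best return path is the short one
    "192.0.2.0/24": "europe",     # some other network reached via the European peering
}

def lookup(fib, addr):
    """Longest-prefix match; returns the egress interface or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf(fib, src, in_iface, mode):
    """Return True if a packet from src arriving on in_iface passes the check.

    strict: the best route back to src must point out of in_iface.
    loose:  any route back to src is enough, whatever the interface.
    """
    back = lookup(fib, src)
    if back is None:
        return False              # no route to the source: dropped in both modes
    if mode == "loose":
        return True
    return back == in_iface       # strict

# Constructed packets: (source address, arrival interface, note)
PACKETS = [
    ("198.51.100.13", "seacom", "symmetric path"),
    ("198.51.100.13", "europe", "asymmetric: arrived via Europe, return is via Seacom"),
    ("203.0.113.7", "europe", "source with no route at all"),
]

def evaluate(fib=FIB, packets=PACKETS):
    """Return (src, in_iface, strict_result, loose_result) for each packet."""
    return [(s, i, urpf(fib, s, i, "strict"), urpf(fib, s, i, "loose"))
            for s, i, _ in packets]

if __name__ == "__main__":
    for (s, i, strict, loose), (_, _, note) in zip(evaluate(), PACKETS):
        print(f"{s:15} in={i:7} strict={'pass' if strict else 'DROP'} "
              f"loose={'pass' if loose else 'DROP'}  # {note}")
```

Only the second packet differs between the modes: it is legitimate traffic that strict mode drops purely because the forward and return paths use different links, while loose mode still rejects the unrouted source.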
