Re: WIX Route Reflectors
So, let me get this straight. He gets troubles when he receives routes from you directly, and then again via the route server?
Yeah. Turns out he's running some horrible system based on gated.
Which means that the other 40 odd peers of the route servers will no longer have direct paths to xtra's networks (of that 40, maybe half are on private ASN, so can't easily peer directly with xtra), and vice versa. I'm happy to not send updates we receive from xtra on to users xtra peer directly with, but I need you to tell me who those peers are. If you don't want us to send Xtra updates Plain, I'll knock 'em on the head immediately. Personally, I'd hope that was a better solution than just dropping the route server peering completely (it's what we do for Paradise and Netlink, for example).
What we have been doing in the past (and what we are doing now, for that matter) is to add our routes into the mix, but not learn anything from the route reflectors.
That's going to be a tad pointless, when you've dropped your peer, and Matthew currently has his peering down! Can you cut and paste some examples of where the route server is doing something wrong? 'praps you could give me a call on 025 XXX XXX, or let me know your number, and I'll call you.
Yeah, I realised that just after I sent you the last mail. However, allowing routes from the WIX route reflectors to enter our network raises trust issues. The problem being, I know of you, Mr Blake, but I'm afraid I don't know you (god I love that line, thanks Chris Roberts for giving us the wing commander movie!). I would rather under-utilise our WIX connection by using only explicit domestic peering with other large peers, whom I know how to contact, than use route reflectors, both of which are under a completely different routing domain, and can potentially have conflicting policies with mine. This is not, however, a personal attack on yourself, your administrative abilities, or your network, but merely a statement of fact. I cannot allow routes from unknown and untrusted sources to be injected into my AS unless stringent measures are undertaken on your part to ensure the sanity of said advertisements. I will however allow our network to learn routes from you if you are able to give documented evidence that every route is under the strict control of the WIX. In an effort to help, I am willing to send you a prefix-list of Xtra's networks.
James Tyson --- Samizdat New Media Solutions
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
Evening all. This is a little long, ignore if you don't have an interest in the exchange in Wellington. On Thu, 17 Aug 2000, James Tyson wrote:
So, let me get this straight. He gets troubles when he receives routes from you directly, and then again via the route server?
Yeah. Turns out he's running some horrible system based on gated.
Righto, So we're moving from "we're not peering coz the route servers are broken" to "we're not peering coz we don't trust what comes from the route servers"? That's all good, we've had these discussions before, and doubtless we'll have them again.
What we have been doing in the past (and what we are doing now, for that matter) is to add our routes into the mix, but not learn anything from the route reflectors.
Indeed. Mighty prudent strategy.
I cannot allow routes from unknown and untrusted sources to be injected into my AS unless stringent measures are undertaken on your part to ensure the sanity of said advertisements.
I will however allow our network to learn routes from you if you are able to give documented evidence that every route is under the strict control of the WIX.
Here's the state of the WIX, as it's currently run. The WIX route servers peer with about 35 other routers, about half of which are on private ASN, and the rest have public AS numbers. Arbitrarily, I assume that the users of private ASN are inept, and therefore I require that they give me a manual list of prefixes they're going to announce, with which I filter their incoming announcements. Equally arbitrarily, I assume that organisations that have gone to the trouble of obtaining their own public ASN have a certain degree of clue, and therefore I don't require that they give me a list of prefixes before peering, although if they do provide a prefix list I'll gladly filter their announcements with it. Generally, all new peers added since about the start of this year have provided prefix lists, and are being filtered. I'm aware that this sounds random, and insecure, but historically, all care, no responsibility has been the only way Citylink staff could run the route servers, given the limited time resources available to us. On the whole, it's worked pretty well, for a fairly organic construct. So, at this stage, I can provide an accurate list of the prefixes being originated from 9439, the Citylink AS (all private ASN get reoriginated from 9439 as they pass through the route server), and if anybody wants that list, I'll gladly provide. For the majority of the other ISPs that advertise through the WIX route servers I don't currently know what they're announcing, so you should treat them with whatever level of scepticism you like. OTOH, I guess you could contact the administrators of these ASN directly (all the usual suspects :-), and find out what they're sending to the route servers, and filter for that.
That being said, I'll soon be working full time for Citylink, and will have more time for documenting and managing the route reflectors, including getting and publishing authoritative lists of all the prefixes WIX peers plan to advertise, possibly by hand, or possibly through the RADB or similar. I suspect this'll be a gradual process, as always.
In an effort to help, I am willing to send you a prefix-list of Xtra's networks.
Sure, that'd be a grand way to start. If anybody else wants to send me their list of prefixes that they're sending to the route servers, then I'll add them to the list of prefixes we announce. Cheers Si
On Fri, Aug 18, 2000 at 01:00:09AM +1200, Simon Blake wrote:
In an effort to help, I am willing to send you a prefix-list of Xtra's networks.
Sure, that'd be a grand way to start. If anybody else wants to send me their list of prefixes that they're sending to the route servers, then I'll add them to the list of prefixes we announce.
I think you'll need to filter _all_ sessions according to policy published (say) in the RADB before prudent operators trust any of the routes you propagate. Otherwise, people might as well give you access to all their routers and say "here, feel free to change stuff randomly whenever it suits you". The reason that route servers first came into existence was to make it easier to perform aggressive route filtering without each exchange participant needing to re-invent the wheel (you know the route servers filter strictly, so you can trust them without filtering and save yourself effort). A route server without an aggressive filtering policy is a much less useful tool.
Evening all. Sorry for the late reply, this got hung up in pine limbo land when the cablers plugged their vacuum cleaner into the UPS and everything went "pop" :-(. On Fri, 18 Aug 2000, Joe Abley wrote:
The reason that route servers first came into existence was to make it easier to perform aggressive route filtering without each exchange participant needing to re-invent the wheel (you know the route servers filter strictly, so you can trust them without filtering and save yourself effort).
A route server without an aggressive filtering policy is a much less useful tool.
Suits me. I currently have a subset of routes that I trust, and filter aggressively for, and another bunch that I readvertise that I don't have any control over. At the moment, both sets get advertised to all peers, with no differentiation, but there's no reason why I can't change that (either for specific peers, or globally), such that the only routes I announce are the routes I trust. The real question is whether the operator community think that's a good idea, and if they trust Citylink (me) to do so. I'd have thought that for an exchange now numbering ~20 possible public ASN peers, it is worthwhile. Cheers Si
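As an added illustration of the route server policy Simon describes in this thread (private-ASN peers filtered against a supplied prefix list and re-originated from AS 9439, public-ASN peers filtered only when they hand over a list, and the proposed "announce only the routes I trust" export), here is a small Python model. It is not Citylink's configuration or code; the peer ASNs and prefixes are constructed sample data, and accepting more-specifics of a listed block is an assumed policy detail.

```python
# Model of the WIX route server import/export policy described on the list.
# AS 9439 is the Citylink AS named in the thread; every other value is made up.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

CITYLINK_AS = 9439
PRIVATE_ASN = range(64512, 65535)  # RFC 1930 private AS range, 64512-65534


@dataclass
class Peer:
    asn: int
    prefix_list: Optional[List[str]] = None  # None: peer supplied no list


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    trusted: bool  # True only if the route passed a prefix-list filter


def is_private(asn: int) -> bool:
    return asn in PRIVATE_ASN


def import_route(peer: Peer, prefix: str) -> Optional[Route]:
    """Return the route as the route server would carry it, or None if rejected."""
    net = ip_network(prefix)
    if peer.prefix_list is None:
        if is_private(peer.asn):
            return None  # private ASN must supply a list; nothing accepted without one
        return Route(prefix, [peer.asn], trusted=False)  # public ASN, unfiltered
    # Assumption: a listed block also covers its more-specifics.
    covered = any(net == ip_network(p) or net.subnet_of(ip_network(p))
                  for p in peer.prefix_list)
    if not covered:
        return None
    # Private ASN routes are re-originated from 9439 as they pass through.
    path = [CITYLINK_AS] if is_private(peer.asn) else [peer.asn]
    return Route(prefix, path, trusted=True)


def build_rib(announcements: List[tuple]) -> List[Route]:
    """announcements: (Peer, prefix) pairs; returns the accepted routes."""
    return [r for r in (import_route(p, pfx) for p, pfx in announcements) if r]


def export_routes(rib: List[Route], trusted_only: bool) -> List[Route]:
    """Today's behaviour (everything) or the proposed trusted-only announcement."""
    return [r for r in rib if r.trusted or not trusted_only]
```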