North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: CULPRIT - poor connectivity to new b.root-servers.net

  • From: Jared Mauch
  • Date: Wed Feb 04 11:22:54 2004 
On Wed, Feb 04, 2004 at 01:48:18AM -0800, bill wrote:
> 
> 
> upstream routing for the new and old prefixes for b.root-servers.net is
> asymetric.  inbound is generally weighted to arrive through Level3, while
> the outbound is generally weighted to depart through verio.
> 
> due to exceptional work from Level3 and Los Nettos, they were able to 
> identify that Verio filters using "golden" prefixes...
> 
> "I believe I have found the culprit.  I think that Verio was filtering the
> b root traffic out because it was not a blessed source address."
> 
> and
> 
> "I have a strange feeling that Verio (the return path for 209.244/14
> according to Walt, and probably for lots of other blocks) is filtering
> source addresses"

	Yes, We do filter our customers per their registered prefixes
for spoofed packets (rfc2267).

% whois -h rr.verio.net AS-LOSNETTOS
as-set:     AS-LOSNETTOS
descr:      Los Nettos and  ASs for whom we provide transit
members:    AS226, AS31, AS5655, AS5726, AS7397, AS6289, AS47,
            AS3832, AS5736, AS20144, AS3659, AS26711, AS127, AS4
admin-c:    wp8-arin
tech-c:     wp8-arin
notify:     [email protected]
notify:     [email protected]
mnt-by:     MAINT-AS226
changed:    [email protected] 20031118
source:     VERIO
% whois -h rr.verio.net AS4
aut-num:    AS4
as-name:    ISI
descr:      USC/Information Sciences Institute
admin-c:    wp8-arin
tech-c:     wp8-arin
import:     from AS226  accept any
export:     to AS-LOSNETTOS  announce AS4
notify:     [email protected]
notify:     [email protected]
mnt-by:     MAINT-AS226
changed:    [email protected] 20040203
source:     VERIO

> Verio was asked to update its "blessed" or "golden" prefix list so that
> packets from "B" would reach thier intended destinations.  Third party
> reports indicate that this "correction" has been applied within Verio.

	Yes, once the prefix properly appears in the routing registry,
these packets will be allowed to pass.

> I would appreciate private replies on the efficacy of this ACL modification.

	If you're a Verio customer and seeing similar problems with
some of the prefixes you own, check that they are properly
registered.  If you're a bgp customer, you can get copies of your
acls automatically e-mailed to you whenever they change (including
the change and the full acl).

	You will want to make sure that the route is registered if you
intend to source packets from it (you do not necessarily need
to announce it).

	- Jared


-- 
Jared Mauch  | pgp key available via finger from [email protected]
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.