North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: BGP terminology question

  • From: NetSecGuy
  • Date: Sun Nov 06 14:22:06 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=DWPf9JDs+qvLMTWR4S6ahu9/qXrI/aTysOpqjVx9kIUu42e/JWr9n6SQSx9161iAqNO3DsyawTKf9ac/AwAelFjP/7DK0SM2sJItTI6ROHEAEO5X1E0xARIz2x8i1zrYYujE6vfVKsatgWlq3jJZW1FUD4vhUqfRlh0m/Po7Hb0=
At the risk of sounding like a total moron, can anyone explain what is happening here? 

This is from RIS, specifically RRC00.  Here is some sample output of route_btoa from this file:
http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz
<snip>
BGP4MP|1131251415|STATE|193.0.0.56|3333|1|2
BGP4MP|1131251415|STATE|193.0.0.56|3333|2|4
BGP4MP|1131251415|STATE|193.0.0.56|3333|4|5
BGP4MP|1131251415|STATE|193.0.0.56|3333|5|6
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.252.0/23|3333 3356 11168|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.11.254.0/23|3333 3356 11168|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.10.241.0/24|3333 1103 1273 6395 22324 22324|IGP|193.0.0.56|0|0||NAG||
BGP4MP|1131251415|A|193.0.0.56|3333|8.15.2.0/24|3333 6320 8001 6395 26049 26049 26049 26049|IGP|193.0.0.56|0|0||NAG||
</snip>

I understand AS3333 is RIS itself, is this some kind of misconfig on their end?  It seems to be announcing it's entire table every 5 minutes. This started late Friday and ended a few hours ago.


On 11/6/05, Patrick W. Gilmore <[email protected]> wrote:
On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote:

> I asked this question on inet-access and it was suggested I try NANOG.
>
> I understand BGP flapping to be announcements followed by withdraws
> over a short period.  I am seeing a peer with a large number of
> announcements and the normal number of withdraws.  Is there a term
> to describe what I am seeing?  I'd like to understand what is
> happening, but I've been looking for more info and can't seem to
> find anything. I suspect I am just not using the right words to
> search.
>
> If there isn't a term, why would a peer announce thousands of time
> an hour with very few withdraws?

There is a term, it's called "broken".

A peer should never announce a route it has already announced unless
that route is withdrawn.  (If the session goes down or is reset, that
counts as a withdrawal.)

--
TTFN,
patrick