nanog mailing list archives
Re: CULPRIT - poor connectivity to new b.root-servers.net
From: Jared Mauch <jared () puck nether net>
Date: Wed, 4 Feb 2004 11:20:27 -0500
On Wed, Feb 04, 2004 at 01:48:18AM -0800, bill wrote:
> upstream routing for the new and old prefixes for b.root-servers.net is asymmetric. inbound is generally weighted to arrive through Level3, while the outbound is generally weighted to depart through verio. due to exceptional work from Level3 and Los Nettos, they were able to identify that Verio filters using "golden" prefixes... "I believe I have found the culprit. I think that Verio was filtering the b root traffic out because it was not a blessed source address." and "I have a strange feeling that Verio (the return path for 209.244/14 according to Walt, and probably for lots of other blocks) is filtering source addresses"

Yes, we do filter our customers per their registered prefixes for spoofed packets (rfc2267).

% whois -h rr.verio.net AS-LOSNETTOS
as-set:   AS-LOSNETTOS
descr:    Los Nettos and ASs for whom we provide transit
members:  AS226, AS31, AS5655, AS5726, AS7397, AS6289, AS47, AS3832, AS5736, AS20144, AS3659, AS26711, AS127, AS4
admin-c:  wp8-arin
tech-c:   wp8-arin
notify:   Prue () usc edu
notify:   SandyG () usc edu
mnt-by:   MAINT-AS226
changed:  sandyg () usc edu 20031118
source:   VERIO

% whois -h rr.verio.net AS4
aut-num:  AS4
as-name:  ISI
descr:    USC/Information Sciences Institute
admin-c:  wp8-arin
tech-c:   wp8-arin
import:   from AS226 accept any
export:   to AS-LOSNETTOS announce AS4
notify:   prue () usc edu
notify:   SandyG () usc edu
mnt-by:   MAINT-AS226
changed:  Prue () usc edu 20040203
source:   VERIO

> Verio was asked to update its "blessed" or "golden" prefix list so that packets from "B" would reach their intended destinations. Third party reports indicate that this "correction" has been applied within Verio.

Yes, once the prefix properly appears in the routing registry, these packets will be allowed to pass.

> I would appreciate private replies on the efficacy of this ACL modification.

If you're a Verio customer and seeing similar problems with some of the prefixes you own, check that they are properly registered. If you're a bgp customer, you can get copies of your acls automatically e-mailed to you whenever they change (including the change and the full acl). You will want to make sure that the route is registered if you intend to source packets from it (you do not necessarily need to announce it).

- Jared

--
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
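Added example (not part of the original message, and not Verio's tooling): a sketch of how a source-address ACL can be derived from routing-registry objects, showing why packets from a prefix with no matching route object are dropped. The route objects, their prefixes and AS64500 are constructed, the member list is abridged from the whois output above, and the as-set is assumed to be flat (no nested sets).

```python
import ipaddress

# Constructed RPSL text. The as-set name and members come from the whois
# output above (abridged); the route objects are made-up documentation ranges.
IRR_TEXT = """\
as-set:   AS-LOSNETTOS
members:  AS226, AS31, AS4

route:    192.0.2.0/24
origin:   AS4

route:    198.51.100.0/24
origin:   AS226

route:    203.0.113.0/24
origin:   AS64500
"""

def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = []
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.append((key.strip().lower(), value.strip()))
        objects.append(attrs)
    return objects

def build_source_acl(objects, as_set_name):
    """Collect route prefixes whose origin AS is a member of the customer's as-set."""
    members = set()
    for obj in objects:
        if obj[0] == ("as-set", as_set_name):
            for key, value in obj:
                if key == "members":
                    members.update(m.strip().upper() for m in value.split(","))
    acl = []
    for obj in objects:
        if obj[0][0] == "route" and dict(obj).get("origin", "").upper() in members:
            acl.append(ipaddress.ip_network(obj[0][1]))
    return acl

def source_permitted(acl, src):
    """RFC 2267-style ingress check: pass only sources inside a registered prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)

ACL = build_source_acl(parse_rpsl(IRR_TEXT), "AS-LOSNETTOS")
```

A member AS that starts sourcing traffic from a new prefix before a route object exists fails `source_permitted`, which matches the advice in the message to register the route even if it is not announced.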