nanog mailing list archives

Re: CULPRIT - poor connectivity to new b.root-servers.net


From: Jared Mauch <jared () puck nether net>
Date: Wed, 4 Feb 2004 11:20:27 -0500


On Wed, Feb 04, 2004 at 01:48:18AM -0800, bill wrote:


upstream routing for the new and old prefixes for b.root-servers.net is
asymmetric.  inbound is generally weighted to arrive through Level3, while
the outbound is generally weighted to depart through verio.

due to exceptional work from Level3 and Los Nettos, they were able to 
identify that Verio filters using "golden" prefixes...

"I believe I have found the culprit.  I think that Verio was filtering the
b root traffic out because it was not a blessed source address."

and

"I have a strange feeling that Verio (the return path for 209.244/14
according to Walt, and probably for lots of other blocks) is filtering
source addresses"

        Yes, We do filter our customers per their registered prefixes
for spoofed packets (rfc2267).

% whois -h rr.verio.net AS-LOSNETTOS
as-set:     AS-LOSNETTOS
descr:      Los Nettos and  ASs for whom we provide transit
members:    AS226, AS31, AS5655, AS5726, AS7397, AS6289, AS47,
            AS3832, AS5736, AS20144, AS3659, AS26711, AS127, AS4
admin-c:    wp8-arin
tech-c:     wp8-arin
notify:     Prue () usc edu
notify:     SandyG () usc edu
mnt-by:     MAINT-AS226
changed:    sandyg () usc edu 20031118
source:     VERIO
% whois -h rr.verio.net AS4
aut-num:    AS4
as-name:    ISI
descr:      USC/Information Sciences Institute
admin-c:    wp8-arin
tech-c:     wp8-arin
import:     from AS226  accept any
export:     to AS-LOSNETTOS  announce AS4
notify:     prue () usc edu
notify:     SandyG () usc edu
mnt-by:     MAINT-AS226
changed:    Prue () usc edu 20040203
source:     VERIO

Verio was asked to update its "blessed" or "golden" prefix list so that
packets from "B" would reach their intended destinations.  Third party
reports indicate that this "correction" has been applied within Verio.

        Yes, once the prefix properly appears in the routing registry,
these packets will be allowed to pass.

I would appreciate private replies on the efficacy of this ACL modification.

        If you're a Verio customer and seeing similar problems with
some of the prefixes you own, check that they are properly
registered.  If you're a bgp customer, you can get copies of your
acls automatically e-mailed to you whenever they change (including
the change and the full acl).

        You will want to make sure that the route is registered if you
intend to source packets from it (you do not necessarily need
to announce it).

        - Jared


-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
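
Added example, not part of the original message and not Verio's tooling: a sketch of how a registry-derived source-address filter of the kind discussed above could be built and checked. It assumes the filter is formed by expanding the customer's as-set to its member ASes and permitting the prefixes of route objects originated by those ASes; the as-set members are taken from the whois output above, while the route objects and addresses are constructed from documentation prefixes.

```python
import ipaddress
import re

# as-set members as shown in the whois output quoted in the message.
AS_SET = """\
as-set:     AS-LOSNETTOS
members:    AS226, AS31, AS5655, AS5726, AS7397, AS6289, AS47,
            AS3832, AS5736, AS20144, AS3659, AS26711, AS127, AS4
"""

# Constructed route objects using documentation prefixes (not real registrations).
ROUTES = """\
route:      192.0.2.0/24
origin:     AS4

route:      198.51.100.0/24
origin:     AS226
"""

def parse_members(as_set_text):
    """Collect AS numbers from the members: attribute, including continuation lines."""
    members, in_members = set(), False
    for line in as_set_text.splitlines():
        if line[:1].isspace():
            value = line                      # RPSL continuation of previous attribute
        else:
            key, _, value = line.partition(":")
            in_members = key.strip().lower() == "members"
        if in_members:
            members.update(re.findall(r"AS\d+", value.upper()))
    return members

def parse_routes(routes_text):
    """Return (network, origin) for each blank-line-separated route object."""
    routes = []
    for obj in re.split(r"\n\s*\n", routes_text.strip()):
        attrs = dict(re.findall(r"^([\w-]+):\s*(\S+)", obj, re.M))
        if "route" in attrs and "origin" in attrs:
            routes.append((ipaddress.ip_network(attrs["route"]), attrs["origin"].upper()))
    return routes

def build_acl(as_set_text, routes_text):
    """Permit list: registered prefixes whose origin AS is in the customer's as-set."""
    members = parse_members(as_set_text)
    return [net for net, origin in parse_routes(routes_text) if origin in members]

def source_permitted(src, acl):
    """True if the packet's source address falls inside a registered prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)
```

Running `source_permitted` against an ACL built before and after a route object is added for a new prefix reproduces the behaviour described in the message: packets sourced from the unregistered prefix are dropped until the registration appears.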

