nanog mailing list archives

Re: do not filter your customers

From: Christopher Morrow <morrowc.lists () gmail com>
Date: Sat, 25 Feb 2012 02:15:20 -0500

On Fri, Feb 24, 2012 at 10:52 PM, Dobbins, Roland <rdobbins () arbor net> wrote:

X prefixes/packets in Y seconds/milliseconds doesn't keep the peer from blowing up your RIB,


How so?  If the configured parameters are exceeded, stop accepting/inserting updates until this is no longer the 
case.  Exceptions would be made for peering session establishment, it would take effect after that.


if the rate is 1/ms ... I can fill the rib in 2million ms ... ~30mins?
Rate alone isn't the problem :( size matters.

it does slow down convergence :(


Yes, but is this always necessarily a Bad Thing?  For example, this particular circumstance (and many like it, c.f. 
AS7007 incident, et. al.)  it could be argued that in this particular case, [incorrect?  undesirable?  premature? 
pessimal?] convergence led to a poor result, could it not?


it's not clear, to me at least, that slowing convergence is good. it
seems to me that folk do all manner of 'interesting' things in order
to limit convergence time. People aren't trying to actively make
convergence take longer, that I've seen at least.

If you have 200 peers on an edge device, dropping the whole device's routing capabilities because of one 
AS7007/AS1221/AS9121 .. isn't cool
to your network nor the other customers on that device :(


Apologies for being unclear; I wasn't suggesting dropping or removing anything, but rather refusing to further 
accept/insert updates from a given peer until the update rate from said peer slowed to within configured parameters.


yup, I think I jumped a bit around, my penalizing every other customer
was a reference to not having any limiting system in place.

max-prefix as it exists today at least caps the damage at one customer.


But it doesn't, really, does it?  The effects cascade in an anisotropic manner throughout a potentially large transit 
cone.


dropping a single customer sucks, dropping an entire edge device is
far far worse.

The knobs available are sort of harsh all the way around though today :(


Concur again, sigh.


hurray! sort of.

thanks!
-chris

Current thread:

Re: do not filter your customers, (continued)
- - - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Richard Barnes (Feb 24)
    - Re: do not filter your customers Danny McPherson (Feb 24)
    - Re: do not filter your customers Steven Bellovin (Feb 24)
    - Re: do not filter your customers Jeffrey S. Young (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Julien Goodwin (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Dobbins, Roland (Feb 24)
    - Re: do not filter your customers Valdis . Kletnieks (Feb 25)
    - Re: do not filter your customers Tom Hill (Feb 25)
    - Looking For Tinet NOC Contact Faisal Imtiaz (Feb 25)
    - Re: do not filter your customers Christopher Morrow (Feb 25)
    - Re: do not filter your customers Dobbins, Roland (Feb 25)
    - Re: do not filter your customers Jeff Young (Feb 24)
    - Re: do not filter your customers Shane Amante (Feb 24)
    - Re: do not filter your customers Christopher Morrow (Feb 24)
    - Re: do not filter your customers Geoff Huston (Feb 24)

(Thread continues...)