IOS-XR accepts extended communities and large communities by default.
You have to enable sending them, but not receiving.
Regards,
Jakob.
-Original Message-
Date: Mon, 12 Oct 2020 15:06:05 +0100
From:
Here's a fun one.
By default Junos accepts extended communities on any BGP session (not
IOS-XR has duplicate update suppression logic for EBGP sessions,
not for IBGP sessions.
If you are using EBGP and seeing a fault in the duplicate update
suppression logic in IOS-XR, please let me know configs and details
of the experiment.
Regards,
Jakob.
-Original Message-
Date: Thu, 15
This feature suppresses outgoing duplicates. Another feature ignores incoming
duplicates from any BGP session.
Regards,
Jakob.
> On Oct 18, 2020, at 1:46 AM, Clemens Mosig wrote:
>
> On 18.10.20 00:59, Jakob Heitz (jheitz) via NANOG wrote:
>> IOS-XR has duplicate update su
3:59 PM, Jakob Heitz (jheitz) via NANOG wrote:
> IOS-XR has duplicate update suppression logic for EBGP sessions,
> not for IBGP sessions.
>
> If you are using EBGP and seeing a fault in the duplicate update
> suppression logic in IOS-XR, please let me know configs and details
>
Jared,
Agreed it's "interesting".
Please configure "as-path-loopcheck out disable" under bgp address family to
make it less interesting.
https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-1/routing/command/reference/b-routing-cr-asr9000-71x/b-routing-cr-asr9000-71x_chapter_01
I couldn't put down Bill Norton's book.
https://drpeering.net/core/bookOutline.html
When a cheapskate like me pays the $10, it means something.
Regards,
Jakob.
-Original Message-
Date: Tue, 2 Feb 2021 11:35:34 +0100
From: Casey Callendrello
To: nanog@nanog.org
Subject: BGP / routing pape
Ben's blog details an experiment in which he advertises routes and then
withdraws them, but some of them remain stuck for days.
I'd like to get to the bottom of this problem.
Has anyone else seen this before or can provide data to analyze?
On or off list.
Regards,
Jakob.
-Original Message--
Re: BGP and The zero window edge
Dear Jakob, group,
On Wed, Apr 21, 2021 at 08:59:06PM +, Jakob Heitz (jheitz) via NANOG wrote:
> Ben's blog details an experiment in which he advertises routes and then
> withdraws them, but some of them remain stuck for days.
>
> I'd like to g
In Cisco, MRAI is "advertisement-interval".
MRAI helps to reduce route update multiplication in highly redundant
networks. OTOH, it can increase the time it takes to re-advertise
a complete internet table in some router implementations.
Update multiplication due to redundant network connections cau
Finding vulnerabilities and how to exploit them to run malware
in closed source code is nigh on impossible.
Anyone can read open source code.
What is possible is to analyze patches to figure out what was fixed
and then to attack those that didn't apply the patches.
Even easier is old releases. P
Ytti,
We have introduced the scalable as-set into the XR route policy language.
as-path-set does not scale well with 1000's of ASNs.
Now, you don't need to expand AS-SET into prefix-set, just enter it directly.
Example:
as-set test
2914,
3356,
end-set
!
route-policy sample
if as-path origina
"Tactical" /24 announcements
Hey Jakob,
Is there documentation for this somewhere? Are you saying that the
IOS-XR host will connect to some (configured?) server to expand the
as-set, and at what time? Commit time? Once every N?
On Sun, 15 Aug 2021 at 04:50, Jakob Heitz (jheitz) via NANOG
> RPKI validity cover is incomplete.
One way: add your own RTR records. They don't all have to come from
the RPKI.
Another way: Add route-policy to validate the origin-as.
That requires a prefix-set. However, these prefix-sets are much smaller
and the sum of them is smaller than the sum of prefix-s
Oh, and your other issue. IOS-XR has two modes in which you can use
RPKI validity. One is where the router automatically uses the
validity. The other mode is where you use the validity in any
way you want in route-policy.
Regards,
Jakob.
-Original Message-
From: Jakob Heitz (jheitz)
Sent
Mark,
Thanks for bringing this up again.
I remember this from nearly 3 years ago when Randy brought it up.
A bug was filed, but it disappeared in the woodwork.
I have now given it the high priority tag that it should have had initially.
Sorry about the mess up.
In the meantime, you may be able to
Lukas,
CSCvc84848
Will keep you in the loop too, Lukas.
Regards,
Jakob.
-Original Message-
From: Lukas Tribus
Sent: Monday, February 3, 2020 12:43 AM
To: Mark Tinka ; Jakob Heitz (jheitz)
Cc: nanog@nanog.org
Subject: Re: Starting to Drop Invalids for Customers
Hello,
On Tue, 14 Jan
I can corroborate that. I visited China in August 2019 and had terrible
internet performance to sites outside of China. This was both with mobile and
wifi at the homes of two friends, one in Heilongjiang and the other in Beijing.
When I visited in February 2015, it was much better. Both times, I
My data point:
I'm working from home. My computer is connected through company VPN, over wifi
to Comcast.
Comcast speed test says 18mS.
I use VNC and Webex with voice and video through the computer.
VNC response time and voice delay is not noticeable.
Regards,
Jakob.
-Original Message-
Suppose you had a set of customers that all announced to you a set of routes
and all those routes complete an aggregate
and you announce only the aggregate to those customers
and you include an AS_SET with it
then those customers will drop your aggregate, thinking there is an AS-loop
and those cust
y, no loop is seen by any of the downstream
networks that are announced the aggregate prefix.
I hope that helps clear up what I meant in my third
rule. :)
Thanks!
Matt
On Wed, Apr 15, 2020 at 11:26 AM Jakob Heitz (jheitz) via NANOG
<nanog@nanog.org> wrote:
Suppose you had a set of
From version 6.3.1, IOS XR supports "if community length" in route-policy.
Regards,
Jakob.
-Original Message-
Date: Fri, 17 Apr 2020 12:29:33 +0100
From:
On the point of as-path length limit, Yes I know of at least one tier-1 that
does it and since I left some 8 years back I do it ever
FIB compression comes with some risks.
When routes churn, there are certain cases when you have to decompress the FIB.
Then, the FIB must have the space, or else OOPS.
If a set of compressed routes has to change to decompress some and compress a
different set to improve overall compression, there i
the worst
that can happen if the automatic transmission anticipates
incorrectly is that it hunts.
Regards,
Jakob.
-Original Message-
Date: Mon, 8 Jun 2020 10:14:17 +0200
From: Baldur Norddahl
On 08.06.2020 07.56, Jakob Heitz (jheitz) via NANOG wrote:
> FIB compression comes wi
Don was a great guy. I learnt a few things about Flowspec from him.
Sorry to see him go.
Regards,
Jakob.
-Original Message-
Date: Thu, 23 Jul 2020 23:22:45 +
From: "Dobbins, Roland"
It is with a heavy heart that I must relate the news that Don Smith, formerly
of CenturyLink and mo
CSCdj01351. Fixed in 1997.
Regards,
Jakob.
-Original Message-
Date: Sat, 1 Aug 2020 13:29:59 -0700
From: Ryan Hamel
...
Also, wasn't it you that said Cisco routers had a bug in ignoring NO_EXPORT?
...
I was made aware of another bug in IOS-XR: CSCuv94859. Thanks Job and Ryan.
It caused some routes with NO_EXPORT to sometimes be advertised to EBGP
after an NSR switchover during a software upgrade.
It was fixed in 2015.
Regards,
Jakob.
-Original Message-
From: Jakob Heitz (jheitz)
Sent:
It may be possible to create a fake certificate for a fake ROA.
However, to do that requires a lot of steps to go right.
First, the RSA private key needs to be derived from the public key.
The quantum computer physics exists to do it.
However, the known technology is massively behind and may never
To address the risk of somebody exhausting your memory by dumping a ton of
routes on you,
we added two new options to "soft-reconfiguration inbound" in IOS-XR.
RPKI-dropped-only
Saves a copy of only the routes dropped by an RPKI validation-state test in
neighbor-in route-policy.
RPKI-tested-onl
ie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)
On Fri, 13 May 2022 at 00:44, Jakob Heitz (jheitz) via NANOG
wrote:
> RPKI-dropped-only
> Saves a copy of only the routes dropped by an RPKI validation-state test in
> neighbor-in route-policy.
>
> RPKI-tested-only
> Saves a
ty.
>
> Regards,
> Jakob.
>
> -Original Message-
> From: Saku Ytti
> Sent: Friday, May 13, 2022 12:36 AM
> To: Jakob Heitz (jheitz)
> Cc: nanog@nanog.org
> Subject: Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)
>
> On Fri, 13 Ma
This attack will work very well until the victim starts advertising
its prefix. The victim may not notice the fake advertisement because the fake
advertisement will not reach the victim AS due to AS-path loop checking.
So potential victims must advertise all prefixes that they register in
RPKI or
Here is a reason you might want to keep that /24.
Suppose you are a small ISP and I am your customer.
I also have another larger provider.
That larger provider is also your provider.
I own a /21 and advertise it to my larger provider.
You get that /21 from my larger provider.
I advertise a /24 sub
There are a lot of ROAs out there that make it EASIER to hijack
a route rather than harder.
If you register an ROA for a route and also advertise that route
in BGP, then an attacker who prepends your ASN has to at least
compete with your route with an AS_PATH length and will lose
in most of the In
Sander,
How big? How slow?
You can reply to me off or on list.
About 8 to 10 years ago, we had a large effort to improve this.
Now customers push many megabytes of prefix-sets several times a day and it
works.
I have sent some questions internally to get a better answer.
Related, in 7.2.1, we a
I just checked the Cisco IOS-XR code. It's not vulnerable to any of the 3 flaws
listed in the below linked hackernews article.
Kind Regards,
Jakob
Date: Wed, 3 May 2023 12:52:46 +0300
From: Hank Nussbacher
On 02/05/2023 17:56, Warren Kumari wrote:
For those that like FRR:
https://thehackerne
"prepend as-path" has taken its place.
Kind Regards,
Jakob
Date: Wed, 16 Aug 2023 21:42:22 +0200
From: Mark Tinka
On 8/16/23 16:16, michael brooks - ESC wrote:
> Perhaps (probably) naively, it seems to me that DPA would have been a
> useful BGP attribute. Can anyone shed light on why this RFC
ction too.
If only those communities would not be deleted by some transit networks
Thx,
R.
On Thu, Aug 17, 2023 at 9:46 PM Jakob Heitz (jheitz) via NANOG
<nanog@nanog.org> wrote:
"prepend as-path" has taken its place.
Kind Regards,
Jakob
Date: Wed, 16 Aug 2023 21:4
, 2023 at 7:41 PM Jakob Heitz (jheitz) via NANOG
<nanog@nanog.org> wrote:
That's true Robert.
However, communities and med only work with neighbors.
Communities routinely get scrubbed because they cause increased memory usage
and convergence time in routers.
Considering that we
og.org>
mailto:nanog@nanog.org>>
Subject: Re: Destination Preference Attribute for BGP
Hi Jakob,
On Fri, Aug 18, 2023 at 7:41 PM Jakob Heitz (jheitz) via NANOG
<nanog@nanog.org> wrote:
That's true Robert.
However, communities and med only work with neighbors.
Commun
at 10:59 AM
To: Jakob Heitz (jheitz) mailto:jhe...@cisco.com>>
Cc: nanog@nanog.org
Subject: Re: Destination Preference Attribute for BGP
Hi Jakob,
On Fri, Aug 18, 2023 at 7:41 PM Jakob Heitz (jheitz) via NANOG
mailto:nanog@nanog.
The blog was updated. Correct link:
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
The attribute was not malformed.
This is the hex dump of the attribute: “E0 1C 00”
It is described here.
https://www.rfc-editor.org/rfc/rfc6790#section-5.2
This attribute is deprecated, but
IOS-XR passes on the attribute by default.
Some other routers incorrectly claim it to be malformed and reset the BGP
session.
IOS-XR has a configuration to discard an attribute, so it will not pass it on.
It will pass the route with all its other attributes.
Here is an example configuration:
rout
You may treat-as-withdraw instead of discard.
However, this attribute does not affect routing.
It only affects whether a sender of packets to the route will add the entropy
label or not to the MPLS header, if such an MPLS header is added.
Therefore, it is safe to discard the attribute.
Kind Regard
If at least one ROA matches a route, then the route is valid.
This is to cover the case when more than one AS is authorized to
originate a particular prefix.
https://tools.ietf.org/html/rfc6811
Page 5:
o NotFound: No VRP Covers the Route Prefix.
o Valid: At least one VRP Matches the Route
Job,
Let me know if you have any issues doing this with IOS-XR.
Regards,
Jakob.
Date: Fri, 7 Jun 2019 17:29:49 +0200
From: Job Snijders
To: Eric Dugas
Cc: NANOG
Subject: Re: Networks enforcing RPKI validation
Message-ID: <20190607152949.gc32...@hanna.meerval.net>
Content-Type: text/plain; cha
The source address in the SYN is spoofed. What if the real owner of the source
address wanted to connect to you? Then your penaltybox would block him. An
attacker could now use your penaltybox to cause a DoS to the real owner of the
IP address.
> Date: Sun, 18 Aug 2019 08:48:08 -0700
> From: Mi
The article linked says no mainstream BGP implementation supports TCP-AO.
IOS-XE and IOS-XR support it.
While I do not represent the Cisco view, personally I like the idea of BGP over
TLS.
Regards,
Jakob.
-Original Message-
Date: Mon, 21 Oct 2019 19:21:03 +1100
From: Julien Goodwin
Another thing to consider is how long it takes to download into forwarding
hardware.
Forwarding hardware is optimized for forwarding, not programming.
The programming has to wait for time slots when forwarding is not using the
memory.
When you do smart aggregation, a single changed route could c
Hey, there's a better way.
Split the movie into segments:
Segment 1: Minute 1.
Segment 2: Minute 2.
Segment 3: Minutes 3,4.
Segment 4: Minutes 5-8.
Segment 5: Minutes 9-16.
etc.
Then send each segment in a loop.
Each receiver receives every loop simultaneously.
Each segment may start receiving part
-
From: Saku Ytti
Sent: Thursday, August 2, 2018 2:42 PM
To: Jakob Heitz (jheitz)
Cc: nanog@nanog.org
Subject: Re: Confirming source-routed multicast is dead on the public Internet
Hey,
On Fri, 3 Aug 2018 at 00:36, Jakob Heitz (jheitz) via NANOG
wrote:
> Hey, there's a better way.
>
You could put this multicast receiver into the last hop before the customer
and then send unicast to the customer.
Regards,
Jakob.
-Original Message-
From: Saku Ytti
Sent: Thursday, August 2, 2018 2:45 PM
To: Jakob Heitz (jheitz)
Cc: nanog@nanog.org
Subject: Re: Confirming source-rout
Owen,
You are correct in that RPKI leaves many problems unsolved.
One that it does solve is prefix splitting.
If I issue a ROA for prefix 10.1.2.0/23, any announcement of 10.1.2.0/24
(including mine) will be declared INVALID, because that announcement is covered
by the ROA and the mask length i
It does, Ytti. And not just in testing. In feature development too.
Often in design discussions, someone pipes up: "someone does bla bla,
Let's not break it". One I remember from years ago was setting two
route reflectors as clients of each other and thinking route reflection
wasn't designed for th
Wh! Thanks man!
Jakob.
-Original Message-
Date: Tue, 19 Feb 2019 15:26:38 +
From: Tom Hill
On 18/02/2019 21:50, John Von Essen wrote:
> If anyone on here has experience with the ASR series running the
> RSP440-SE or -TR, please contact me off-list. I'm trying to better
> unders
Each unit of mask length increase doubles the size of the table theoretically.
About 60% of the table is /24 routes.
Just going to /25 will probably double the table size.
Not sure I'd like to extrapolate the estimate out to /27.
Kind Regards,
Jakob
---
Among the issues:
Suppose the FIB has all the /24 components to make a /20, so it programs a /20.
Then one of the /24's changes nexthop. It now has to undo all that compression
by reinstalling some of the routes and figuring out the minimum set of /21,
/22, /23, /24
to make it happen. Then to avoi
Regards,
Jakob
From: William Herrin
Date: Sunday, October 1, 2023 at 6:32 PM
To: Jakob Heitz (jheitz)
Cc: nanog@nanog.org
Subject: Re: maximum ipv4 bgp prefix length of /24 ?
On Sun, Oct 1, 2023 at 5:40 PM Jakob Heitz (jheitz) via NANOG
wrote:
> Among the issues:
> Suppose the FIB has a
On a related note, I'm working on a project to handle FIB overflow in
such a way as to cause the least disruption in the network.
I welcome suggestions either on or off list.
Kind Regards,
Jakob
In bgp_sovc.h, at the top, it says:
BGP Secure Origin Validation Code
Further down in the file, it says:
BGP Secured Origin Validate Cache – SOVC
Basically, the router downloads the VRPs from the RPKI server, using RFC 6810.
Then it uses the downloaded VRPs to validate received routes using RFC 68
Wow!
The reason it’s called generative AI is because it totally made that up.
Kind Regards,
Jakob
Date: Wed, 31 Jan 2024 18:27:24 +
From: "Compton, Rich"
To: Mohammad Khalil , NANOG list
Subject: Re: SOVC - BGp RPKI
Message-ID:
Content-Type: text/plain; charset="utf-8"
ChatGPT
RFC 5736 was obsoleted by RFC 6890.
It says in part:
2.2.1. Information Requirements
The IPv4 and IPv6 Special-Purpose Address Registries maintain the
following information regarding each entry:
…
o Forwardable - A boolean value indicating whether a router may
forward an IP datag
The great innovation of blockchain is that once a Bitcoin is transferred, the
previous owner can’t take it back.
A distinguishing feature of RPKI is that the issuer of the EE certificate can
revoke it to take back ownership of the IP address.
Imagine if stale entries in the IRR could not be clean
Any-to-any connectivity is an O(x^2) (quadratic) problem.
When you build a fabric, you can add new pizza-boxes in a linear fashion as
long as the existing boxes have spare ports to plug in the new boxes.
As soon as the spare ports run out, the quadratic hits.
Then the choices are either:
* Re