[ris-int] [ripe.net #124141] AS3333 <> RIS problems over the weekend?
Rene Wilhelm wilhelm at ripe.net
Mon Nov 7 15:00:35 CET 2005
One of those rare occasions where someone from Nanog uses RIS, but now he got confused by the vast number of updates coming to RIS from RIPE NCC (AS3333) over the weekend. Could one of you enlighten him (or the list at large) what caused this? -- Rene ---------- Forwarded message ---------- Message-ID: <2ed0bc680511061121v288974f9jdf3bf99466bb6568 at mail.gmail.com> From: NetSecGuy <netsecguy at gmail.com> Sender: owner-nanog at merit.edu To: nanog at merit.edu Date: Sun, 6 Nov 2005 14:21:00 -0500 Subject: Re: BGP terminology question At the risk of sounding like a total moron, can anyone explain what is happening here? This is from RIS, specifically RRC00. Here is some sample output of route_btoa from this file: http://data.ris.ripe.net/rrc00/2005.11/updates.20051106.0430.gz <snip> BGP4MP|1131251415|STATE|126.96.36.199|3333|1|2 BGP4MP|1131251415|STATE|188.8.131.52|3333|2|4 BGP4MP|1131251415|STATE|184.108.40.206|3333|4|5 BGP4MP|1131251415|STATE|220.127.116.11|3333|5|6 BGP4MP|1131251415|A|18.104.22.168|3333|22.214.171.124/23|3333 3356 11168|IGP|126.96.36.199|0|0||NAG|| BGP4MP|1131251415|A|188.8.131.52|3333|184.108.40.206/23|3333 3356 11168|IGP|220.127.116.11|0|0||NAG|| BGP4MP|1131251415|A|18.104.22.168|3333|22.214.171.124/24|3333 1103 1273 6395 22324 22324|IGP|126.96.36.199|0|0||NAG|| BGP4MP|1131251415|A|188.8.131.52|3333|184.108.40.206/24|3333 6320 8001 6395 26049 26049 26049 26049|IGP|220.127.116.11|0|0||NAG|| </snip> I understand AS3333 is RIS itself, is this some kind of misconfig on their end? It seems to be announcing it's entire table every 5 minutes. This started late Friday and ended a few hours ago. On 11/6/05, Patrick W. Gilmore <patrick at ianai.net> wrote: > > On Nov 6, 2005, at 1:05 PM, NetSecGuy wrote: > > > I asked this question on inet-access and it was suggested I try NANOG. > > > > I understand BGP flapping to be announcements followed by withdraws > > over a short period. I am seeing a peer with a large number of > > announcements and the normal number of withdraws. Is there a term > > to describe what I am seeing? I'd like to understand what is > > happening, but I've been looking for more info and can't seem to > > find anything. I suspect I am just not using the right words to > > search. > > > > If there isn't a term, why would a peer announce thousands of time > > an hour with very few withdraws? > > There is a term, it's called "broken". > > A peer should never announce a route it has already announced unless > that route is withdrawn. (If the session goes down or is reset, that > counts as a withdrawal.) > > -- > TTFN, > patrick >
[ Ris-int Archives ]