Re: [Idr] some questions from {RC, LC, EC} analysis presentation in GROW

"Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov> Mon, 09 August 2021 17:07 UTC

Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E983A0B76; Mon, 9 Aug 2021 10:07:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.165
X-Spam-Level:
X-Spam-Status: No, score=-3.165 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.612, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0p5bJ29g6_Y; Mon, 9 Aug 2021 10:06:55 -0700 (PDT)
Received: from GCC02-DM3-obe.outbound.protection.outlook.com (mail-dm3gcc02on2111.outbound.protection.outlook.com [40.107.91.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E16C33A0B6F; Mon, 9 Aug 2021 10:06:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WijP0gsBdfmplXQWX+xITS2rdqvizEMCIMmSO1UoWkEv2x5gB57qKHitWl1RmBBN+qqWZfqG98ENYbLuTt5f8LlXbIlLqJDkMOeuFPCqtAmNSCpamIriPEF62GrCBikbTtGkOltj3JPnTRe5AS5CpzUNePgt8uNZ7iB/O7duasJLUteZi4oRmtx81L7h5u4VPUBVhDzSr06MLaVPXBO5c2+adR0J4LUUVETtnPvzvtUZj/kXhVni5L5A0qlO3nStB8opttUuou98eMKEXeLramGPwmnlLFRCcEtmFGBBMyKthi0KqnKAR5YsaYPEl4w5eIXVoV4c7x+ZmvuX/YSTqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ya7BlwwfbPP5nlMmviGWWgaWWx+vFKRMAZAtc1/yZZI=; b=MHN2LNAR05/htWPR86xxUNyeZdh9iyI/rvVs4MVE23jXVI3fXdF67gi1JfVowZxv9+BWDVnkjDsy0o4x5dz7elB7a4vJod1V/gNimMovrBX9iN0Pu3dQh8EbN+2UXcy49FqLZZbkS1D4DneSzY8JBeqtsSlOY/wLbxFSdICxTuGN0OxqLDNAOplkdkYaDsO6E0mszIYmG7iRyeB3waFufUOYmNNA0lGdVG1UOsn+/6BSiTxrfJvZ/DlBFXB6hKEX2uIUYzPdiDzV7//xzs8SkeC00PnCAt4TY7FfrW9I0cUCo10meL31YEXuSg9ZNCP4YgfVHlp7OTruuG1oLZuUSw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=nist.gov; dmarc=pass action=none header.from=nist.gov; dkim=pass header.d=nist.gov; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ya7BlwwfbPP5nlMmviGWWgaWWx+vFKRMAZAtc1/yZZI=; b=P9ifZwfXgnxPU19CYoJKX/+A+pYCUSOy/N+o5S7BbF1MLQ0dkqmzztluuChQZMLwolVTE1+U4iNZ3/DMexTFSkwDtZGofb6F9mwxXfcJff8BDzBUIB92QdmMYbGvO2m166716/l7be3xZI2J8DrXnqCq7HYSqx2K1Op00+QhjuM=
Received: from SA1PR09MB8142.namprd09.prod.outlook.com (2603:10b6:806:171::8) by SA0PR09MB6634.namprd09.prod.outlook.com (2603:10b6:806:6d::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4394.18; Mon, 9 Aug 2021 17:06:46 +0000
Received: from SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::153f:4e8c:eadd:935d]) by SA1PR09MB8142.namprd09.prod.outlook.com ([fe80::153f:4e8c:eadd:935d%7]) with mapi id 15.20.4394.023; Mon, 9 Aug 2021 17:06:46 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Zhuangshunwan <zhuangshunwan@huawei.com>
CC: Jeffrey Haas <jhaas@pfrc.org>, GROW WG <grow@ietf.org>, IDR <idr@ietf.org>
Thread-Topic: some questions from {RC, LC, EC} analysis presentation in GROW
Thread-Index: AQHXiHXG0T0iPqYYLk6NCjnOwJ+5gatinG8AgADwG9OAB9cbww==
Date: Mon, 9 Aug 2021 17:06:46 +0000
Message-ID: <SA1PR09MB8142699ECB6700439DC4D32A84F69@SA1PR09MB8142.namprd09.prod.outlook.com>
References: <SA1PR09MB8142ADE02512DB13887086AC84F09@SA1PR09MB8142.namprd09.prod.outlook.com>, <76c169816a174f4c8907af0e8b64b932@huawei.com>, <SA1PR09MB8142D8366448EDD90909FDEC84F19@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142D8366448EDD90909FDEC84F19@SA1PR09MB8142.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=nist.gov;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2cfb6321-62e1-4695-e3b9-08d95b58121d
x-ms-traffictypediagnostic: SA0PR09MB6634:
x-microsoft-antispam-prvs: <SA0PR09MB66344312DE19197F14ADF8D384F69@SA0PR09MB6634.namprd09.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: f61kUyAmLoXRbW6Uc4SLLZqz6Gr2lanf2Nu6Bq0bI/T/ETwU3mXejmP/b5WZvbdEtjd9GAwmzbNOhIaTcT8hecHZ1OC0+6c3I5g0/t2sB0+2xKi9BHNhq9OFqatXNyicDCw2l++zDIWcW0BLfD7gdhdmApG/1yeSDR/gdThyongsYSyAQtE6GB4qZn1jLPd8ox/t9amWmRRYIr+MnLUpDnZ8XQ+f1iITMalJ0HgFWrgbs07h2XTyTY8+3gRNUBQIb4QZxmUr1QBibipU+m1sAcRICC09Ie7j4HpOMZ3N3RfzHKAXXrlmM1GgWzx6GksrB2op4KOPxzWcVp9gVFsZzMyCz+RCEiLWuZYH+nXba6wRKxX0ih4iFSDrCfwevR4Q3ld4y7dL2eAztOfhUl/ZgGFA4mS+1W/zs9KQM1Fjo9genJggtFL9HG5jKKDIJ0iNdCfBRFacRXoioO+mvhfMHIz9tTVmu3wXf95vmwQU+BZRcTlRmG62IY8MpeSNGygsiy6DRF3OCB2huEvzbUGaIS08G3/bYDE6O29vnrsrQyPe/y29flRCy5Btdu3koJuMa2iHsrAnznx9hiFMGVwDVmyBSvQbjqHR4Gn8Lw5txMgcUot6dvqVf6zViF9RPlSyVfH39S9MnWYIBocB8jkzkbTTqceLwlzzsFTMi1V/KC4N1sLNwES4FjNVfRw7zVF3ILTeZJ2d0Adm5Ge82XfPCNGisQJ/7f4F2rs4zYJjcHwGWWtxgkP7qxZIjcyXiKtZgXM4hoIME6RJnPBaDYMRmBCzAqHYc21aeiAanbv0O4o=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:SA1PR09MB8142.namprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(39850400004)(396003)(136003)(366004)(52536014)(66574015)(6506007)(316002)(33656002)(86362001)(2906002)(7696005)(26005)(83380400001)(66946007)(53546011)(54906003)(6916009)(122000001)(186003)(4326008)(8936002)(8676002)(5660300002)(9686003)(91956017)(64756008)(76116006)(66556008)(66446008)(71200400001)(38100700002)(478600001)(38070700005)(55016002)(966005)(66476007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?bEpOYyszR1NXVDhFQzNISmhYemhpdG1CKzNrR2c5UVlaNEtqL2xRSURqUlVT?= =?utf-8?B?VmVEUStFaDExRUMrV3VCbWtDSDJaakgxbkZSSHhwdnFjVmNNZ3MxOEM2Z0x3?= =?utf-8?B?QnRLU2xCb3VuS3BiL2tIVXh3eVlnVjlmZlh3T1FuRG5pekhsNlcrMUhZSjdv?= =?utf-8?B?a01nKzNyNllHUy9heGxzMzF0dDhaNW94VHBpdHhWK0l2SytoNEpDb3lQMUJu?= =?utf-8?B?TFlnWEsyczJaS2ZxSUhCVkNtUjBlYjlWR3l3YS9IY2RPOE13alFvcFp3VkZW?= =?utf-8?B?NXcvTHBMRVlUVU1MbG5FVUxzV0VKZmFCOVBjTWViVlZRMHhBMlZjWUVKd3B5?= =?utf-8?B?L2c3alVBK25KcFNPZ1g3ZHhQYzZ1ODNtTmFvYS8wdmpObStvYkpDeko3d0xU?= =?utf-8?B?UE1QK3lLWUswL0tURHlBVitHRnNLTDkwZU9zMUFwR0RDQnhzbXFkb3kzVTJu?= =?utf-8?B?ZWV3WjFaMGR6VWhTQWtmZGlORi9mZjhQK1BQaWgzSjJHdno4TCtoTElUMU04?= =?utf-8?B?eDZ1N1Z6NVZNK0RZTDVxTDZoSUhIWC9FYVZyWjhaTlM2SWUzWEwyd0J3VFhw?= =?utf-8?B?TGJxUkZYc2xCYzd6SlRxVlVETEpqYWd2UHZCeDlKVXJwQWZFZW9XNGZubS9U?= =?utf-8?B?b1d4VWFXRlJNcHRBZUJteWhXWkk4VGhJa2FKRTBDQWZXQ3R5a2tYVHFJN3Mw?= =?utf-8?B?RE1TTDFrc1hFWTFWQUI2SE1WcGVpSUFyZ2NYcXJCeVZXbk9oNGpHTTNYZmV0?= =?utf-8?B?K0c0MDhjVmxXbVpaRWkxc3V2UUNabzc2NmFJSWRwK3FvdlZWL25GOTNmN0tq?= =?utf-8?B?ZFRlLzc4VElrOXFicVJyRlZLSExvTjVEUjJWNWp0aUJhM3g4aVpsMWlZL2VV?= =?utf-8?B?VDcwaG4yK0tvRjlnMFNqNFR2SndKN25BYXhkQll3N1lscjJUMXlNNGx3L1Fq?= =?utf-8?B?MGkxTFB3OW9ZdzB4bWpIcnVEMENsVDZzTkJhK0dGUXhHbWpUdDlVTVVHbVp1?= =?utf-8?B?TjJEeU1STUlzc2FOc0VsRWozc3Zadm52L1Z3dklOcXIrMHpicFpwbGViMkpX?= =?utf-8?B?OXpNWTVsS3pJU3d1N0hXc0NEMldvd256OEZFc3AxWWVZa2kybWUzNFRCVGFv?= =?utf-8?B?bkZUM3NpSGhhM3IyT1lPSEpUUGEreERMSWdYY2puYk1kMjZjeU5EYU9hRmt0?= =?utf-8?B?WEJHZFo0NlJZLzI4NEFWNEtXaUtmSE05a1JaSWhUWFJKQ1RaVm1BeXR0NnN2?= =?utf-8?B?cG5vaVdNRzRvTlRDT04rQ256YldjSFM5OEtXdDc0MVRxWXZjT0sxRVNGNXQ2?= =?utf-8?B?V3B1QjJ2b3cvMDZQSWl4Q21ScGlqaXVoZVBwNG5UaXppRXltUi90dTZpY2dJ?= =?utf-8?B?OWhtcWg3ZDFIbzVyb0V1UnhCcGc1RjdrK1kyZW9DNXFTMmU5d3lLMGo0amxD?= =?utf-8?B?N0pvMFVFZ0ZSWm5WZDZ4bzFTL3JhZ1FKcDZ2eDJ1TXJDYWtZL3U0M3JHejlE?= =?utf-8?B?TXRIZUFQZFNqakVta09LcjJvZVBWbjlSOEV0RCs2bkxVN3o0TXdCeldVZGVo?= =?utf-8?B?RnpGQWtBWThKV01UVGd0ZTZBQms3Rjl4bjdRRU5hSVNaWUpzTWMxSmliMmlH?= =?utf-8?B?ejljK2xTL3ZGUzZKSndHM2JYNWFMeXZRb1RkM0NTVWlibkJyNVhiV0dPSkt3?= =?utf-8?B?TmlaSUZ0cWpYaFl2M2RjNTUwZTlaUzJwTlBobUsyS0g1blZDT0I2MTdxeVdo?= =?utf-8?Q?0ORECSYpWN5yYgeBeg=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA1PR09MB8142.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2cfb6321-62e1-4695-e3b9-08d95b58121d
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2021 17:06:46.7798 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SA0PR09MB6634
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/yAdB9RFm7zJQ9cj5jcAEB9X2PCk>
Subject: Re: [Idr] some questions from {RC, LC, EC} analysis presentation in GROW
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Aug 2021 17:07:03 -0000

I have heard back from Lumen/Level3 and they have confirmed the following: 

remarks:        prefix type communities
remarks:        --------------------------------------------------------
remarks:        3356:123 - Customer route
remarks:        3356:666 - Peer route

They also stated, “The 123 and 666 communities are announced to our customers intentionally.”

I think the above info is good from the point of view of our measurements. We no longer treat 3356:666 as a Blackhole community. So, we separate them from other ASN:666. We look at the propagation of 3356:666 and 3356:123. Both are meant to start at AS 3356 and are expected to propagate down the customer cone (according to the info from Lumen/Level3 above). We do observe very substantial numbers of 3356:666 and 3356:123:

RIB data (RouteViews3, 2021-07-15.0000):
Total # Unique {Prefix, RC = 3356:666} ; 509900
Total # Unique {Prefix, RC = 3356:123} ; 399567
Total # Unique {Prefix, RC = 3356:9999} ; 28

This is somewhat along the lines of what Jeff was also requesting: measure the propagation against known applications. So, there are about 510K Unique {Prefix, RC = 3356:666} and 400K Unique {Prefix, RC = 3356:123}. They are observed propagating multiple hops starting from AS 3356 (we’ll update the slides with this distribution). Hopefully, much of this propagation is down the customer cone as expected. We don't know if some of them are route leaks, but we can try to check that as part of further investigation.

Any further thoughts/comments?

Sriram   
------------------------------------------

________________________________________
From: Sriram, Kotikalapudi (Fed) <kotikalapudi.sriram@nist.gov>
Sent: Wednesday, August 4, 2021 12:58 PM
To: Zhuangshunwan; Sriram, Kotikalapudi (Fed); GROW WG
Cc: IDR
Subject: Re: some questions from {RC, LC, EC} analysis presentation in GROW

Hi Shunwan,

Yes, that is a curious thing ... it seems peculiar and specific to AS 3356.
I have started a discussion on NANOG about 3356:666, 3356:9999, etc.
Please take a look:
https://mailman.nanog.org/pipermail/nanog/2021-August/thread.html#214447 

Only AS 3356 may be an outlier. Most other AS operators use ASN:666 or WKC 65535:666 for Blackhole Community:
https://www.google.com/search?q=BGP+community+%3A666&rlz=1C1GCEV_enUS847US847&oq=BGP+community+%3A666&aqs=chrome..69i57j69i64.9798j1j15&sourceid=chrome&ie=UTF-8&safe=active&ssui=on 

Also, we'll check -- on slide 12 of my GROW presentation -- out of the roughly 265K count of unique {Prefix, AS Path, RC = Any:666}, how many are with 3356:666. I will let you know.

Sriram

________________________________________
From: GROW <grow-bounces@ietf.org> on behalf of Zhuangshunwan <zhuangshunwan@huawei.com>
Sent: Tuesday, August 3, 2021 10:37 PM
To: Sriram, Kotikalapudi (Fed); GROW WG
Cc: IDR
Subject: Re: [GROW] some questions from {RC, LC, EC} analysis presentation in GROW

Hi Sriram,

The community attribute example 3356:666 on page 10 may not match the actual function.
"
Example: AS path = 25160 3356 12956 6147 and RC = 3356:666
 This means that the client is at AS 6147 (origin AS) and AS 3356 is the RTBH provider
 AS Distance to RTBH provider = 2
 Propagation (#hops): The Blackhole Community propagated 3 hops in this case (AS 6147 to AS 25160)
"

According to https://onestep.net/communities/as3356/
...
--------------------------------------------------------
prefix type communities
--------------------------------------------------------
3356:123 - Customer route
3356:666 - Peer route
--------------------------------------------------------
...
--------------------------------------------------------
customer traffic engineering communities - Blackhole
--------------------------------------------------------
3356:9999 - blackhole (discard) traffic

Traffic destined for any prefixes tagged with this
community will be discarded at ingress to the Level 3
network. The prefix must be one permitted by the
customer's existing ingress BGP filter.
For some router vendors the peering
must be changed to an eBGP multihop session on the Level
3 side of the connection.
...

Regards,
Shunwan