  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,047

    BGP blunder takes Australia offline

    The outage, which lasted approximately 35 minutes this afternoon, impacted an international link used by major service providers Telstra, Optus and iiNet for ADSL, cable and 3G data services.

    Industry sources said the network issue came as a result of Dodo mistakenly issuing new IP route addresses from its system that confused Telstra's systems and caused blackouts on the AS1221 upstream router.

    A memo purportedly from Optus, and posted to Whirlpool, indicated Dodo had "decided to advertise all the global routes it knows to Telstra and for some unknown reason Telstra then accepted these as 'best path' which in effect meant ALL traffic originating from the Telstra network would try and route traffic via Dodo".


    Widespread effect

    A post on the Whirlpool forums of a partial notification by wholesale service provider Vocus appeared to point to a routing problem.

    "Vocus network operations staff have been made aware of a routing incident that has had significant impact on some domestic networks," the post read.

    "This incident has impacted most of the Telstra domestic peering points and caused a large amount of route churn and some sub-optimal routing.

    "Engineers from the affected network are working to restore traffic back to its original paths but this may take some time."

    Other network operators and ISPs reported downstream issues that appeared to point back to the issue at a specific Telstra router.

    AusWeb said the outage was "causing major routing table changes throughout the network."

    The outage affected the websites of banks including Westpac. "There is a @Telstra issue affecting westpac.com.au & other sites," the bank tweeted.
    Telstra router causes major internet outage - Telco/ISP - Technology - News - iTnews.com.au
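
    The kind of ingress filtering that stops a customer session from injecting a leaked table, as an added example (not from the article or from any operator named in it): a per-customer allow-list plus a max-prefix tripwire. The function name, the limits and the sample prefixes are assumptions; the sample data is constructed from documentation address ranges and is IPv4 only.

```python
import ipaddress

MAX_V4_LEN = 24  # assumed policy: nothing more specific than a /24


def filter_customer_session(received, allowed, max_prefixes):
    """Ingress policy for one customer BGP session (hypothetical helper).

    received     -- prefixes announced by the customer
    allowed      -- prefixes registered for that customer
    max_prefixes -- tripwire; above this the session is shut down
    Returns (accepted, rejected, session_up).
    """
    if len(received) > max_prefixes:
        # A customer sending far more routes than registered is leaking a
        # table: accept nothing and drop the session.
        return [], list(received), False

    allowed_nets = [ipaddress.ip_network(p) for p in allowed]
    accepted, rejected = [], []
    for prefix in received:
        net = ipaddress.ip_network(prefix)
        in_list = any(net.version == a.version and net.subnet_of(a)
                      for a in allowed_nets)
        if in_list and net.prefixlen <= MAX_V4_LEN:
            accepted.append(prefix)
        else:
            rejected.append(prefix)  # default route, foreign prefix, too specific
    return accepted, rejected, True


# Constructed sample data (documentation prefixes, not from the incident).
CUSTOMER_ALLOWED = ["192.0.2.0/24", "198.51.100.0/24"]
SMALL_LEAK = ["192.0.2.0/24", "198.51.100.0/24", "0.0.0.0/0", "203.0.113.0/24"]
FULL_TABLE_LEAK = CUSTOMER_ALLOWED + [f"10.{i}.0.0/16" for i in range(200)]

if __name__ == "__main__":
    print(filter_customer_session(SMALL_LEAK, CUSTOMER_ALLOWED, 10))
    print(filter_customer_session(FULL_TABLE_LEAK, CUSTOMER_ALLOWED, 10)[2])
```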

  2. #2
    Super Moderator
    Join Date
    Sep 2010
    Location
    Searching...
    Posts
    4,106
    Wow, 35 minutes with everything offline??
    Follow us on Twitter: @wht_brasil

  3. #3
    Moderator
    Join Date
    Oct 2010
    Location
    Rio de Janeiro
    Posts
    2,679
    35 must have been the "noticeable" part; it must have been much longer.

    See, they put 14-year-old kids in charge of managing BGP... And this is what you get, accepting a default route from a peer... :-P
    It would be worse if they accepted Dodo's full table and it was on a Cisco 6500 with a SUP2; it would blow out the RAM and crash the router :-)

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,047
    The damage must have varied quite a bit, depending on the networks involved. From Japan, I lost contact twice with a server at Global Switch (Sydney), for 6 and 8 minutes respectively, but word is going around that latencies exploded on the local routes, which made the confusion even worse.

  5. #5
    Moderator
    Join Date
    Oct 2010
    Location
    Rio de Janeiro
    Posts
    2,679
    One more point for RPKI and DNSSEC in the battle...

  6. #6
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,047
    The amount of members requesting a Resource Certificate is steadily climbing, soon reaching 900. What is even more impressive is the amount of routing information these LIRs have entered in the system by creating Route Origin Authorisations (ROAs). But what is the quality of the data and is it used by anyone?

    On the 3 February I saw this tweet by Andree Toonk:

    "80.227.96.0/24 (Emirates Telecom) just got hijacked by AS6503. It's covered by ROA 80.227.96.0/19 AS15802 perhaps some day it helps..."

    and today a routing error caused 3 Million Telstra customers to go offline because the ISP does not employ appropriate BGP filtering. The first case is particularly interesting to me because as the tweet says, Emirates Telecom (DU) actually has ROAs for their route announcements, causing the hijack to be flagged as an unauthorised announcement. Yet that did not make any practical difference.

    It relates to a question that I get asked more and more frequently:

    "It's great that more than 10% of the RIPE NCC membership has a Resource Certificate and created ROAs for more than 10% of the total RIPE NCC address space, but how many people are actually using this data for making BGP Routing decisions?"

    My answer to that is: "In production, virtually nobody." Even though the RIPE NCC RPKI Validator toolset that has been developed to help make BGP routing decisions, has been downloaded hundreds of times and gets great feedback, operators first need to be convinced that the RPKI data set is accurate and reliable before using it in production.

    The good news is that the 1,803 ROAs in the global RPKI system create 4,937 valid, authorised route announcements. Unfortunately these same ROAs also make 3,266 announcements look like hijacks.

    It is safe to say that overall data quality is pretty bad, which is mostly caused by a poor understanding of how ROAs affect route announcements (more on that here and here). If operators would start relying on the RPKI data set and give the invalid announcements a lower pref (or even drop them) then operators who created the bad ROAs would be pressured to fix their mistakes. But who would start using a data set with this quality in the first place?
    Full article: Resource certification: RPKI in the real world
    Last edited by 5ms; 25-02-2012 at 09:46.
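
    How a ROA turns an announcement into valid, invalid or not-found, and how one ROA can make the holder's own more-specific routes look like hijacks, as an added example (not code from the quoted article or from the RIPE NCC validator). The procedure is route origin validation as specified in RFC 6811. The tweet gives no maxLength for the ROA, so it is assumed equal to the prefix length; the IPv6 entry, the private-use AS numbers and the local-pref values are constructed.

```python
import ipaddress

# (prefix, maxLength, authorised origin AS)
ROAS = [
    # From the quoted tweet; maxLength 19 is an assumption (not stated there).
    ("80.227.96.0/19", 19, 15802),
    # Constructed: holder registers only the aggregate of a documentation prefix.
    ("2001:db8::/32", 32, 64500),
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one BGP announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # A match needs the right origin AND a length within maxLength.
        if origin_as == roa_as and route.prefixlen <= max_length:
            return "valid"
    # Covered by some ROA but matched by none: flagged like a hijack.
    return "invalid" if covered else "not-found"


def local_pref(state, base=100, penalty=50, drop_invalid=False):
    """Policy options named in the article: lower pref for invalids, or drop (None)."""
    if state == "invalid":
        return None if drop_invalid else base - penalty
    return base


if __name__ == "__main__":
    for pfx, asn in [("80.227.96.0/24", 6503),    # the hijack in the tweet
                     ("80.227.96.0/19", 15802),   # the holder's aggregate
                     ("80.227.96.0/24", 15802),   # holder's own more-specific
                     ("2001:db8:1::/48", 64500),  # constructed, same mistake
                     ("203.0.113.0/24", 64501)]:  # constructed, no ROA
        state = validate_origin(pfx, asn)
        print(pfx, asn, state, local_pref(state))
```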
