Hurricane Electric Route Filtering Algorithm

The following is from http://routing.he.net/algorithm.html . This outlines the criteria HE.NET uses for filtering routes from peers and customers.

This is the route filtering algorithm for customers and peers that have explicit filtering:

1. Attempt to find an as-set to use for this network.
1.1 Inspect the aut-num for this ASN to see if we can extract from their IRR policy for what they would announce to Hurricane by finding export or mp-export to AS6939, ANY, or AS-ANY.
1.2 Also see if they set what looks like a valid IRR as-set name in peeringdb.

2. Collect the received routes for all BGP sessions with this ASN. This details both accepted and filtered routes.

3. For each route, perform the following rejection tests:
3.1 Reject default routes 0.0.0.0/0 and ::/0.
3.2 Reject paths using BGP AS_SET notation (i.e. {1} or {1 2}, etc). See draft-ietf-idr-deprecate-as-set-confed-set.
3.3 Reject prefix lengths less than minimum and greater than maximum. For IPv4 this is 8 and 24. For IPv6 this is 16 and 48.
3.4 Reject bogons (RFC1918, documentation prefix, etc).
3.5 Reject exchange prefixes for all exchanges Hurricane Electric is connected to.
3.6 Reject routes that have RPKI status INVALID_ASN or INVALID_LENGTH based on the origin AS and prefix.

4. For each route, perform the following acceptance tests:
4.1 If the origin is the neighbor AS, accept routes that have RPKI status VALID based on the origin AS and prefix.
4.2 If the prefix is an announced downstream route that is a subnet of an accepted originated prefix that was accepted due to either RPKI or an RIR handle match, accept the prefix.
4.3 If RIR handles match for the prefix and the peer AS, accept the prefix.
4.4 If this prefix exactly matches a prefix allowed by the IRR policy of this peer, accept the prefix.
4.5 If the first AS in the path matches the peer and path is two hops long and the origin AS is in the expanded as-set for the peer AS and either the RPKI status is VALID or there is an RIR handle match for the origin AS and the prefix, accept the prefix.

5. Reject all prefixes not explicitly accepted
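The rejection tests in step 3 can be written as an ordered filter over received routes. The Python below is an added example, not Hurricane Electric's code. Assumptions: the bogon list is partial, the exchange prefix and sample routes are constructed, a bogon is taken to be any prefix inside a listed range, and `None` stands for a route with no RPKI result.

```python
import ipaddress

# Step 3.3 bounds as (minimum, maximum) prefix length per IP version.
LEN_BOUNDS = {4: (8, 24), 6: (16, 48)}
# Partial bogon list for illustration: RFC 1918 and documentation prefixes.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
# Constructed placeholder for the exchange LAN prefixes of step 3.5.
IX_PREFIXES = [ipaddress.ip_network("198.18.0.0/24")]


def _within(net, nets):
    """True if net equals or is a subnet of any same-family entry in nets."""
    return any(n.version == net.version and net.subnet_of(n) for n in nets)


def rejection_reason(prefix, as_path, rpki_status):
    """Return the step 3 test that rejects the route, or None if it passes."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen == 0:
        return "3.1 default route"
    if "{" in as_path:                      # AS_SET segments print as {1 2}
        return "3.2 AS_SET in path"
    lo, hi = LEN_BOUNDS[net.version]
    if not lo <= net.prefixlen <= hi:
        return "3.3 prefix length"
    if _within(net, BOGONS):
        return "3.4 bogon"
    if _within(net, IX_PREFIXES):
        return "3.5 exchange prefix"
    if rpki_status in ("INVALID_ASN", "INVALID_LENGTH"):
        return "3.6 RPKI " + rpki_status
    return None  # survives step 3; still needs an acceptance test from step 4


def filter_routes(routes):
    """Map each (prefix, as_path, rpki_status) to (prefix, rejection reason)."""
    return [(p, rejection_reason(p, path, rpki)) for p, path, rpki in routes]


# Constructed sample routes; AS numbers are from the documentation range.
SAMPLE = [("::/0", "64500", None),
          ("198.51.100.0/24", "64500 {64501 64502}", None),
          ("192.0.2.0/25", "64500", None),
          ("2001:db8:1::/48", "64500", None),
          ("8.8.8.0/24", "64500", "INVALID_LENGTH"),
          ("8.8.8.0/24", "64500", "VALID")]

if __name__ == "__main__":
    for prefix, reason in filter_routes(SAMPLE):
        print(prefix, "->", reason or "passes step 3")
```

A route that returns `None` here is not yet accepted: under step 5 it is still rejected unless one of the step 4 tests explicitly accepts it.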

9 Life Hacks for all of us

A little bit of deviation from techie stuff. For those of you looking to make life better, here are some “hacks” I totally agree with. What are your life hacks? What are some things you do which are related to your tech field?

https://medium.com/the-ascent/the-9-best-life-hacks-to-become-unstoppable-87b9587992ac

Life-hacking is ridiculously fun when you see what it can do for you.

I was never much of an ‘experimenter’ — more of a go with the flow kind of guy. This strategy didn’t work for me. I fell in love with money and alcohol and that led to a larger than life mental illness. The mind can ruin you if you let it. But the mind can do even more good for you.

All of that has changed. I’m now a life-hacker and get off on experiments. These tiny little experiments have helped me have an unconventional career, write thousands of blog posts on the internet, meet some extraordinary people, and earn enough passive income to be comfortable.

People often call me unstoppable. They see my work ethic as crazy. It’s not really. What looks crazy is nothing more than the positive effects of these life hacks that other people taught me. Here are the best life hacks you can steal.


Don’t try this at home kids. Automated BGP Optimization

https://radar.qrator.net/blog/as10990-routing-optimization-tale
Conclusion? Do not try to optimize the routes with automated software – BGP is a distance-vector routing protocol that has proved, throughout the years, its ability to handle the traffic. Software, wanting to “optimize” the system involving thousands of members would never be smart enough to compute all the possible outcomes of such manipulation.

New Undersea Cable – Grace Hopper

https://cloud.google.com/blog/products/infrastructure/announcing-googles-grace-hopper-subsea-cable-system

…We’re excited to announce a new subsea cable—Grace Hopper—which will run between the United States, the United Kingdom and Spain, providing better resilience for the network that underpins Google’s consumer and enterprise products.


Preseem and Switches in switch centric design

Anyone who follows me knows I am a big fan of switch centric designs. This usually involves a router on a stick paired with a high port count switch. Recently I had a client that installed a Preseem appliance in their network.

Equipment used in this setup
-Dell R710 with a 4 Port SFP+ card running Preseem
-Cisco 3064-X 48 Port switch
-Maxxwave Vengeance router with dual QSFP+ card and 4 Port SFP+ card

A visio diagram of how this looks

We have two transport links coming into the switch on the left. These are dumped into VLANs 506 and 507. We then come out of the switch into the Preseem box via 2 SFP+ ports, one for each VLAN. In this case, we just used DAC cables. In the future, we can turn these into trunk ports to pass more VLANs through.

The data then leaves the Preseem box over dual SFP fibers directly into the router’s SFP+ ports. If the Preseem appliance fails we have a secondary OSPF/IBGP path from the router’s 40 GIG QSFP down to the switch. This is a bypass in case the Preseem appliance hardware fails.

If you start flowing more than 10 Gigs through a single link you can upgrade to more SFP+ ports into your appliance and a 40 Gig QSFP+ card. You then link the appliance to the spare QSFP port on your router.

Patreon Posts

Thank you to all of you who have become Patreon members!!! I appreciate it. I have started going back through all of my Patreon posts and tagging them with “patreon” so you can easily look at content you have access to. Sometimes this content is just a visio diagram or a photo. My goal is to give you enough content to keep you coming back.