nanog mailing list archives

Can Interdomain routing[BGP] self recover from prefix hijack?


From: Akmal Shahbaz <akmal_shahbaz () yahoo com>
Date: Mon, 11 May 2009 20:40:18 -0700 (PDT)

Hi

Solutions like BGPmon.net, Cyclops, etc. are doing a very good job of alerting about the prefix hijacks/configuration errors/experiments going on/etc. But I would like to ask: "Alerting the victim is the best we can do after detecting such incidents", or what else can we do? What do you think about "BGP's ability to self-recover from prefix hijacks or anomalies"?
Is it possible? How? What do you think about "Self healing as a property of the Internet"? Thank you.

Akmal Khan
MS-PhD Student
MMLab () SNU Kr
--- On Tue, 5/12/09, nanog-request () nanog org <nanog-request () nanog org> wrote:

From: nanog-request () nanog org <nanog-request () nanog org>
Subject: NANOG Digest, Vol 16, Issue 43
To: nanog () nanog org
Date: Tuesday, May 12, 2009, 1:04 AM

Send NANOG mailing list submissions to
    nanog () nanog org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
    nanog-request () nanog org

You can reach the person managing the list at
    nanog-owner () nanog org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of NANOG digest..."


Today's Topics:

   1. Re: two interfaces one subnet (David Devereaux-Weber)
   2. Re: two interfaces one subnet (Nathan Ward)
   3. Re: two interfaces one subnet (Arnold Nipper)
   4. Re: two interfaces one subnet (Patrick W. Gilmore)
   5. Re: two interfaces one subnet (Patrick W. Gilmore)
   6. RE: two interfaces one subnet (Holmes,David A)
   7. Re: two interfaces one subnet (Arnold Nipper)
   8. Re: two interfaces one subnet (Patrick W. Gilmore)
   9. Re: two interfaces one subnet (Chris Adams)
  10. Re: two interfaces one subnet  (Kevin Oberman)
  11. Re: two interfaces one subnet (Ben Scott)


----------------------------------------------------------------------

Message: 1
Date: Mon, 11 May 2009 17:08:45 -0500
From: David Devereaux-Weber <ddevereauxweber () gmail com>
Subject: Re: two interfaces one subnet
To: Hector Herrera <hectorherrera () gmail com>
Cc: nanog () nanog org
Message-ID:
    <f2675b350905111508t11d097afrb68ecb09d3798025 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

In my case, each Ethernet interface has its own unique MAC address.

Dave

On Mon, May 11, 2009 at 4:28 PM, Hector Herrera <hectorherrera () gmail com> wrote:

> On Mon, May 11, 2009 at 2:22 PM, David Devereaux-Weber
> <ddevereauxweber () gmail com> wrote:
> > Chris,
> >
> > I work with iHDTV <http://ihdtv.org>, a project that sends uncompressed
> > high definition television (1.5 Gbps) as UDP over two 1 Gbps interfaces.
> > If both interfaces are on the same subnet, the OS sees the same router
> > (gateway) address on both interfaces, and the results are sub-optimal
> > ... around 50% packet loss.
>
> Packet loss is probably due to the network switch having to re-learn
> the location of the MAC address constantly as it sees packets on two
> or more ports with the same MAC address (think STP loops).
>
> If your network stack and network device (switch) support LACP, then
> you can have multiple connections between a host and a network device.
> That is a very easy way to increase capacity and add redundancy.
>
> That is how all of our VMWare ESX 3.5i servers are connected.
>
> Hector



------------------------------

Message: 2
Date: Tue, 12 May 2009 10:08:49 +1200
From: Nathan Ward <nanog () daork net>
Subject: Re: two interfaces one subnet
To: nanog list <nanog () nanog org>
Message-ID: <24F5463D-C5B0-46BD-AB6A-1C376BE742EF () daork net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On 12/05/2009, at 9:00 AM, Charles Wyble wrote:

> What does two interfaces in one subnet mean?
>
> Two NICs? Or virtual interfaces?

Also, what does one subnet mean?

A. Using the same IP prefix on two different networks (i.e. ethernet
broadcast domains) with an interface into each, or B. running two
interfaces into the same network (i.e. ethernet broadcast domain).

In the case of A, are you re-using numbers on each side?
In the case of B, are you wanting both interfaces to have the same
number(s)?

--
Nathan Ward




------------------------------

Message: 3
Date: Tue, 12 May 2009 00:13:19 +0200
From: Arnold Nipper <arnold () nipper de>
Subject: Re: two interfaces one subnet
To: "Patrick W. Gilmore" <patrick () ianai net>
Cc: NANOG list <nanog () nanog org>
Message-ID: <4A08A2FF.4040306 () nipper de>
Content-Type: text/plain; charset="iso-8859-1"

On 11.05.2009 23:47 Patrick W. Gilmore wrote

> On May 11, 2009, at 5:19 PM, Alex H. Ryu wrote:
>
> > It may be allowed from host-level, but from router equipment, I don't
> > think it was allowed at all.
>
> Ever used HSRP / VRRP?  Two interfaces in the same subnet.  Works
> fine.  In fact, most people think it works _better_ than one interface
> in the same subnet.

I guess you are mixing interfaces with IPs now. Don't you?



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold () nipper de       phone: +49 6224 9259 299
mobile: +49 172 2650958         fax: +49 6224 9259 333


------------------------------

Message: 4
Date: Mon, 11 May 2009 18:16:22 -0400
From: "Patrick W. Gilmore" <patrick () ianai net>
Subject: Re: two interfaces one subnet
To: North American Network Operators Group <nanog () nanog org>
Message-ID: <1AE0407D-4A99-41B9-820D-11EF2A27A739 () ianai net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On May 11, 2009, at 5:59 PM, Chris Meidinger wrote:

> Just to restate here, for people who have been responding both
> publicly and privately:
>
> I know that *I* can make it work, and I know that *you* can make it
> work. But I also know that it's not likely to stay working.
>
> One day, down the road, something will break. Then, my poor support
> team will spend days trying to diagnose the problem.

Could you show me a network configuration that does not qualify for
that last sentence?

Or for that matter, _anything_ related to ... well, anything?

-- 
TTFN,
patrick




------------------------------

Message: 5
Date: Mon, 11 May 2009 18:25:02 -0400
From: "Patrick W. Gilmore" <patrick () ianai net>
Subject: Re: two interfaces one subnet
To: NANOG list <nanog () nanog org>
Message-ID: <D4566287-AA45-450E-BA7F-A7626C971A3F () ianai net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On May 11, 2009, at 6:13 PM, Arnold Nipper wrote:

> On 11.05.2009 23:47 Patrick W. Gilmore wrote
>
> > On May 11, 2009, at 5:19 PM, Alex H. Ryu wrote:
> >
> > > It may be allowed from host-level, but from router equipment, I don't
> > > think it was allowed at all.
> >
> > Ever used HSRP / VRRP?  Two interfaces in the same subnet.  Works
> > fine.  In fact, most people think it works _better_ than one interface
> > in the same subnet.
>
> I guess you are mixing interfaces with IPs now. Don't you?

Each interface has its own IP address.  The two Interfaces _also_
share a virtual IP address.

IOW: No.  Are you?

-- 
TTFN,
patrick




------------------------------

Message: 6
Date: Mon, 11 May 2009 15:27:13 -0700
From: "Holmes,David A" <dholmes () mwdh2o com>
Subject: RE: two interfaces one subnet
To: "Chris Meidinger" <cmeidinger () sendmail com>
Cc: nanog () nanog org
Message-ID:
    <485ED9BA02629E4BBBA53AC892EDA50E08E2D64D () usmsxt104 mwd.h2o>
Content-Type: text/plain;    charset="us-ascii"

I think the idea of one interface per subnet originates in the early
RFCs, such as RFC 1009 "Requirements for Internet Gateways":

"Section 1.1.2 Networks and Gateways

... A gateway is connected to two or more networks, appearing to
         each of these networks as a connected host.  Thus, it has a
         physical interface and an IP address on each of the connected
         networks ... "

So by using singular terminology ( "a connected host", "a physical
interface", "an IP address") instead of plural, a single interface per
subnet for gateways (read routers) is implied.

This is not to say that it will not work, at least on servers. Standards
aside, a good reason why this is not a best practice is the concept of
asynchronous routing where a packet arrives on one interface, and the
reply leaves on the other interface with a different source IP on the
reply. Most firewalls will reject packets such as this.  

-----Original Message-----
From: Chris Meidinger [mailto:cmeidinger () sendmail com] 
Sent: Monday, May 11, 2009 1:29 PM
To: nanog () nanog org
Subject: two interfaces one subnet

Hi,

This is a pretty moronic question, but I've been searching RFC's on-and-off
for a couple of weeks and can't find an answer. So I'm hoping someone here
will know it offhand.

I've been looking through RFC's trying to find a clear statement that
having two interfaces in the same subnet does not work, but can't find
that statement anywhere.

The OS in this case is Linux. I know it can be done with clever  
routing and prioritization and such, but this has to do with vanilla  
config, just setting up two interfaces in one network.

I would be grateful for a pointer to such an RFC statement, assuming  
it exists.

Thanks!

Chris




------------------------------

Message: 7
Date: Tue, 12 May 2009 00:35:20 +0200
From: Arnold Nipper <arnold () nipper de>
Subject: Re: two interfaces one subnet
To: NANOG list <nanog () nanog org>
Message-ID: <4A08A828.4040104 () nipper de>
Content-Type: text/plain; charset="iso-8859-1"

On 12.05.2009 00:25 Patrick W. Gilmore wrote

> On May 11, 2009, at 6:13 PM, Arnold Nipper wrote:
>
> > On 11.05.2009 23:47 Patrick W. Gilmore wrote
> >
> > > On May 11, 2009, at 5:19 PM, Alex H. Ryu wrote:
> > >
> > > > It may be allowed from host-level, but from router equipment, I don't
> > > > think it was allowed at all.
> > >
> > > Ever used HSRP / VRRP?  Two interfaces in the same subnet.  Works
> > > fine.  In fact, most people think it works _better_ than one interface
> > > in the same subnet.
> >
> > I guess you are mixing interfaces with IPs now. Don't you?
>
> Each interface has its own IP address.  The two Interfaces _also_
> share a virtual IP address.
>
> IOW: No.  Are you?

But still each device only has _one_ interface in the same subnet.
Though with two IP addresses sometimes.



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold () nipper de       phone: +49 6224 9259 299
mobile: +49 172 2650958         fax: +49 6224 9259 333


------------------------------

Message: 8
Date: Mon, 11 May 2009 18:37:42 -0400
From: "Patrick W. Gilmore" <patrick () ianai net>
Subject: Re: two interfaces one subnet
To: Arnold Nipper <arnold () nipper de>
Cc: NANOG list <nanog () nanog org>
Message-ID: <F4DB2CCA-8B27-4A68-A7D3-49B7F5DB0008 () ianai net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On May 11, 2009, at 6:35 PM, Arnold Nipper wrote:

> On 12.05.2009 00:25 Patrick W. Gilmore wrote
>
> > On May 11, 2009, at 6:13 PM, Arnold Nipper wrote:
> >
> > > On 11.05.2009 23:47 Patrick W. Gilmore wrote
> > >
> > > > On May 11, 2009, at 5:19 PM, Alex H. Ryu wrote:
> > > >
> > > > > It may be allowed from host-level, but from router equipment, I don't
> > > > > think it was allowed at all.
> > > >
> > > > Ever used HSRP / VRRP?  Two interfaces in the same subnet.  Works
> > > > fine.  In fact, most people think it works _better_ than one interface
> > > > in the same subnet.
> > >
> > > I guess you are mixing interfaces with IPs now. Don't you?
> >
> > Each interface has its own IP address.  The two Interfaces _also_
> > share a virtual IP address.
> >
> > IOW: No.  Are you?
>
> But still each device only has _one_ interface in the same subnet.
> Though with two IP addresses sometimes.

Of course, I was thinking about using it on the same router.  But I
guess that doesn't work so well, does it? :)

-- 
TTFN,
patrick




------------------------------

Message: 9
Date: Mon, 11 May 2009 18:29:08 -0500
From: Chris Adams <cmadams () hiwaay net>
Subject: Re: two interfaces one subnet
To: nanog () nanog org
Message-ID: <20090511232908.GB622256 () hiwaay net>
Content-Type: text/plain; charset=us-ascii

Once upon a time, Kevin Oberman <oberman () es net> said:

> > From: Chris Meidinger <cmeidinger () sendmail com>
> > For example, eth0 is 10.0.0.1/24 and eth1 is 10.0.0.2/24, nothing like
> > bonding going on. The customers usually have the idea of running one
> > interface for administration and another for production (which is a
> > _good_ idea) but they want to do it in the same subnet (not such a
> > good idea...)
>
> This will not work right. One interface can be 10.0.0.1/24, but any
> added interfaces would need to be /32 (10.0.0.2/32).

I don't know which OS(es) you are using, but that's not true in Linux.
I see this all the time at home; if I plug my notebook into the wired
LAN and still have the wireless enabled, both will get an IP (in the
same subnet) from DHCP.  The wired link is the preferred default route
by default, but you can easily set up routes for some networks via the
wireless link.

You can also set up multipath routing to send packets out both links.  I
think you can also use IP policy routing to control the choice of
outbound interface by rule (e.g. based on source address).

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



------------------------------

Message: 10
Date: Mon, 11 May 2009 16:47:50 -0700
From: "Kevin Oberman" <oberman () es net>
Subject: Re: two interfaces one subnet 
To: Chris Adams <cmadams () hiwaay net>
Cc: nanog () nanog org
Message-ID: <20090511234750.2804A1CC0B () ptavv es net>

> Date: Mon, 11 May 2009 18:29:08 -0500
> From: Chris Adams <cmadams () hiwaay net>
>
> Once upon a time, Kevin Oberman <oberman () es net> said:
>
> > > From: Chris Meidinger <cmeidinger () sendmail com>
> > > For example, eth0 is 10.0.0.1/24 and eth1 is 10.0.0.2/24, nothing like
> > > bonding going on. The customers usually have the idea of running one
> > > interface for administration and another for production (which is a
> > > _good_ idea) but they want to do it in the same subnet (not such a
> > > good idea...)
> >
> > This will not work right. One interface can be 10.0.0.1/24, but any
> > added interfaces would need to be /32 (10.0.0.2/32).
>
> I don't know which OS(es) you are using, but that's not true in Linux.
> I see this all the time at home; if I plug my notebook into the wired
> LAN and still have the wireless enabled, both will get an IP (in the
> same subnet) from DHCP.  The wired link is the preferred default route
> by default, but you can easily set up routes for some networks via the
> wireless link.
>
> You can also set up multipath routing to send packets out both links.  I
> think you can also use IP policy routing to control the choice of
> outbound interface by rule (e.g. based on source address).

This is true if you are using the WPA supplicant. It does a bit of
magic. (You can do the magic by hand without the supplicant, but it is a
pain or was the last time I tried.)
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net            Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751



------------------------------

Message: 11
Date: Mon, 11 May 2009 20:04:27 -0400
From: Ben Scott <mailvortex () gmail com>
Subject: Re: two interfaces one subnet
To: NANOG list <nanog () nanog org>
Message-ID:
    <59f980d60905111704x8b5610u35d790668cf68022 () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, May 11, 2009 at 6:01 PM, Patrick W. Gilmore <patrick () ianai net> wrote:

> You are assuming facts not in evidence.

  I *have* actually done this before, so I'd like to think, for my own
purposes at least, my experiences are factual.  :)

> It doesn't matter which physical interface transmits the packet.

  Well, in the general sense, I suppose not.  The computer can put
whatever it wants in an Ethernet frame, and as long as it's valid for
the receiving system, it will work.

  But in the Linux IP stack, at least, and by default, the physical
interface used to send a datagram is determined by the route selected,
and that also determines the source IP address put on the datagram.
At the same time, the only thing which influences route selection is
the destination IP address.

  In particular, there's no concept of "session" or "connection" in
that.  So client X attempts to open a TCP connection to IP address B
on my example server.  When the server sends its SYN-ACK response, it
doesn't pay attention to the fact that the connection "came in on" B.
It just looks at destination X.  If it decides A is the best route,
then the SYN-ACK datagram will have source IP address A.  But X is
looking for a datagram from A.  The datagram from B will get to X, but
X will promptly drop it, as it's not expecting anything from B.

  Again, this is all by default.  If you configure policy routing
properly, many things can be made to work.

> Another example: Imagine a web server with two uplinks in _different_
> subnets running Quagga.

  That's a different scenario entirely.  Diverse routes work fine
because all the intermediate routers work the same way I describe
above: They don't care where the packet came from, they don't know
about "connections", they just forward packets to the destination.

  If the actual interface went down, you can bet that the HTTP request
in progress will be killed, because the TCP session is dependent on an
IP address that just evaporated.  :)

-- Ben



------------------------------

_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog

End of NANOG Digest, Vol 16, Issue 43
*************************************
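The "two interfaces one subnet" discussion in the digest quoted above turns on one mechanism: within a Linux routing table the destination alone picks the route, so a reply to a connection accepted on the second interface leaves via whichever interface the default route names (the asymmetric-reply case David Holmes describes), and only the policy-routing rule list (the `ip rule` "based on source address" approach Chris Adams mentions) can take the source into account. The following model of that lookup is an added example, not code from the original message, the digest or any of its authors. It uses the thread's 10.0.0.1/24 (eth0) and 10.0.0.2/24 (eth1); the client 198.51.100.10, the gateway 10.0.0.254 and routing table number 100 are assumed values, and it models only the egress interface and the route's source hint, not ARP or switch behaviour.

```python
"""Model of Linux route selection for a host with two interfaces in one subnet.

Constructed example: a routing table is walked by destination only (longest
prefix match); only the policy-routing rule list can look at the source
address. Addresses follow the thread (10.0.0.1/24 on eth0, 10.0.0.2/24 on
eth1); client 198.51.100.10, gateway 10.0.0.254 and table 100 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net           # destination prefix the route covers
    dev: str              # egress interface
    src: IPv4             # preferred source address (the `src` hint of `ip route`)
    via: Optional[IPv4]   # next-hop gateway; None when directly connected


@dataclass
class Rule:
    src: Optional[Net]    # `from` selector; None matches every lookup
    table: str            # table consulted when the rule matches


class Host:
    """Routing tables plus an ordered rule list, as in iproute2."""

    def __init__(self):
        self.tables = {"main": []}
        self.rules = [Rule(None, "main")]  # implicit catch-all rule, always last

    def add_route(self, table, prefix, dev, src, via=None):
        self.tables.setdefault(table, []).append(
            Route(Net(prefix), dev, IPv4(src), IPv4(via) if via else None))

    def add_rule(self, src, table):
        # explicit rules are consulted before the catch-all rule
        self.rules.insert(len(self.rules) - 1, Rule(Net(src), table))

    @staticmethod
    def _lpm(table: List[Route], dst: IPv4) -> Optional[Route]:
        # longest prefix match; on equal length the earliest route wins
        hits = [r for r in table if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def select(self, dst, src=None) -> Optional[Route]:
        """Route used to reach dst. src is the address the socket is already
        bound to (a reply on an accepted connection) or None for a fresh
        outbound connection. Within a table only the destination matters;
        the source can only steer the choice of table through a `from` rule."""
        dst = IPv4(dst)
        src = IPv4(src) if src else None
        for rule in self.rules:
            if rule.src is not None and (src is None or src not in rule.src):
                continue
            route = self._lpm(self.tables.get(rule.table, []), dst)
            if route is not None:
                return route
        return None


def vanilla_host() -> Host:
    """The thread's setup: eth0 10.0.0.1/24, eth1 10.0.0.2/24, one default
    route. eth0 was configured first, so it wins every tie."""
    h = Host()
    h.add_route("main", "10.0.0.0/24", "eth0", "10.0.0.1")
    h.add_route("main", "10.0.0.0/24", "eth1", "10.0.0.2")
    h.add_route("main", "0.0.0.0/0", "eth0", "10.0.0.1", via="10.0.0.254")
    return h


def policy_routed_host() -> Host:
    """Same host plus a per-address table so traffic from 10.0.0.2 leaves eth1."""
    h = vanilla_host()
    h.add_route("100", "10.0.0.0/24", "eth1", "10.0.0.2")
    h.add_route("100", "0.0.0.0/0", "eth1", "10.0.0.2", via="10.0.0.254")
    h.add_rule("10.0.0.2/32", "100")
    return h


def reply_dev(host: Host, client: str, local: str) -> str:
    """Interface a reply from `local` to `client` leaves on."""
    return host.select(client, src=local).dev


def iproute2_commands() -> List[str]:
    """iproute2 equivalent of policy_routed_host() (listed, not executed)."""
    return [
        "ip route add 10.0.0.0/24 dev eth1 src 10.0.0.2 table 100",
        "ip route add default via 10.0.0.254 dev eth1 src 10.0.0.2 table 100",
        "ip rule add from 10.0.0.2/32 lookup 100",
    ]


if __name__ == "__main__":
    client = "198.51.100.10"
    v, p = vanilla_host(), policy_routed_host()
    print("fresh outbound          :", v.select(client))                # eth0, src 10.0.0.1
    print("reply from .2, main only:", reply_dev(v, client, "10.0.0.2"))  # eth0 (asymmetric)
    print("reply from .2, with rule:", reply_dev(p, client, "10.0.0.2"))  # eth1
    for cmd in iproute2_commands():
        print(cmd)
```

The vanilla host sends the reply for a connection accepted on 10.0.0.2 out eth0, which is exactly the "arrives on one interface, reply leaves on the other" pattern that stateful firewalls drop; the per-address table with a `from` rule pins replies to the interface that owns the address. A connected route is added to table 100 as well as a default, since a rule-selected table is consulted on its own and would otherwise send on-link traffic to the gateway.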
