nanog mailing list archives

Previous By Date Next
Previous By Thread Next

[Fwd: Re: Peering LSR Violation]

From: Rick Irving <rirving () onecall net>
Date: Fri, 29 Jun 2001 13:19:31 -0500



-------- Original Message --------
Subject: Re: Peering LSR Violation
Date: Fri, 29 Jun 2001 11:07:58 -0700
From: Doug Junkins <junkins () orcasisland verio net>
To: Rick Irving <rirving () onecall net>
CC: Dorian Kim <dorian () verio net>, peering () verio net,
peering () onecall net
References: <AEEPICGDOHNHFODBPFCLOEHBCPAA.tfrancis () verio net>
<3B3B8688.9933F73 () onecall net> <20010628184256.D15999 () blackrose org>
<3B3CC0E6.63BFBDB9 () onecall net>

Rick,

Please accept this as 30-days notice that Verio will turn down
peering
with OneCall unless LSR is permanently enabled on on the peering
routers
that border Verio.  I'm sorry if your interpretation of the
requirement
in our peering policy is different than ours, but the following
clause
is clear:

    Verio reserves the right to not peer with anyone as Verio sees
fit and
    to terminate any peering at any time with 30 days notice.

Warm Regards,

-Doug Junkins
 VP, IP Engineering
 Verio, Inc.

On Fri, Jun 29, 2001 at 12:54:46PM -0500, Rick Irving wrote:

Dorian Kim wrote:


On Thu, Jun 28, 2001 at 02:33:28PM -0500, Rick Irving wrote:

Rather than tell me -your- conclusion, why don't you tell
me what you are trying to achieve ?


LSR is an important tool for us, both for diagnostics and for verification
of certain peer checks.


  This is a generic smoke screen, I need specifics.

  There aren't many things LSR provides that cannot be provided in
another fashion, with cooperation.

And, FWIW, with less security risks.

  www.onecall.net has interior -traceroute- pages to provide the
probable services you are attempting to acquire. (See diagnostics)


"Verio requires that peers permit LSR, loose source routing, at least
    at the routers bordering the peering."


FWIW, we -do- permit LSR....  We turn -on- LSR by request.... 
then turn it -off- , when the diagnostic phase is complete.
My NOC -is- staffed 24x7 to respond to such needs.

Otherwise, LSR is inherently too insecure to -leave- enabled,
so we have to permit it on a case-by-case, instance by instance,
basis.


This has also been an explicit part of our peering
policy as long as Verio has had a peering policy.


   Randy Bush also thought the best solution to bandwidth and
routing 
was to buy MCI, UU, and SPRINT instead of peering, at one time.

  You know, in -his- case he may have been right. ;)

  (Just kidding, Randy... smile. :)

 However, We all learn.
 
 Like I said, perhaps you should tell me your goals, 
rather than your conclusion. I think we could plumb 
an appropriate solution.

BTW: In addition to the Record Route header options you appear to
desire,
I'll leave you with Cisco's enigmatic LSR definition:

=================================================================================
Loose Source Routing 
   Allows you to specify a list of nodes that must be traversed when
going to the
   destination. 
=================================================================================


We are simply attempt to get you to turn on LSR at the border routers
as you've agreed to when you agreed to our peering policy.


 We will. 

 Please schedule a time, and limited duration, that a tech on my
side
 can work with a tech on your side,  so we can assist you in running
your diagnostics.

  Thanks in advance.



Regards,

-dorian


You are aware that Loose Source Routing is a security risk, correct
?

Or, are you simply trying to "record route", and can't get something
back
... And your response is to "Inform me" of your policy?


Teri Francis wrote:


Onecall is currently in violation of Verio's peering agreement. Under
the "Technical Policy" section of our peering agreement it states,

   "Verio requires that peers permit LSR, loose source routing, at least
    at the routers bordering the peering."

Please enable LSR on the routers we are peering with.

Our peering policy has also been updated. Please acknowledge your receipt
of this agreement and your compliance of the policy. Please also include the
entire text of the agreement in your reply.

This notice will serve as a 30 day notice to depeer should we not
receive a response from you.

Regards,

Verio Peering

----Verio Peering agreement-----

Technical  : for all trouble and problems with established peers
Problems     noc () verio net  +1 888 598-3746 or +1 214 290-8545

Abuse/SPAM : SPAM and similar abuses
             abuse () verio net

Security   : for all other security-related issues
             security () verio net

Peering    : for negotiations of changes in peering points etc
             peering () verio net
             do NOT send to this address for technical problems with
             existing circuits

---

AS               : 2914
AS-macro         : AS-VERIO
Equinix-Ashburn  : 206.223.115.12   r00.asbnva01 GigE
MAE-East         : 192.41.177.121   r00.mclnva01 Vienna FDDI [0]
                   192.41.177.196   r01.mclnva01 Vienna FDDI [0]
                   198.32.187.223   r00.mclnva01 VPI/VCI:0/323 aal5snap [1]
                                                 CID: 0281b81b0052
MAE-West         : 198.32.136.80    r00.snjsca01 San Jose FDDI [2]
                   198.32.136.126   r01.snjsca01 San Jose FDDI [2]
                   198.32.200.80    r00.snjsca01 VPI/VCI:0/107 aal5snap [1]
                                                 CID: wz898473ip80
NASA-Ames        : 198.32.136.89    r00.mtvwca02 Sunnyvale FDDI [2]
PAIX             : 198.32.176.14    r06.plalca01 GigE
                   198.32.176.47    r05.plalca01 GigE
AADS             : 206.220.243.34   r00.chcgil01 VPI/VCI:3/40 aal5snap
LINX             : 195.66.224.138   r00.londen02 100baseT [3]
                   195.66.224.139   r01.londen02 100baseT [3]
Xchangepoint UK  : 217.79.160.10    r00.londen02 GigE [3]
                   217.79.161.10    r01.londen02 GigE [3]

[0] - Due to the impending terminatation of FDDI services at MAE-East,
      Verio is not adding new peers to our FDDI connections.

[1] - Verio is only provisioning AAL5 best-effort PVCs via WorldCom's
      Peermaker for MAE-ATM.  No guaranteed bandwidth PVCs will be
      accepted.

[2] - Please peer with MFS-West or Ames only in the same location.  Do not
      use the overburdened inter-site links.

[3] - Verio is currently testing prefix filtering based on IRR entries on
      our LINX and Xchangepoint connections.  You will need to provide
      Verio the name of your AS-set in the IRR that descibes the set of
      routes you will be announcing.  Verio currently accepts the following
      route registries: RADB, RIPE, ALTDB, ARCSTAR and CW[4].
      Peering filters will be updated each day automatically at 0100 UTC and
      loaded on the routers at 0400 UTC.  Contact noc () verio net for
technical
      problems with prefix filters.  These prefix filters do not replace or
      supercede our normal peering filters as described at:

           "http://info.us.bb.verio.net/routing.html#PeerFilter";.

[4] - Please note that due to problems mirroring RIPE 181 database, we are
      likely to phase out support for CW routing registry in the next few
      months unless CW upgrades their routing registry to be RPSL compliant
      and improves their reliability.

---

To initiate peering, you need to send email agreeing to the following:

General policy for public peering

    The Verio backbone peers with other transit ISPs, and only at the global
    exchange points to which the Verio backbone is connected.

    Verio does not peer with any ISP which is a Verio transit customer.

    In the United States, peering must be at least on both coasts, or one
    coast and Europe, with the peer having sufficient connectivity between
    points to support closest exit routing.

    In Europe, one peering is sufficient for now.  Verio may choose to
    announce the same routes in Europe as the States, but Verio reserves the
    right to announce only that subset of our routes which are local.  Of
    course, peer may choose to do either.

    Peer agrees to peer locally with Verio at any non-US peering points at
    which both appear.

    Peer is responsible for keeping Verio informed of their current contact
    information.  Please send infomation and updates to:
       peering () verio net
       noc () verio net

Technical Policy:

    Verio requires all BGP sessions have MD5 signature configured.

    Verio requires that peers permit LSR, loose source routing, at least at
    the routers bordering the peering.

    Verio requires that peers announce the same routing policy at all points
    where they peer with Verio.

    Peers are encouraged to, have NOCs with email addresses, phone numbers,
    and 24x7 coverage.

    Peers must agree to actively cooperate chasing security violations,
    denial of service attacks, and similar incidents.

    Peers must agree to actively respond to all technical issues within 48
    hours.  Non-response may result in depeering and other attention-getting
    mechanisms.

    Peers must not abuse the peering relationship by doing any of the
    following non exhaustive list: pointing default, resetting next hop,
    selling or giving next hop to others, etc.

    Verio reserves the right to not peer with anyone as Verio sees fit and
    to terminate any peering at any time with 30 days notice.

    Verio reserves the right to change this peering policy with 30 days
    notice.

01-JUN-2001
Previous By Date Next
Previous By Thread Next

Current thread: