Re: verio arrogance

[Jared Mauch <jared () puck Nether net>]

On Thu, Jul 18, 2002 at 11:54:30PM -0400, David Diaz wrote:
> Is there any need to keep the routing table to a smaller size.  Since 
> in theory, it creates suboptimal routing. And considering the new 
> routers out there today should be able to handle it.  Considering 
> verio is using junipers, and they pride themselves on handling a 
> tremendously large table.  Why should we shoot for a 100,000 route 
> table instead of 500,000 if it does not impact performance?

        When you are talking about BGP reconvergance when a router
crashes (oh wait, they would never crash ;-) or is upgraded it takes
a lot longer to advertize 500k routes than 100k routes.  Even
with a really-fast processor it obviously takes more time to do
route lookup in doing best-path computations with 100+ ibgp
peers.

        Then you start to talk about the memory footprint of 500k
prefixes, once you start to include received-side communities
as well as your new communities you've tagged on.  With
route-refresh it's not that bad, but with soft-reconfiguration enabled
it may cause a bit more memory to be used.

> I do understand that the 100,000 might be that actual 'installed best 
> routes' and that the routers might in fact be dealing with a much 
> larger route table.  That might be an issue.  But certainly 100,000- 
> 500,000 installed routes, is that a problem for large backbones with 
> high end routers?

        If you venture a guess and say that most "large" networks
originate about 5% of the 100k prefixes must be advertized (see
peering discussion about minimum routes to advertize awhile back)
that numer of prefixes is increased to 25k prefixes.  Then if you
prefix-filter your customers, you're talking about 5X increased
nvram/config requirements.

> My only consideration might be the small multihomed ISPs with 2-3 
> providers with full BGP feeds and cisco 4000s (256meg ram).  I saw 
> one last week.  I might be concerned at that level.

        "back in the day when full routes would fit in 64m ram".
obviously the smaller providers have a bit more of a challenge as
they tend to not have support contracts, and it can be a bit
tougher to justify router memory.

> I'd love to hear feedback.  It would then justify filtering...or not.

        Think about the "7007" and other cases whereby someone
announces a large set of routes they should not be.

        There have been numerous cases of this in the past and as
a long as it's possible to easily leak routes incorrectly due to
not filtering customers closely, etc.. it will continue to happen.

        - jared

> David
>
>
>
>
> At 21:37 -0400 7/18/02, Phil Rosenthal wrote:
> > How is it arrogant?
> > I read that as: a customer set up an exploitable FormMail.  Verio
> > received notice about it. Verio removed the FormMail in question. Verio
> > asked to be removed since they corrected the problem. Verio was ignored.
> >
> > Verio may have some problems with not terminating spammers, and I
> > believe this to be the truth -- I buy from verio, and Don't spam, and
> > whenever one of my clients spam, they get terminated for it.  I receive
> > plenty of spam from verio ips, and no matter how much I complain, it
> > never gets terminated.  This is probably a scenario of asking sales rep
> > "If I want to spam, but I pay more per meg -- Is this OK?"  and getting
> > a positive answer.
> >
> > That is why the NANAE people don't like verio.  But, nonetheless, I
> > don't think that putting verio's mailserver on a formmail list is
> > accomplishing anything good, since they fixed THAT problem...
> >
> > --Phil
> >
> > -----Original Message-----
> > From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On Behalf Of
> > Kai Schlichting
> > Sent: Thursday, July 18, 2002 6:37 PM
> > To: nanog () merit edu
> > Cc: Kai Schlichting
> > Subject: Re: verio arrogance
> >
> >
> >
> > How's THIS for Verio arrogance, going to a whole new level:
> >
> > http://www.monkeys.com/anti-spam/filtering/verio-demand.ps
> >
> > Details were on the SPAM-L list Wed, 17 Jul 2002  15:51:05 EDT: Verio
> > threatens to sue Ron Guilmette over the IP 208.55.91.59 appearing on his
> > FormMail.pl open-proxy/formmail server DNSBL.
> >
> > And given the ever-increasing number of spammers now hopping onto Verio
> > tells me that Verio must be well down the spiral of death (spammers seem
> > to be attracted by NSP's going chapter 7/11, or who are getting close),
> > or else the dozen-or-so automated messages going to abuse () verio net
> > every week complaining about connections (real or attempted) to hosts
> > under my control, and originating from their spamming customers would
> > have shown any results over time.
> >
> > I don't need connectivity to 208.55.0.0/16. I really don't, and I have
> > not the slightest tolerance for litigious, small-minded,
> > panic-lawyer-dialling scum like this.
> >
> > /etc/mail$ grep 208.55 access.local
> > 208.55                  550 Access for FormMail spam and litigious scum
> > denied - XXXX Verio in their XXXXXXXX XXX - we block more than just
> > 208.55.91.59 - Spammers must die - see
> > http://www.monkeys.com/anti-spam/filtering/verio-demand.ps
> > /etc/mail$
> >
> > PS: I also have zero tolerance for Nadine-type spam-generating,
> > "single-opt-in",
> >  "87% permission-based" emailers nowadays: 2 bounces or a single mail
> > to a
> >   never-existing account, and all your /24's are off into gated.conf as
> > a
> >   next-hop route to 127.0.0.1. And no, they won't get around that by
> > advertising
> >   /25's.
> >
> > Good-bye route-prefix-filtering wars, and welcome to the war on spam,
> > where Null0'd /28's for filtering 'undesirables' just doesn't cut it any
> > more. Casualties like 10-15 bystanding rackspace.com customers with a
> > "Nadine- type" mailer in neighboring IP space be damned: "move your
> > servers into a different slum, cause da landlord's running down 'da
> > neighborhood".
> >
> > --
> > "Just say No" to Spam                                     Kai
> > Schlichting
> > New York, Palo Alto, You name it             Sophisticated Technical
> > Peon
> > Kai's SpamShield <tm> is FREE!
> > http://www.SpamShield.org
> > |
> > | |
> > LeasedLines-FrameRelay-IPLs-ISDN-PPP-Cisco-Consulting-VoiceFax-Data-Muxe
> > s
> > WorldWideWebAnything-Intranets-NetAdmin-UnixAdmin-Security-ReallyHardMat
> > h
>
> -- 
>
> David Diaz
> dave () smoton net [Email]
> pagedave () smoton net [Pager]
> Smotons (Smart Photons) trump dumb photons

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.