nanog mailing list archives

Re: Internet routing table "completeness" monitoring?


From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Wed, 3 Oct 2012 14:21:37 -0400 (EDT)

On Wed, 3 Oct 2012, Christopher Morrow wrote:

> is a threshold helpful here? (well, it's helpful to a point at least)
> what if your neighbour starts deaggregating (or sending you their
> internal deaggregates) in place of 50k real routes? no alarm, no
> 'change' from a numbers perspective, but certainly a traffic shift and
> reachability change :(

As long as you have some control over the number of polling intervals between the detection of a noteworthy change and sending an alarm. Otherwise, there is a real danger of your NOC having to investigate a lot of noisy alerts. If that persists for too long, the NOC will grow tired of responding to these alerts, and send them all to the bit bucket, or implement their own polling thresholds that meet their needs more effectively.

If a network you have no business relationship with and several AS hops away from you goes away, how much effort do you want to expend investigating that? That probably depends on your customers. If you see a few hundred routes disappear and determine them to be for an ISP on the other side of the planet, that's one thing. If your view of something like Google or Facebook suddenly disappears, that could be another thing entirely ;)

> Isn't a speed-of-change threshold also interesting here?

+1 on that :)

jms
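
The three ideas in this exchange (a hold-down of several polling intervals before alarming, a check that catches prefixes being swapped while the route count stays flat, and a speed-of-change measure) can be combined in one monitor. This is an added example, not code from the thread; the class name, the threshold values, the fixed first-poll baseline and the sample prefixes are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class RouteTableMonitor:
    count_pct: float = 5.0   # route-count deviation from baseline, in percent
    churn_pct: float = 5.0   # share of baseline prefixes no longer present
    rate_pct: float = 3.0    # prefixes changed between two consecutive polls
    hold_polls: int = 3      # consecutive bad polls required before alarming
    baseline: frozenset = frozenset()
    previous: frozenset = frozenset()
    streak: int = 0
    peak_rate: float = 0.0

    def poll(self, prefixes):
        """Feed one poll's prefix set; return alarm reasons, or [] if quiet."""
        current = frozenset(prefixes)
        if not self.baseline:                      # first poll seeds the baseline
            self.baseline = self.previous = current
            return []
        n = len(self.baseline)
        count_dev = abs(len(current) - n) * 100 / n
        churn = len(self.baseline - current) * 100 / n   # catches same-count swaps
        rate = len(current ^ self.previous) * 100 / max(len(self.previous), 1)
        self.previous = current
        if count_dev < self.count_pct and churn < self.churn_pct:
            self.streak, self.peak_rate = 0, 0.0   # recovered: reset the hold-down
            return []
        self.streak += 1
        self.peak_rate = max(self.peak_rate, rate)
        if self.streak != self.hold_polls:         # still holding, or already alarmed
            return []
        checks = (("count", count_dev >= self.count_pct),
                  ("churn", churn >= self.churn_pct),
                  ("fast", self.peak_rate >= self.rate_pct))
        return [name for name, hit in checks if hit]

def run(polls, **thresholds):
    """Replay a sequence of polls and collect the result of each one."""
    mon = RouteTableMonitor(**thresholds)
    return [mon.poll(p) for p in polls]

# Constructed sample data: 100 /16s stand in for the steady-state table.
BASE = [f"10.{i}.0.0/16" for i in range(100)]
# Same route count, but 10 prefixes replaced by more-specifics.
DEAGG = BASE[10:] + [f"10.{i}.0.0/17" for i in range(10)]
# A one-poll blip: 20 routes vanish, then return on the next poll.
BLIP = BASE[20:]
```

Replaying `[BASE, DEAGG, DEAGG, DEAGG]` alarms on the fourth poll with `["churn", "fast"]` even though the count never moved, while `[BASE, BLIP, BASE, BASE]` stays silent because the change did not outlast the hold-down.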

