Re: IRR Mandatory at MICE / New Route Servers
This is the current cutover plan: Phase 1: On Tuesday, May 23, starting around 10:00 AM US/Central, we will upgrade route server 1. It will enforce the IRR as-set requirement for transit ASes, but will NOT enforce the IRR prefix requirement. Since route server 2 will still exist, even the as-set requirement is only a soft requirement. Phase 2: On Wednesday, May 31, starting around 10:00 AM US/Central, we will upgrade route server 2. It will be fully enforcing. At that point, the as-set requirement will be a hard requirement. The prefix IRR requirement will still be a soft requirement, as route server 1 will still not be enforcing. Phase 3: Tentatively, on Wednesday, June 7, starting around 10:00 AM US/Central, we will configure route server 1 to be fully enforcing. At that point, all IRR requirements will hard requirements. This date is subject to change based on what we see filtered. *We ask that you do /not/ take down your route server BGP sessions for these changes, as that will make it harder for us to know if things are working. If you are going to do so (e.g. because your organization's policies require it), then please let me know so I can expect your session to be down.* -- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
On 2023-05-13 02:02, Richard Laager wrote:
This is the current cutover plan:
Phase 1: On Tuesday, May 23, starting around 10:00 AM US/Central, we will upgrade route server 1. It will enforce the IRR as-set requirement for transit ASes, but will NOT enforce the IRR prefix requirement. Since route server 2 will still exist, even the as-set requirement is only a soft requirement.
This work is beginning. -- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
Sorry for the delay. I forgot to approve this message. Current status: Things are up. We are still sorting through various sessions that are down to see if anything is wrong on the MICE side. On 2023-05-23 10:21, Richard Laager wrote:
On 2023-05-13 02:02, Richard Laager wrote:
This is the current cutover plan:
Phase 1: On Tuesday, May 23, starting around 10:00 AM US/Central, we will upgrade route server 1. It will enforce the IRR as-set requirement for transit ASes, but will NOT enforce the IRR prefix requirement. Since route server 2 will still exist, even the as-set requirement is only a soft requirement.
This work is beginning.
-- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
We are done reviewing. I've sent a few emails to different networks directly. Please check your sessions and let me know if you are seeing something broken that should not be. Please review your routes for filtering: 1. Go to the looking glass: https://ixpmgr.micemn.net/lg 2. IPv4 will be selected by default at the top. 3. Click "Looking Glass" for "Route Server #1 - MICE - IPv4" 4. Find your network. You can use the search box to filter, e.g. by ASN. 5. Click on the number in the State/PfxRcd column. If you do not see that column, either expand your browser window (the scroll bar is not enough for me) or click the blue + icon. 6. That will show you just the prefixes that MICE is receiving from you / that you are announcing to MICE. 7. If any of them show the black ! triangle icon, that is getting filtered /now/ (albeit only on one route server). You should fix that ASAP. 8. For everything else, since the filtering is /not/ currently enforced, there is unfortunately no "at a glance" way to see if anything would be filtered/./ If you click on "Details" for a particular route, you can see its RPKI/IRR status in the "BGP :: Large Communities" section. If you see something in red, that is bad. 9. After checking IPv4, repeat for IPv6. For example, here are my IPv6 routes: https://ixpmgr.micemn.net/lg/rs1-ipv6/routes/protocol/pb_0102_as33362 At the moment, I am announcing a 2600:2600::666/128 that is being filtered. (This is from blackhole testing. Ignore the whole blackhole thing for now, please.) I can see it is filtered from the black ! triangle icon. If I click "Details" for it, I can see the reason for filtering is "PREFIX LENGTH TOO LONG". -- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
On 2023-05-13 02:02, Richard Laager wrote:
Phase 2: On Wednesday, May 31, starting around 10:00 AM US/Central, we will upgrade route server 2. It will be fully enforcing. At that point, the as-set requirement will be a hard requirement. The prefix IRR requirement will still be a soft requirement, as route server 1 will still not be enforcing.
This work is about to commence.
Phase 3: Tentatively, on Wednesday, June 7, starting around 10:00 AM US/Central, we will configure route server 1 to be fully enforcing. At that point, all IRR requirements will hard requirements. This date is subject to change based on what we see filtered.
*We ask that you do /not/ take down your route server BGP sessions for these changes, as that will make it harder for us to know if things are working. If you are going to do so (e.g. because your organization's policies require it), then please let me know so I can expect your session to be down.*
-- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
We have sent emails to those networks with sessions down on route server 2. The following networks are known to have prefixes filtered on route server 2 by the new IRR filtering. For some of these networks, it is a prefix here or there. For others, it is a significant fraction or all prefixes. AS57: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0030_as57 AS803: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0053_as803 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0053_as803 AS3663: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0161_as3663 AS5056 has too many routes for IPv4 for me to check in the looking glass's web interface. You should probably compare the number of received prefixes to the number you are advertising. If there is a difference and you need help sorting it out, please get in touch. AS6939 has too many routes for IPv4 for me to check in the looking glass's web interface. I assume you know what you're doing, so I am not taking further action. AS11796: https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0051_as11796 AS12042: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0062_as12042 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0062_as12042 AS13335: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0078_as13335 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0078_as13335 AS13746: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0111_as13746 AS13767: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0141_as13767 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0141_as13767 AS14230: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0149_as14230 AS14828: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0059_as14828 AS15011: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0075_as15011 AS15169 has too many routes for IPv4 for me to check in the looking glass's web interface. I assume you know what you're doing, so I am not taking further action. AS15250: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0064_as15250 AS16851: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0060_as16851 AS16904: https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0033_as16904 AS18451: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0138_as18451 AS18883: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0026_as18883 AS20412: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0073_as20412 AS22402: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0088_as22402 AS25694: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0072_as25694 AS26794: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0048_as26794 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0048_as26794 https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0054_as26794 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0054_as26794 AS27204: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0095_as27204 AS31834: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0152_as31834 AS32097: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0020_as32097 AS40160: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0183_as40160 AS46692: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0118_as46692 AS53597: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0122_as53597 https://ixpmgr.micemn.net/lg/rs2-ipv6/routes/protocol/pb_0122_as53597 AS54578: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0105_as54578 AS55043: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0084_as55043 AS64227: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0093_as64227 AS396410: https://ixpmgr.micemn.net/lg/rs2-ipv4/routes/protocol/pb_0063_as396410 -- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
It turns out I made an error in the IRR prefix enforcement. So while we were enforcing the as-set requirement as intended, we were /not/ enforcing the route object requirement on rs2. Accordingly, I did /not/ make that enforcing on rs1 today as scheduled. Instead, I corrected it on rs2 and will wait another week before making it enforced on rs1. I have separately emailed everyone who has prefixes being filtered. -- Richard ######################################################################## To unsubscribe from the MICE-ANNOUNCE list, click the following link: &*TICKET_URL(MICE-ANNOUNCE,SIGNOFF);
participants (1)
-
Richard Laager