Some leaks in China/Hong Kong

Bernhard Schmidt berni at birkenwald.de
Sun Oct 26 14:17:53 CET 2008


Hello everyone,

I had a very unpleasant experience when I looked at my RTT monitoring
this morning.

a) 

bschmidt@lxbsc01:~$ traceroute6 -q1 2001:470:0:69::2
traceroute to 2001:470:0:69::2 (2001:470:0:69::2) from 2001:4ca0:0:f000:211:43ff:fe7e:3a76, port 33434, from port 36641, 30 hops max, 60 byte packets
 1  vl-23.csr1-2wr.lrz-muenchen.de (2001:4ca0:0:f000::1)  0.374 ms
 2  xr-gar1-te1-3-108.x-win.dfn.de (2001:638:c:a003::1)  0.441 ms
 3  2001:638:c:c043::2 (2001:638:c:c043::2)  8.484 ms
 4  dfn.rt1.fra.de.geant2.net (2001:798:14:10aa::1)  7.879 ms
 5  abilene-wash-gw.rt1.fra.de.geant2.net (2001:798:14:10aa::12)  100.643 ms
 6  so-0-2-0.0.rtr.chic.net.internet2.edu (2001:468:ff:209::2)  117.230 ms
 7  so-4-3-0.rtr.kans.net.internet2.edu (2001:468:ff:204:8000::2)  127.967 ms
 8  so-0-0-0.0.rtr.salt.net.internet2.edu (2001:468:ff:407::2)  181.439 ms
 9  so-0-0-0.0.rtr.seat.net.internet2.edu (2001:468:ff:716::1)  181.476 ms
10  kreonet-1-lo-jmb-706.sttlwa.pacificwave.net (2001:504:b:10::6)  169.102 ms
11  2001:320:1b00:1::1 (2001:320:1b00:1::1)  283.341 ms
12  hurricaneelectric-RGE.hkix.net (2001:7fa:0:1::ca28:a19e)  327.876 ms
13  v1026.core1.sjc1.he.net (2001:470:0:c3::1)  331.108 ms
14  10gigabitethernet2-1.core1.sjc2.he.net (2001:470:0:55::2)  327.817 ms
15  10gigabitethernet1-3.core1.nyc4.he.net (2001:470:0:33::2)  327.861 ms
16  10gigabitethernet1-2.core1.lon1.he.net (2001:470:0:3e::2)  327.785 ms
17  10gigabitethernet1-1.core1.ams1.he.net (2001:470:0:3f::2)  327.827 ms
18  10gigabitethernet1-1.core1.fra1.he.net (2001:470:0:47::2)  327.742 ms
19  1g-bge0.tserv6.fra1.ipv6.he.net (2001:470:0:69::2)  328.126 ms

  680 20965 11537 17579 4635 6939
    2001:638:C:A003::1 from 2001:638:C:A003::1 (188.1.200.38)
      Origin IGP, localpref 90, valid, external, best
      Community: 680:77 11537:2501 12816:2100 12816:2110 20965:11537

This, apparently new or newly leaking, peering between AS4635 and AS6939
affects about 200 prefixes that are detoured through Hong Kong for all
users behind 20965 (the European REN, comparable to I2) or 11537 (I2).
So, I guess, a not-too-small two-digit slice of the current IPv6 users.

b)

bschmidt@lxbsc01:~$ traceroute6 -q1 ipv6.google.com
traceroute to ipv6.google.com (2001:4860:0:1001::68) from 2001:4ca0:0:f000:211:43ff:fe7e:3a76, port 33434, from port 34321, 30 hops max, 60 byte packets
 1  vl-23.csr1-2wr.lrz-muenchen.de (2001:4ca0:0:f000::1)  0.384 ms
 2  xr-gar1-te1-3-108.x-win.dfn.de (2001:638:c:a003::1)  0.482 ms
 3  2001:638:c:c043::2 (2001:638:c:c043::2)  8.283 ms
 4  dfn.rt1.fra.de.geant2.net (2001:798:14:10aa::1)  7.876 ms
 5  abilene-wash-gw.rt1.fra.de.geant2.net (2001:798:14:10aa::12)  100.596 ms
 6  so-0-2-0.0.rtr.chic.net.internet2.edu (2001:468:ff:209::2)  117.203 ms
 7  so-4-3-0.rtr.kans.net.internet2.edu (2001:468:ff:204:8000::2)  127.765 ms
 8  so-0-0-0.0.rtr.salt.net.internet2.edu (2001:468:ff:407::2)  181.408 ms
 9  so-0-0-0.0.rtr.seat.net.internet2.edu (2001:468:ff:716::1)  181.495 ms
10  kreonet-1-lo-jmb-706.sttlwa.pacificwave.net (2001:504:b:10::6)  169.117 ms
11  2001:320:1b00:1::1 (2001:320:1b00:1::1)  283.376 ms
12  2001:320:8300:30::11 (2001:320:8300:30::11)  274.199 ms
13  2001:252:0:101::2 (2001:252:0:101::2)  300.406 ms
14  *
15  *
16  2001:4860:0:1001::68 (2001:4860:0:1001::68)  348.676 ms

  680 20965 11537 17579 23911 15169, (aggregated by 15169 64.233.175.244)
    2001:638:C:A003::1 from 2001:638:C:A003::1 (188.1.200.38)
      Origin IGP, localpref 90, valid, external, best
      Community: 680:77 11537:2501 12816:2100 12816:2110 20965:11537

Again, affects all users in GEANT2 and I2.

AS4635 has a very bad reputation regarding leaking full tables where they
don't belong; AS17579 has not been a saint either. Additionally, these
problems are very much amplified by the current policy of most RENs to
prefer (through localpref) their fellow RENs and tag their prefixes
accordingly. As soon as someone does this on an unfiltered link, as
Abilene does for Kreonet, it creates havoc.

In this case, 680 has direct peering with both 6939 and 15169, so I
would not have seen anything without these localpref games. And both
GEANT2 and I2 should see 6939 and 15169 through at most one transit ASN.

No wonder people are reluctant to use IPv6 for serious production use if
we can't fix those problems for good. Thankfully I could fix it for our
users by depreffing those paths and switching to our commercial (backup)
transit, but that's far from optimal.

Regards,
Bernhard
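
A check for the condition stated in the message, that AS20965 and AS11537 should reach AS6939 and AS15169 through at most one transit ASN, run over the two AS-path lines quoted above. This is an added example, not part of the original post; the function names, the policy constants and the third sample line (a constructed healthy path using documentation ASN 64500) are assumptions made for illustration.

```python
import re

# Policy as stated in the post (constants are this example's assumption):
# the RENs should see these origins through at most one transit ASN.
REN_ASNS = {20965, 11537}          # GEANT2, Internet2
WATCHED_ORIGINS = {6939, 15169}
MAX_TRANSIT = 1

def parse_as_path(line):
    """Return the AS path from a BGP path line as a list of ints.
    Drops trailing notes such as ', (aggregated by ...)' and collapses prepends."""
    path_part = line.split(",")[0]
    path = []
    for tok in re.findall(r"\b\d+\b", path_part):
        asn = int(tok)
        if not path or path[-1] != asn:
            path.append(asn)
    return path

def transit_after_ren(path):
    """ASNs between the last REN on the path and the origin; None if no REN is traversed."""
    ren_positions = [i for i, asn in enumerate(path) if asn in REN_ASNS]
    if not ren_positions:
        return None
    return path[ren_positions[-1] + 1:-1]

def check_path(line):
    """Return a finding dict if the path violates the policy, else None."""
    path = parse_as_path(line)
    if not path or path[-1] not in WATCHED_ORIGINS:
        return None
    transit = transit_after_ren(path)
    if transit is None or len(transit) <= MAX_TRANSIT:
        return None
    return {"origin": path[-1], "unexpected_transit": transit, "path": path}

SAMPLE_LINES = [
    "  680 20965 11537 17579 4635 6939",                                        # from the post
    "  680 20965 11537 17579 23911 15169, (aggregated by 15169 64.233.175.244)",  # from the post
    "  680 20965 11537 64500 6939 6939",                                        # constructed, healthy
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        finding = check_path(line)
        status = "LEAK SUSPECTED" if finding else "ok"
        print(f"{status:15} {line.strip()}")
        if finding:
            print(f"{'':15} origin AS{finding['origin']} via {finding['unexpected_transit']}")
```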


More information about the ipv6-ops mailing list