Some leaks in China/Hongkong

Mike Leber mleber at he.net
Sun Oct 26 16:59:38 CET 2008 

Several of the parties in the path you list are intentionally preferring 
to send traffic to Hong Kong and perhaps being publicly shamed is the 
only way to get them to change it.

We are not "leaking full tables" in Hong Kong.  We went live in Hong 
Kong a few weeks ago and have a few IPv6 customers in Hong Kong, 
including some Chinese research and education networks.

The fact that none of the parties involved bothers to have the necessary 
transit route to reach that customer prefix in Europe and instead 
prefers to use a Chinese university network as their transit of last 
resort, is something to ask them not us.

dfn, geant2, or internet2 don't currently get a decent full view 
otherwise they wouldn't send traffic to Hong Kong.

Anybody that actually cares about decent routing can fix this in Europe 
by either peering with us in Europe, taking IPv6 transit from us 
directly in Europe, *or* by turning off their transit provider that has 
to use a Chinese University as their upstream transit provider for their 
European network.  There are a bunch of other decent European IPv6 
transit networks that would be happy to sell you service!

For your convenience if you'd like to peer directly, meet us at any of 
the following exchanges:

We are AS6939.

NAP             Status  Speed   IPv4            IPv6
--------------- ------- ------- --------------- ------------------------
EQUINIX-ASH     UP      10GigE  206.223.115.37  2001:504:0:2::6939:1
EQUINIX-CHI     UP      10GigE  206.223.119.37  2001:504:0:4::6939:1
EQUINIX-DAL     UP      10GigE  206.223.118.37  2001:504:0:5::6939:1
EQUINIX-LAX     UP      10GigE  206.223.123.37  2001:504:0:3::6939:1
EQUINIX-SJC     UP      10GigE  206.223.116.37  2001:504:0:1::6939:1
LINX            UP      10GigE  195.66.224.21   2001:7f8:4:0::1b1b:1
LoNAP           UP      GigE    193.203.5.128   2001:7f8:17::1b1b:1
AMS-IX          UP      10GigE  195.69.145.150  2001:7f8:1::a500:6939:1
NL-IX           UP      GigE    193.239.116.14  2001:7f8:13::a500:6939:1
PAIX Palo Alto  UP      10GigE  198.32.176.20   2001:504:d::10
PAIX New York   UP      10GigE  198.32.118.57   2001:504:f::39
NYIIX           UP      10GigE  198.32.160.61   2001:504:1::a500:6939:1
LAIIX           UP      GigE    198.32.146.50   2001:504:a::a500:6939:1
NYCX            UP      GigE    198.32.229.22
BIGEAPE         UP      100BT                   2001:458:26:2::500
SIX             UP      10GigE  198.32.180.40   2001:478:180::40
PaNAP           UP      10GigE  62.35.254.111   2001:860:0:6::6939:1
DE-CIX          UP      10GigE  80.81.192.172   2001:7f8::1b1b:0:1
NOTA            UP      10GigE  198.32.124.176  2001:478:124::176
Any2-LAX        UP      10GigE  206.223.143.122 2001:504:13:0:0:0:0:1A
HKIX            UP      GigE    202.40.161.158  2001:7fa:0:1::ca28:a19e
Telx-Atlanta    UP      10GigE  198.32.132.75   2001:478:132::75

Mike.

Bernhard Schmidt wrote:
> Hello everyone,
> 
> I had a very unpleasant experience when I looked at my RTT monitoring
> this morning.
> 
> a) 
> 
> bschmidt at lxbsc01:~$ traceroute6 -q1 2001:470:0:69::2
> traceroute to 2001:470:0:69::2 (2001:470:0:69::2) from 2001:4ca0:0:f000:211:43ff:fe7e:3a76, port 33434, from port 36641, 30 hops max, 60 bytepackets
>  1  vl-23.csr1-2wr.lrz-muenchen.de (2001:4ca0:0:f000::1)  0.374 ms
>  2  xr-gar1-te1-3-108.x-win.dfn.de (2001:638:c:a003::1)  0.441 ms
>  3  2001:638:c:c043::2 (2001:638:c:c043::2)  8.484 ms
>  4  dfn.rt1.fra.de.geant2.net (2001:798:14:10aa::1)  7.879 ms
>  5  abilene-wash-gw.rt1.fra.de.geant2.net (2001:798:14:10aa::12)  100.643 ms
>  6  so-0-2-0.0.rtr.chic.net.internet2.edu (2001:468:ff:209::2)  117.230 ms
>  7  so-4-3-0.rtr.kans.net.internet2.edu (2001:468:ff:204:8000::2)  127.967 ms
>  8  so-0-0-0.0.rtr.salt.net.internet2.edu (2001:468:ff:407::2)  181.439 ms
>  9  so-0-0-0.0.rtr.seat.net.internet2.edu (2001:468:ff:716::1)  181.476 ms
> 10  kreonet-1-lo-jmb-706.sttlwa.pacificwave.net (2001:504:b:10::6)  169.102 ms
> 11  2001:320:1b00:1::1 (2001:320:1b00:1::1)  283.341 ms
> 12  hurricaneelectric-RGE.hkix.net (2001:7fa:0:1::ca28:a19e)  327.876 ms
> 13  v1026.core1.sjc1.he.net (2001:470:0:c3::1)  331.108 ms
> 14  10gigabitethernet2-1.core1.sjc2.he.net (2001:470:0:55::2)  327.817 ms
> 15  10gigabitethernet1-3.core1.nyc4.he.net (2001:470:0:33::2)  327.861 ms
> 16  10gigabitethernet1-2.core1.lon1.he.net (2001:470:0:3e::2)  327.785 ms
> 17  10gigabitethernet1-1.core1.ams1.he.net (2001:470:0:3f::2)  327.827 ms
> 18  10gigabitethernet1-1.core1.fra1.he.net (2001:470:0:47::2)  327.742 ms
> 19  1g-bge0.tserv6.fra1.ipv6.he.net (2001:470:0:69::2)  328.126 ms
> 
>   680 20965 11537 17579 4635 6939
>     2001:638:C:A003::1 from 2001:638:C:A003::1 (188.1.200.38)
>       Origin IGP, localpref 90, valid, external, best
>       Community: 680:77 11537:2501 12816:2100 12816:2110 20965:11537
> 
> This, apparently new or newly leaking, peering between AS4635 and AS6939
> affects about 200 prefixes that are detoured through Hongkong for all
> users behind 20965 (the european REN, comparable to I2) or 11537 (I2).
> So, I guess, a not-too-small two-digit slice of the current IPv6 users.
> 
> b)
> 
> bschmidt at lxbsc01:~$ traceroute6 -q1 ipv6.google.com
> traceroute to ipv6.google.com (2001:4860:0:1001::68) from 2001:4ca0:0:f000:211:43ff:fe7e:3a76, port 33434, from port 34321, 30 hops max, 60 byte packets
>  1  vl-23.csr1-2wr.lrz-muenchen.de (2001:4ca0:0:f000::1)  0.384 ms
>  2  xr-gar1-te1-3-108.x-win.dfn.de (2001:638:c:a003::1)  0.482 ms
>  3  2001:638:c:c043::2 (2001:638:c:c043::2)  8.283 ms
>  4  dfn.rt1.fra.de.geant2.net (2001:798:14:10aa::1)  7.876 ms
>  5  abilene-wash-gw.rt1.fra.de.geant2.net (2001:798:14:10aa::12)  100.596 ms
>  6  so-0-2-0.0.rtr.chic.net.internet2.edu (2001:468:ff:209::2)  117.203 ms
>  7  so-4-3-0.rtr.kans.net.internet2.edu (2001:468:ff:204:8000::2)  127.765 ms
>  8  so-0-0-0.0.rtr.salt.net.internet2.edu (2001:468:ff:407::2)  181.408 ms
>  9  so-0-0-0.0.rtr.seat.net.internet2.edu (2001:468:ff:716::1)  181.495 ms
> 10  kreonet-1-lo-jmb-706.sttlwa.pacificwave.net (2001:504:b:10::6)  169.117 ms
> 11  2001:320:1b00:1::1 (2001:320:1b00:1::1)  283.376 ms
> 12  2001:320:8300:30::11 (2001:320:8300:30::11)  274.199 ms
> 13  2001:252:0:101::2 (2001:252:0:101::2)  300.406 ms
> 14  *
> 15  *
> 16  2001:4860:0:1001::68 (2001:4860:0:1001::68)  348.676 ms
> 
>   680 20965 11537 17579 23911 15169, (aggregated by 15169 64.233.175.244)
>     2001:638:C:A003::1 from 2001:638:C:A003::1 (188.1.200.38)
>       Origin IGP, localpref 90, valid, external, best
>       Community: 680:77 11537:2501 12816:2100 12816:2110 20965:11537
> 
> again, affects all users in GEANT2 and I2. 
> 
> AS4635 has a very bad reputation regarding leaking fulltables where they
> don't belong, AS17579 has not been a saint either. Additionally, these
> problems are very much amplified by the current policy of most RENs to
> prefer (through localpref) their fellow RENs and tag their prefixes
> accordingly. As soon as someone does this on an unfiltered link, as
> Abilene does for Kreonet, it creates havoc.
> 
> In this case, 680 has direct peering with both 6939 and 15169, so I
> would not have seen anything without these localpref games. And both
> GEANT2 and I2 should see 6939 and 15169 through at most one transit ASN.
> 
> No wonder people are reluctant to use IPv6 for serious production use if
> we can't fix those problems for good. Thankfully I could fix it for our
> users by depreffing those paths and switching to our commercial (backup)
> transit, but that's far from optimal.
> 
> Regards,
> Bernhard

-- 
+---------------- H U R R I C A N E - E L E C T R I C ----------------+
| Mike Leber        Wholesale IPv4 and IPv6 Transit      510 580 4100 |
| Hurricane Electric                                           AS6939 |
| mleber at he.net     Internet Backbone & Colocation      http://he.net |
+---------------------------------------------------------------------+

More information about the ipv6-ops mailing list