Dear Akamai, you got a /32 there not a bunch of /48s - how to break Facebook and annoy lots of users

Jeroen Massar jeroen at sixxs.net
Mon Aug 20 18:17:24 CEST 2012


In reference to https://www.sixxs.net/tickets/?msg=tickets-7640234

In other words it makes things "sometimesnot work"....

[code]
grh.sixxs.net> show bgp 2a02:26f0:c:1::5c7a:3289
BGP routing table entry for 2a02:26f0:c::/48
Paths: (100 available, best #20, table Default-IP-Routing-Table)
  Not advertised to any peer
  25384 3292 3257 20940 20940
    2001:15f8:1::1 from 2001:15f8:1::1 (85.89.248.1)
      Origin IGP, localpref 100, valid, external
      Last update: Mon Aug 20 18:07:40 2012
...
[/code]

[code]
grh.sixxs.net> show bgp 2a02:26f0:5::5f64:f938
BGP routing table entry for 2a02:26f0:5::/48
Paths: (99 available, best #97, table Default-IP-Routing-Table)
  Not advertised to any peer
  25384 3292 1299 25074 20940 20940
    2001:15f8:1::1 from 2001:15f8:1::1 (85.89.248.1)
      Origin IGP, localpref 100, valid, external
      Last update: Mon Aug 20 17:52:39 2012
...
[/code]

Announcing /48s will get filtered and this randomly breaks stuff.


One would think that Akamai had enough moneyz to pay everybody to accept
those /48s into their or at least then to get a disjunct /32...

Dear Akamai: It is a PA prefix as in AGGREGATED...

and as Facebook has enabled IPv6, this is broken for a LOT of people.


There is not even a special route6, there just is:

inet6num:       2a02:26f0::/32
netname:        EU-AKAMAI-20101022
descr:          Akamai Technologies
country:        EU
org:	        ORG-AT1-RIPE
admin-c:        NARA1-RIPE
tech-c:         NARA1-RIPE
status:         ALLOCATED-BY-RIR
mnt-by:         RIPE-NCC-HM-MNT
mnt-lower:      AKAM1-RIPE-MNT
mnt-routes:     AKAM1-RIPE-MNT
source:         RIPE # Filtered

route6:          2a02:26f0::/32
descr:           Akamai Technologies
origin:          AS34164
mnt-by:          AKAM1-RIPE-MNT
source:          RIPE # Filtered


Note that it depends on where I do the DNS query for which returns one
gets as some other locations point elsewhere...

$ host profile.ak.fbcdn.net
profile.ak.fbcdn.net is an alias for profile.ak.facebook.com.edgesuite.net.
profile.ak.facebook.com.edgesuite.net is an alias for a1725.dspl.akamai.net.
a1725.dspl.akamai.net has address 77.109.171.96
a1725.dspl.akamai.net has address 77.109.171.107
a1725.dspl.akamai.net has address 77.109.171.121
a1725.dspl.akamai.net has address 77.109.171.89
a1725.dspl.akamai.net has IPv6 address 2a02:26f0:c:1::5c7a:32a1
a1725.dspl.akamai.net has IPv6 address 2a02:26f0:c:1::5c7a:32aa
a1725.dspl.akamai.net has IPv6 address 2a02:26f0:c:1::5c7a:328b

This of course makes it more fun to debug as it is then "works for me"
in one case while completely different set in another case:

$ host -t any profile.ak.fbcdn.net
profile.ak.fbcdn.net is an alias for profile.ak.facebook.com.edgesuite.net.
profile.ak.facebook.com.edgesuite.net is an alias for a1725.dspl.akamai.net.
a1725.dspl.akamai.net has address 23.62.98.130
a1725.dspl.akamai.net has address 23.62.98.169
a1725.dspl.akamai.net has address 23.62.98.145
a1725.dspl.akamai.net has address 23.62.98.113
a1725.dspl.akamai.net has address 23.62.98.152
a1725.dspl.akamai.net has address 23.62.98.105
a1725.dspl.akamai.net has address 23.62.98.122
a1725.dspl.akamai.net has IPv6 address 2001:668:108:1::4d43:1c38
a1725.dspl.akamai.net has IPv6 address 2001:668:108:1::4d43:1c30
a1725.dspl.akamai.net has IPv6 address 2001:668:108:1::4d43:1c3a


As such it is not that Akamai really needs to announce disjunct /48s as
the are already using PA space from other providers who do not have this
issue.

Greets,
 Jeroen



More information about the ipv6-ops mailing list