From: Rob Thomas [mailto:robt@cymru.com]
Sent: Sunday, March 24, 2002 1:07 PM
To: FIRST Teams
Subject: Another route server arises

Hi, teams.

German Martinez recently posted to NANOG an announcement of a new route server, route-server.opentransit.net. For those of you who don't know, route servers are excellent tools to use when analyzing Internet routing and connectivity issues (are my prefixes there?). They can also be used when enduring a DoS attack, tracking the history of your prefix announcements, etc. I have several route servers listed in my Secure BGP Template for this reason. I also run a route server and track a few key prefixes in my home lab.

Brief tangent: It's amazing how much garbage ends up in the Internet routing table.

The simplest method of using a route server is to telnet to it (there will be no login or password), then issue the following command:

    route-server.opentransit.net>sh ip bgp 198.41.0.4
    BGP routing table entry for 198.41.0.0/24, version 51864
                               [^^^^^^^^^^^^^ - prefix]
    Paths: (2 available, best #1)
           [^^^^^^^^^^^^^^^^^^^^ - number of paths and preferred path]
      Not advertised to any peer
      3561 19836
     [^^^^^^^^^^ - AS PATH, e.g. ASN hops]
        193.251.128.22 from 193.251.128.22 (193.251.128.22)
       [^^^^^^^^^^^^^^ - peer who gave route-server this prefix]
          Origin IGP, metric 100, localpref 85, valid, internal, best
                       [this is the route used by route-server - ^^^^]
      3561 19836
     [^^^^^^^^^^ - AS PATH, e.g. ASN hops]
        193.251.129.18 from 193.251.129.18 (193.251.129.18)
       [^^^^^^^^^^^^^^ - peer who gave route-server this prefix]
          Origin IGP, metric 100, localpref 85, valid, internal

The output tells us that 198.41.0.4 (a.root-servers.net) is available to this route server through the announcement of the 198.41.0.0/24 prefix. The origin ASN (origin network, the right most ASN) is 19836 (Verisign/Network Solutions). This router can access this prefix through two transit BGP peers, both in ASN 3561 (Cable & Wireless). The AS path is C&W (3561) -> Verisign (19836). Other prefixes might be reachable through multiple and different AS paths, e.g. 3549 6555 and 1 6555.

I'll not bore you with the details regarding the origin IGP, metric, localpref, and other bits. Feel free to ping on me if you want to know what those mean.

So what might be an indicator of woe? If the origin ASN is not what you expect, that could be bad. If the prefix length (in the example above, /24) is different than what you expect, that could be bad. I would be particularly disturbed if the prefix length was more specific, e.g. should be /20 but shows up as /24.

Thanks,
Rob.
--
Rob Thomas
http://www.cymru.com/~robt
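
The two warning signs named in the message above (an unexpected origin ASN, a prefix more specific than expected) can be checked automatically against saved `sh ip bgp` output. This is an added example, not part of the original message: the function names are hypothetical, the sample text is constructed from the quoted reply with the bracketed annotations removed, and it assumes Cisco-style output in which AS-path lines contain only ASNs.

```python
import ipaddress
import re

# Constructed sample: the reply quoted in the message, annotations removed.
SAMPLE = """\
BGP routing table entry for 198.41.0.0/24, version 51864
Paths: (2 available, best #1)
  Not advertised to any peer
  3561 19836
    193.251.128.22 from 193.251.128.22 (193.251.128.22)
      Origin IGP, metric 100, localpref 85, valid, internal, best
  3561 19836
    193.251.129.18 from 193.251.129.18 (193.251.129.18)
      Origin IGP, metric 100, localpref 85, valid, internal
"""

ENTRY_RE = re.compile(r"^BGP routing table entry for (\S+),", re.M)
# Assumption: an AS path is an indented line made up of nothing but ASNs.
PATH_RE = re.compile(r"^[ \t]+(\d+(?: \d+)*)[ \t]*$", re.M)


def parse_entry(text):
    """Return (prefix, [AS path as a list of ints, ...]) for one reply."""
    m = ENTRY_RE.search(text)
    if not m:
        raise ValueError("no routing table entry in output")
    prefix = ipaddress.ip_network(m.group(1))
    paths = [[int(a) for a in p.split()] for p in PATH_RE.findall(text)]
    return prefix, paths


def check(text, expected_prefix, expected_origin):
    """Report the indicators from the message: origin ASN, prefix length."""
    prefix, paths = parse_entry(text)
    expected = ipaddress.ip_network(expected_prefix)
    findings = []
    for path in paths:
        origin = path[-1]  # the origin is the rightmost ASN in the path
        if origin != expected_origin:
            findings.append(f"origin AS{origin}, expected AS{expected_origin}")
    if prefix.prefixlen > expected.prefixlen and prefix.subnet_of(expected):
        findings.append(f"more-specific {prefix} inside expected {expected}")
    elif prefix != expected:
        findings.append(f"prefix {prefix} differs from expected {expected}")
    return findings
```

An empty list from `check(SAMPLE, "198.41.0.0/24", 19836)` means the announcement matches expectations; any entries are the conditions the message describes as possible trouble.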