nanog mailing list archives

Re: So am I just excitable?

From: Tom Beecher via NANOG <nanog () lists nanog org>
Date: Sun, 31 Aug 2025 13:02:37 -0400


At least a few people on this thread are more used to examining and
analyzing this point than I am; but, if I'm not mistaken, at least some of
that de-aggregation in Route Views, RIS, or other route-collectors may
result from networks giving feeds to the collectors that are either
internal iBGP feeds or otherwise don't represent what they typically send
to "the outside world".



Yes. This happens all the time. Sometimes maliciously , sometimes not.

A particular ASN used to send me some /24s that they didn't send to the DFZ
or anyone else for a specific business case. They also didn't announce a
covering aggregate for that either. At the time , we were sending our IBGP
view to a route-collector. At some point that ASN (rightly) started to
announce the covering aggregate to the DFZ, and started calling me because
whoever they were using for hijack monitoring started complaining I was
hijacking these /24s.


On Sun, Aug 31, 2025 at 11:27 AM Tony Tauber via NANOG <
nanog () lists nanog org> wrote:

On the point of:

lots of disaggregation on Route Views that isn't present in our RIB


At least a few people on this thread are more used to examining and
analyzing this point than I am; but, if I'm not mistaken, at least some of
that de-aggregation in Route Views, RIS, or other route-collectors may
result from networks giving feeds to the collectors that are either
internal iBGP feeds or otherwise don't represent what they typically send
to "the outside world".

Not only is it unlikely that one may ever see convergence to just one type
of feed to collectors from all the participants, but even if one did, it's
not straightforward whether the view that "a customer" or a non-transit
partner might receive is preferable.

See some research about "Global BGP Attacks That Evade Route Monitoring
<https://ripe89.ripe.net/archives/video/1540/>" from 2024, for instance.

Cheers,
Tony

On Sat, Aug 30, 2025 at 3:03 AM Philip Smith via NANOG <
nanog () lists nanog org> wrote:

Brian Knight via NANOG wrote on 30/8/2025 10:00:

I see the cause of the discrepancy now. Bumped up our RIB against Route
Views, and I see lots of disaggregation on Route Views that isn't
present in our RIB. Had no idea we were being shielded from *that*
many /24's.


Oh and if you take a general wander around all the collectors in various
parts of the world, and compare the full views we get there versus what
you see. Or what I see in my weekly Routing Table Report I send here
(and a few NOG lists), which is pretty much what the RouteViews
collector hosted for us by the WIDE project at DIXIE gets to see (my
Routing Table Report view is courtesy of APNIC's peering there).

Many apologies for the Friday night stupidity :(


As others have said, this global routing table is a most fascinating
thing, everywhere you look at it. :-)

philip
-->

-Brian


On 2025-08-29 16:49, Brian Knight via NANOG wrote:

On 2025-08-29 15:15, Tom Beecher via NANOG wrote:

Geoff's data at Potaroo had the FIB clearing 1M back in Febuary if
memory
serves. So this already happened months ago.


I'm confused by that.

I show 990450 prefixes in my FIB, 990478 in RIB.

Potaroo shows 1022758 prefixes in FIB for today.

Why would there be a discrepancy of over 32k prefixes?

We're blocking exactly 0 prefixes from our three upstreams.

I would understand a hand-waving explanation of "this is the Internet,
it's always being updated, and everyone has a different view of it" if
the discrepancy were 10^2 or even 10^3. But over 10^5? That's a bit
like the three top ASNs for route count just disappeared from the
Internet.

-Brian

_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/SRSNDFOZXUFDZY5K6TFHNYGAYBLJ3OEL/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/ABES5S47HE5VKAYJFGZDK66ENQNSRPXU/

Current thread:

Re: So am I just excitable?, (continued)
- Re: So am I just excitable? Tom Beecher via NANOG (Aug 29)
  - Re: So am I just excitable? michael brooks - ESC via NANOG (Aug 29)
  - Re: So am I just excitable? Brian Knight via NANOG (Aug 29)
    - Re: So am I just excitable? Randy Bush via NANOG (Aug 29)
    - Re: So am I just excitable? Geoff Huston via NANOG (Aug 29)
    - Re: So am I just excitable? Tom Beecher via NANOG (Aug 29)
    - Re: So am I just excitable? Brian Knight via NANOG (Aug 29)
    - Re: So am I just excitable? Geoff Huston via NANOG (Aug 29)
    - Re: So am I just excitable? Philip Smith via NANOG (Aug 30)
    - Re: So am I just excitable? Tony Tauber via NANOG (Aug 31)
    - Re: So am I just excitable? Tom Beecher via NANOG (Aug 31)
- Re: So am I just excitable? Joe Loiacono via NANOG (Aug 29)