Routing – BGP routing based on ARIN info

arinbgpispprefixrouting

I have discovered weird routing from our ISP all related to BGP. Here is the scenario (real-one).
– there is a /19 prefix bought about 10 years ago, which was registered with ARIN authority.
– as bussiness grew each site got it /24.

The trouble starts in APNIC region in ASIA. We export one /24 prefix the regular way using two local ISPs.
When trying to reach this prefix from different ASIA sites like India or China all traffic is sent to US West Coast then back to our site. Except additional hops, this also adds about 150ms latency.

What I already tried:
– AS prepend each ISP at a time so the other left would be preffered for all inbound traffic
– both tests went similar as in both scenarios traffic hit US before reaching this trouble site.

As there is no other local special config I can think of like communities, how can I explain this?

Are both local ISP taking in consideration the ARIN info and based on that send traffic to US?

Thanks!

Best Answer

I guess I should start by saying that IP prefixes are not technically bought. When an IP prefix is allocated to a provider from an RIR like ARIN, there is no transfer of ownership. The IP range is always allocated to the RIR, and the allocation to the provider is only valid so long as the original terms of the allocation are upheld.

As for the routing part of the question, it is hard to give a specific answer without details on the actual prefixes used; however the most likely explanation is that some providers have policies in place which are not accepting the more specific /24 announcements.

I assume that the site in the US is announcing the entire /19 range, so any ISP that does not carry the specific /24 prefix will instead route towards the covering /19.

As for why some of the ISPs are not accepting the specific /24 announcements, this can have a number of reasons, and to be honest you are only going to be able to get a definitive answer from the ISP doing the filtering; however there are a few things you can try to improve your chances of the announcements being accepted.

Some ISPs will build their policies dynamically from information in routing registries. My experience is strongest in the RIPE service region, where routing policy can be registered using RPSL syntax in the RIPE database. ARIN also have a routing registry, but for the ARIN service region it is more common to register policy with the Merit RADb at ra.net. RPKI is still in it's early days and not many people are using RPKI in their policies; however it is an area to consider for the future which may allow for more reliable route distribution.

As you have seen, if the route is not in the table of these other ISPs then you are not going to be able to influence their routing by means of attributes on your announcements (i.e. as path length, communities, etc). You are only going to fix things by getting them to accept your announcement.

Related Solutions

ARIN Whois – How to Get IP Ranges

$ whois -a "o ! >  HT-136"

As found by doing man whois and whois -a ?

-a

Use the American Registry for Internet Numbers (ARIN) database. It contains network numbers used in those parts of the world cov- ered neither by APNIC, AfriNIC, LACNIC, nor by RIPE.
o

Query-by-record-type: o Organizations
!

Query-by-attribute: ! Searches for matches by handle or id
>

Record hierarchy: Displays the record related down the hierarchy. For an organization or customer, display the resources registered to that organization or customer, in list format.

The Result is:

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/orgs;handle=HT-136?showDetails=true&ext=netref2
#

OrgName:        HAProxy Technologies, Inc.
OrgId:          HT-136
Address:        1013 Centre Road, Suite 403S
City:           Wilmington
StateProv:      DE
PostalCode:     19805
Country:        US
RegDate:        2014-04-02
Updated:        2014-07-18
Ref:            http://whois.arin.net/rest/org/HT-136

TechHandle: SCARP14-ARIN
TechName:   Scarpa, John
TechPhone:  +1-857-366-5050
TechEmail:  john.scarpa@haproxy.com
TechRef:    http://whois.arin.net/rest/poc/SCARP14-ARIN

TechHandle: BRKIC2-ARIN
TechName:   Brkic, andrej
TechPhone:  +19547320642
TechEmail:  abrkic@haproxy.com
TechRef:    http://whois.arin.net/rest/poc/BRKIC2-ARIN

NOCHandle: NETWO6774-ARIN
NOCName:   Network Operations
NOCPhone:  +1-857-366-5050
NOCEmail:  noc@haproxy.com
NOCRef:    http://whois.arin.net/rest/poc/NETWO6774-ARIN

AdminHandle: SCARP14-ARIN
AdminName:   Scarpa, John
AdminPhone:  +1-857-366-5050
AdminEmail:  john.scarpa@haproxy.com
AdminRef:    http://whois.arin.net/rest/poc/SCARP14-ARIN

AbuseHandle: NETWO6775-ARIN
AbuseName:   Network Abuse
AbusePhone:  +1-857-366-5050
AbuseEmail:  abuse@haproxy.com
AbuseRef:    http://whois.arin.net/rest/poc/NETWO6775-ARIN
HAProxy Technologies, Inc. SCNET-205-234-170-0-1 (NET-205-234-170-0-1) 205.234.170.0 - 205.234.170.255
HAProxy Technologies, Inc. SCNET-205-234-181-0-1 (NET-205-234-181-0-1) 205.234.181.0 - 205.234.181.255
HAProxy Technologies, Inc. SCNET-205-234-165-0-1 (NET-205-234-165-0-1) 205.234.165.0 - 205.234.165.255
HAProxy Technologies, Inc. SCNET-205-234-166-0-1 (NET-205-234-166-0-2) 205.234.166.0 - 205.234.166.255
HAProxy Technologies, Inc. HAPNET-1 (NET-104-152-112-0-1) 104.152.112.0 - 104.152.119.255
HAProxy Technologies, Inc. (AS11019) HAPROXY-TECHNOLOGIES 11019



#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

As an alternate answer, using CURL or any REST client via RWHOIS is in my opinion MUCH easier to parse.

curl http://whois.arin.net/rest/org/HT-136/nets

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='http://whois.arin.net/xsl/website.xsl' ?>
<nets xmlns="http://www.arin.net/whoisrws/core/v1" xmlns:ns2="http://www.arin.net/whoisrws/rdns/v1" xmlns:ns3="http://www.arin.net/whoisrws/netref/v2" termsOfUse="https://www.arin.net/whois_tou.html" inaccuracyReportUrl="http://www.arin.net/public/whoisinaccuracy/index.xhtml">
   <limitExceeded limit="256">false</limitExceeded>
   <netRef startAddress="205.234.170.0" endAddress="205.234.170.255" name="SCNET-205-234-170-0-1" handle="NET-205-234-170-0-1">http://whois.arin.net/rest/net/NET-205-234-170-0-1</netRef>
   <netRef startAddress="205.234.181.0" endAddress="205.234.181.255" name="SCNET-205-234-181-0-1" handle="NET-205-234-181-0-1">http://whois.arin.net/rest/net/NET-205-234-181-0-1</netRef>
   <netRef startAddress="205.234.165.0" endAddress="205.234.165.255" name="SCNET-205-234-165-0-1" handle="NET-205-234-165-0-1">http://whois.arin.net/rest/net/NET-205-234-165-0-1</netRef>
   <netRef startAddress="205.234.166.0" endAddress="205.234.166.255" name="SCNET-205-234-166-0-1" handle="NET-205-234-166-0-2">http://whois.arin.net/rest/net/NET-205-234-166-0-2</netRef>
   <netRef startAddress="104.152.112.0" endAddress="104.152.119.255" name="HAPNET-1" handle="NET-104-152-112-0-1">http://whois.arin.net/rest/net/NET-104-152-112-0-1</netRef>
</nets>

vSRX – Configuring Multiple Public Addresses on Loopback Interface

Thanks to @ar_ the solution is :

configure ip addresses on lo0.0 with /32 mask
set a discarded static route to /28 (network will then be propagated by BGP)

To go further :

add lo0.0 in untrust zone
set an intra-zone policy to allow 'external' traffic (ex. ping) since lo0.0 won't be the incoming traffic interface.

# show interfaces lo0 
unit 0 {
    family inet {
        address X.X.6.97/32;
        address X.X.6.98/32;
    }
}
# show routing-options 
static {
    route X.X.6.96/28 discard;
}
[··]
# show security zones security-zone untrust 
[..]
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    ge-7/0/0.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
    }
    lo0.0 {
        host-inbound-traffic {
            system-services {
                ping;                   
            }
        }
    }
}
# show security policies from-zone untrust to-zone untrust 
policy permit-ping {
    match {
        source-address any;
        destination-address any;
        application junos-ping;
    }
    then {
        permit;
    }
}

Best Answer

Related Solutions

ARIN Whois – How to Get IP Ranges

vSRX – Configuring Multiple Public Addresses on Loopback Interface

Related Topic