Route table growth and hardware limits...talk to the filter

Jon Lewis jlewis at lewis.org
Fri Sep 7 23:14:01 UTC 2007


This evolved from a thread on another list.  I think it's more appropriate 
for nanog, so here it is.  Since many of you probably aren't on the other 
list, some context is lost, but it shouldn't matter.

The prefix-list presented below should be considered a proof-of-concept / 
work-in-progress.  As stated below, no testing has been done to verify it 
will cause no loss in connectivity (i.e. due to networks deaggregating 
their space and announcing it only as longer subnets than their RIR states 
are the minimum allocation size for the range from which their CIDRs were 
carved).

OTOH, this _should_ be a relatively safe way for networks under the gun to 
upgrade (especially those running 7600/6500 gear with anything less than 
Sup720-3bxl) to survive on an internet with >~240k routes and get by with 
these filtered routes, either buying more time to get upgrades done or 
putting off upgrades for perhaps a considerable time.

Here's what I ended up with (so far) based on Barry Greene's work at

ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/
T-ip-prefix-filter-ingress-strict-check-v18.txt

While working on this, I noticed a bunch of inconsistencies in the expected RIR 
minimum allocations in ISP-Ingress-In-Strict and in the data actually published 
by the various RIRs.

I've adjusted the appropriate entries, and as previously mentioned, flipped 
things around so that for each of the known RIR /8 or shorter prefixes, 
prefixes longer than RIR specified minimums (or /24 in cases where the RIR 
specifies longer than /24) are denied.

Due to the number of minimum acceptable allocation inconsistencies, I 
recollected all the data on number of routes shaved per RIR filter.

For some reason, today I started out with fewer routes (228289...yesterday, I 
started with 230686) with no filtering.

RIR filter section	Reduction in routes
APNIC			16690
ARIN			41070
RIPE			16981
LACNIC			 4468
AFRINIC			 1516
-----------------------------
TOTAL			80725

The end result of applying all the RIR minimum allocation filters was 147564 
BGP routes.  I haven't checked to make sure there was no loss in 
reachability...this is just an idle 7206/NPE225 with nothing but its ethernet 
uplink.

The prefix-list I'm using for this experiment is:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! APNIC  http://www.apnic.net/db/min-alloc.html !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip prefix-list ISP-Ingress-In-Strict SEQ 4000 deny 58.0.0.0/8 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 4001 deny 59.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4002 deny 60.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4004 deny 116.0.0.0/6 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 4008 deny 120.0.0.0/7 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 4009 deny 122.0.0.0/7 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 4011 deny 124.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4012 deny 125.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4013 deny 126.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4014 deny 202.0.0.0/7 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 4016 deny 210.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4018 permit 218.100.0.0/16 ge 17 le 24
ip prefix-list ISP-Ingress-In-Strict SEQ 4019 deny 218.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4021 deny 220.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 4023 deny 222.0.0.0/8 ge 21
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! http://www.arin.net/reference/ip_blocks.html#ipv4    !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip prefix-list ISP-Ingress-In-Strict SEQ 5000 deny 24.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5001 deny 63.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5002 deny 64.0.0.0/7 ge 21
! 66.0.0.0/6 is not aligned on a /6 boundary; IOS stores it as 64.0.0.0/6
! (see the show ip prefix-list output below), which duplicates 64/7 and
! leaves 68/8 and 69/8 unfiltered.  Two aligned /7s cover 66-69 as intended.
ip prefix-list ISP-Ingress-In-Strict SEQ 5004 deny 66.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5006 deny 68.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5008 deny 70.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5010 deny 72.0.0.0/6 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5014 deny 76.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5015 deny 96.0.0.0/6 ge 21
! these ge 25's are redundant, but left in for accounting purposes
ip prefix-list ISP-Ingress-In-Strict SEQ 5020 deny 198.0.0.0/7 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 5022 deny 204.0.0.0/7 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 5023 deny 206.0.0.0/7 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 5032 deny 208.0.0.0/8 ge 23
ip prefix-list ISP-Ingress-In-Strict SEQ 5033 deny 209.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5034 deny 216.0.0.0/8 ge 21
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! RIPE NCC https://www.ripe.net/ripe/docs/ripe-ncc-managed-address-space.html
!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip prefix-list ISP-Ingress-In-Strict SEQ 6000 deny 62.0.0.0/8 ge 20
ip prefix-list ISP-Ingress-In-Strict SEQ 6001 deny 77.0.0.0/8 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6002 deny 78.0.0.0/7 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6004 deny 80.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 6006 deny 82.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 6007 deny 83.0.0.0/8 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6008 deny 84.0.0.0/6 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6012 deny 88.0.0.0/7 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6014 deny 90.0.0.0/8 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6015 deny 91.0.0.0/8 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 6016 deny 92.0.0.0/6 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 6020 deny 193.0.0.0/8 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 6021 deny 194.0.0.0/7 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 6023 deny 212.0.0.0/7 ge 20
ip prefix-list ISP-Ingress-In-Strict SEQ 6025 deny 217.0.0.0/8 ge 21
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! LACNIC  - http://lacnic.net/en/registro/index.html
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip prefix-list ISP-Ingress-In-Strict SEQ 7000 deny 189.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 7001 deny 190.0.0.0/8 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 7002 deny 200.0.0.0/8 ge 25
ip prefix-list ISP-Ingress-In-Strict SEQ 7003 deny 201.0.0.0/8 ge 21
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! AFRINIC  http://www.afrinic.net/index.htm                         !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
ip prefix-list ISP-Ingress-In-Strict SEQ 8000 deny 41.0.0.0/8 ge 23
ip prefix-list ISP-Ingress-In-Strict SEQ 8001 deny 196.0.0.0/8 ge 23
!
ip prefix-list ISP-Ingress-In-Strict SEQ 10200 permit 0.0.0.0/0 le 24

Just to show where a lot of the dropped routes are, here's a show ip 
prefix-list detail after the session is up and "full routes" have been received 
right after clearing the prefix-list counter and then clearing the bgp session.

  ip prefix-list ISP-Ingress-In-Strict:
    count: 51, range entries: 51, sequences: 4000 - 10200, refcount: 3
    seq 4000 deny 58.0.0.0/8 ge 22 (hit count: 609, refcount: 6)
    seq 4001 deny 59.0.0.0/8 ge 21 (hit count: 662, refcount: 1)
    seq 4002 deny 60.0.0.0/7 ge 21 (hit count: 2014, refcount: 2)
    seq 4004 deny 116.0.0.0/6 ge 22 (hit count: 616, refcount: 4)
    seq 4008 deny 120.0.0.0/7 ge 22 (hit count: 370, refcount: 3)
    seq 4009 deny 122.0.0.0/7 ge 22 (hit count: 1153, refcount: 1)
    seq 4011 deny 124.0.0.0/8 ge 21 (hit count: 1040, refcount: 3)
    seq 4012 deny 125.0.0.0/8 ge 21 (hit count: 1302, refcount: 1)
    seq 4013 deny 126.0.0.0/8 ge 21 (hit count: 0, refcount: 1)
    seq 4014 deny 202.0.0.0/7 ge 25 (hit count: 0, refcount: 6)
    seq 4016 deny 210.0.0.0/7 ge 21 (hit count: 4776, refcount: 4)
    seq 4018 permit 218.100.0.0/16 ge 17 le 24 (hit count: 4, refcount: 1)
    seq 4019 deny 218.0.0.0/7 ge 21 (hit count: 1285, refcount: 3)
    seq 4021 deny 220.0.0.0/7 ge 21 (hit count: 2164, refcount: 2)
    seq 4023 deny 222.0.0.0/8 ge 21 (hit count: 679, refcount: 1)
    seq 5000 deny 24.0.0.0/8 ge 21 (hit count: 1889, refcount: 1)
    seq 5001 deny 63.0.0.0/8 ge 21 (hit count: 2818, refcount: 2)
    seq 5002 deny 64.0.0.0/7 ge 21 (hit count: 8420, refcount: 1)
    seq 5004 deny 64.0.0.0/6 ge 21 (hit count: 7878, refcount: 4)
    seq 5008 deny 70.0.0.0/7 ge 21 (hit count: 1426, refcount: 1)
    seq 5010 deny 72.0.0.0/6 ge 21 (hit count: 4637, refcount: 2)
    seq 5014 deny 76.0.0.0/8 ge 21 (hit count: 255, refcount: 3)
    seq 5015 deny 96.0.0.0/6 ge 21 (hit count: 23, refcount: 1)
    seq 5020 deny 198.0.0.0/7 ge 25 (hit count: 0, refcount: 3)
    seq 5022 deny 204.0.0.0/7 ge 25 (hit count: 0, refcount: 2)
    seq 5023 deny 206.0.0.0/7 ge 25 (hit count: 0, refcount: 1)
    seq 5032 deny 208.0.0.0/8 ge 23 (hit count: 3322, refcount: 2)
    seq 5033 deny 209.0.0.0/8 ge 21 (hit count: 4661, refcount: 1)
    seq 5034 deny 216.0.0.0/8 ge 21 (hit count: 5734, refcount: 2)
    seq 6000 deny 62.0.0.0/8 ge 20 (hit count: 1428, refcount: 1)
    seq 6001 deny 77.0.0.0/8 ge 22 (hit count: 447, refcount: 1)
    seq 6002 deny 78.0.0.0/7 ge 22 (hit count: 97, refcount: 1)
    seq 6004 deny 80.0.0.0/7 ge 21 (hit count: 2394, refcount: 4)
    seq 6006 deny 82.0.0.0/8 ge 21 (hit count: 994, refcount: 2)
    seq 6007 deny 83.0.0.0/8 ge 22 (hit count: 596, refcount: 1)
    seq 6008 deny 84.0.0.0/6 ge 22 (hit count: 3197, refcount: 1)
    seq 6012 deny 88.0.0.0/7 ge 22 (hit count: 1933, refcount: 3)
    seq 6014 deny 90.0.0.0/8 ge 22 (hit count: 32, refcount: 2)
    seq 6015 deny 91.0.0.0/8 ge 25 (hit count: 0, refcount: 1)
    seq 6016 deny 92.0.0.0/6 ge 22 (hit count: 0, refcount: 1)
    seq 6020 deny 193.0.0.0/8 ge 25 (hit count: 0, refcount: 2)
    seq 6021 deny 194.0.0.0/7 ge 25 (hit count: 0, refcount: 1)
    seq 6023 deny 212.0.0.0/7 ge 20 (hit count: 4190, refcount: 1)
    seq 6025 deny 217.0.0.0/8 ge 21 (hit count: 1690, refcount: 1)
    seq 7000 deny 189.0.0.0/8 ge 21 (hit count: 253, refcount: 2)
    seq 7001 deny 190.0.0.0/8 ge 21 (hit count: 1841, refcount: 1)
    seq 7002 deny 200.0.0.0/8 ge 25 (hit count: 0, refcount: 2)
    seq 7003 deny 201.0.0.0/8 ge 21 (hit count: 2390, refcount: 1)
    seq 8000 deny 41.0.0.0/8 ge 23 (hit count: 378, refcount: 1)
    seq 8001 deny 196.0.0.0/8 ge 23 (hit count: 1136, refcount: 1)
    seq 10200 permit 0.0.0.0/0 le 24 (hit count: 147571, refcount: 1)

----------------------------------------------------------------------
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
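As an added illustration, not part of Jon's post or of the Cisco template it builds on, here is a small Python harness that applies IOS prefix-list first-match semantics (with the usual ge/le defaults and the implicit deny at the end) to a handful of entries taken from the list above and to a few constructed routes. It also shows what happens to the unaligned 66.0.0.0/6 entry, which the router stores as 64.0.0.0/6 (as in the show output above), so routes in 68/8 and 69/8 sail through to the catch-all permit.

```python
import ipaddress
import re

# Constructed subset of the ISP-Ingress-In-Strict list from the post; the last
# line is the catch-all permit.  This is a test harness, not IOS itself.
PREFIX_LIST = """
ip prefix-list ISP-Ingress-In-Strict SEQ 4000 deny 58.0.0.0/8 ge 22
ip prefix-list ISP-Ingress-In-Strict SEQ 4018 permit 218.100.0.0/16 ge 17 le 24
ip prefix-list ISP-Ingress-In-Strict SEQ 4019 deny 218.0.0.0/7 ge 21
ip prefix-list ISP-Ingress-In-Strict SEQ 5004 deny 66.0.0.0/6 ge 21
ip prefix-list ISP-Ingress-In-Strict seq 10200 permit 0.0.0.0/0 le 24
"""

ENTRY = re.compile(r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)"
                   r"(?: ge (\d+))?(?: le (\d+))?$", re.IGNORECASE)

def parse(text):
    """Return entries sorted by sequence number, with IOS ge/le defaults applied."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        seq, action, pfx, ge, le = m.groups()
        # strict=False mirrors the router: 66.0.0.0/6 becomes 64.0.0.0/6
        net = ipaddress.ip_network(pfx, strict=False)
        # no ge/le: exact length; ge alone: up to /32; le alone: from the prefix length
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(seq), action.lower(), net, lo, hi))
    return sorted(entries)

def evaluate(entries, route):
    """First match wins; ('deny', None) means the implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action, seq
    return "deny", None

def filtered(text, routes):
    """Map each route to the (action, seq) that decided it."""
    entries = parse(text)
    return {r: evaluate(entries, r) for r in routes}

if __name__ == "__main__":
    # Constructed sample routes: long APNIC prefix, short APNIC prefix, the
    # 218.100/16 exception, a 69/8 route slipping past the misaligned entry, a /25.
    samples = ["58.1.4.0/22", "58.1.0.0/16", "218.100.5.0/24",
               "218.5.0.0/24", "69.10.0.0/24", "1.2.3.0/25"]
    for route, verdict in filtered(PREFIX_LIST, samples).items():
        print(route, verdict)
```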
