Hi List
A customer complained, he cannot reach the website of chinese embassy in Switzerland.
CH.CHINA-EMBASSY.ORG
The DNS Servers are hosted under 125.208.4[567].0/24 and none of our peers do announce those routes to us.
The all, according to the looking glasses, seem to get those routes announced from AS24406 CNNIC but do not redistribute them.
Do others also see this issue?
Mit freundlichen Grüssen
-Benoît Panizzon-
Hey Benoit,
we get them both via Netstream and Sunrise:
[17:29] router1.place5:~# birdc show route 125.208.45.0/24 BIRD 2.0.7 ready. Table master4: 125.208.45.0/24 unicast [sunrise_1_v4 12:29:14.872] * (100) [AS24151?] via 193.192.225.72 on bond0.101 unicast [router1_place6_ungleich_ch_v4 2020-07-05] (100) [AS24151?] via 147.78.195.251 on bond0.8 unicast [router2_place6_ungleich_ch_v4 2020-07-05] (100) [AS24151?] via 147.78.195.252 on bond0.8 [17:29] router1.place5:~#
HTH,
Nico
Benoit Panizzon benoit.panizzon@imp.ch writes:
Hi List
A customer complained, he cannot reach the website of chinese embassy in Switzerland.
CH.CHINA-EMBASSY.ORG
The DNS Servers are hosted under 125.208.4[567].0/24 and none of our peers do announce those routes to us.
The all, according to the looking glasses, seem to get those routes announced from AS24406 CNNIC but do not redistribute them.
Do others also see this issue?
Mit freundlichen Grüssen
-Benoît Panizzon-
-- Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch
Well, when I use the Sunrise LG:
BGP routing table entry for 125.208.47.0/24, version 252176985 Paths: (4 available, best #1, table default)
Not advertised to any peer ^------ see!
4134 24151 193.192.254.35 from 193.192.254.35 (212.161.178.83) Origin incomplete, metric 20, localpref 80, valid, internal, best Community: 6730:6200 6730:6222 4134 24151 193.192.254.34 from 193.192.254.34 (212.161.178.93) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6223 4134 24151 212.161.178.83 from 212.161.174.11 (212.161.174.11) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120 4134 24151 212.161.178.83 from 212.161.174.10 (212.161.174.10) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120
We don't get them!
Mit freundlichen Grüssen
-Benoît Panizzon-
Hi Benoit,
from sunrise FTTH in Pfaeffikon/sz it looks "not too bad":
$ traceroute 125.208.4.1 traceroute to 125.208.4.1 (125.208.4.1), 30 hops max, 60 byte packets 1 fritz.box (192.168.1.1) 0.647 ms 0.637 ms 0.715 ms 2 xdsl-31-165-201-1.adslplus.ch (31.165.201.1) 6.064 ms 5.898 ms 5.808 ms 3 oer02pe10.ge2-1-13.bb.sunrise.net (195.141.216.166) 6.476 ms rap31pe02.ge3-0-9.bb.sunrise.net (195.141.216.154) 5.718 ms 6.239 ms 4 * * * 5 zur01pe20.100ge-2-0-0.bb.sunrise.net (212.161.247.129) 5.636 ms 5.473 ms oer02pe20.100ge-2-0-0.bb.sunrise.net (212.161.247.133) 6.098 ms 6 et-0-0-17.bar1.Zurich3.Level3.net (213.242.67.149) 5.936 ms 2.198 ms 2.496 ms 7 ae-2-52.ear1.LosAngeles6.Level3.net (4.69.210.97) 154.041 ms 153.142 ms 153.365 ms 8 ffm-b1-link.telia.net (62.115.141.241) 18.508 ms CHINA-NETCO.ear1.LosAngeles6.Level3.net (4.26.2.166) 165.020 ms ffm-b1-link.telia.net (62.115.141.239) 18.399 ms 9 219.158.117.13 (219.158.117.13) 361.929 ms 361.874 ms 219.158.45.29 (219.158.45.29) 265.678 ms 10 219.158.3.133 (219.158.3.133) 368.084 ms 368.033 ms 360.478 ms 11 * 219.158.3.133 (219.158.3.133) 232.447 ms * 12 219.158.8.121 (219.158.8.121) 297.611 ms 286.350 ms * 13 219.158.7.225 (219.158.7.225) 299.828 ms 125.33.185.226 (125.33.185.226) 383.848 ms 124.65.194.22 (124.65.194.22) 246.454 ms 14 61.148.157.110 (61.148.157.110) 250.196 ms 124.65.194.78 (124.65.194.78) 289.955 ms 61.48.75.178 (61.48.75.178) 397.433 ms 15 61.148.157.110 (61.148.157.110) 302.523 ms * * 16 125.208.16.238 (125.208.16.238) 383.800 ms * * 17 125.208.16.218 (125.208.16.218) 243.419 ms 125.208.16.238 (125.208.16.238) 256.912 ms 257.021 ms 18 125.208.15.82 (125.208.15.82) 267.987 ms 125.208.4.1 (125.208.4.1) 387.041 ms 387.076 ms
cheers
Ralph
----- Am 27. Aug 2020 um 17:33 schrieb Benoit Panizzon benoit.panizzon@imp.ch:
Well, when I use the Sunrise LG:
BGP routing table entry for 125.208.47.0/24, version 252176985 Paths: (4 available, best #1, table default)
Not advertised to any peer ^------ see!
4134 24151 193.192.254.35 from 193.192.254.35 (212.161.178.83) Origin incomplete, metric 20, localpref 80, valid, internal, best Community: 6730:6200 6730:6222 4134 24151 193.192.254.34 from 193.192.254.34 (212.161.178.93) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6223 4134 24151 212.161.178.83 from 212.161.174.11 (212.161.174.11) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120 4134 24151 212.161.178.83 from 212.161.174.10 (212.161.174.10) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120
We don't get them!
Mit freundlichen Grüssen
-Benoît Panizzon-
I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
"Not Advertised to any peer" means that the Looking Glass itself is not re-distributing/Announcing it to another peer.
This is perfectly normal, we keep our internal RR split from the RR that does the route collection and then has a looking glass.
The Looking glass then has a clear "import only, export nothing" policy so yes this would also be "not advertised to any peer"
with your look up on the looking glass, you are looking at the view of this one BGP table, you're not seeing what the actual border routers are doing. This only tells you the presence of a route, not the actual redistribution
At least this is my understanding here ;)
Silvan
----- Ursprüngliche Mail ----- Von: "Benoit Panizzon" benoit.panizzon@imp.ch An: "Nico Schottelius" nico.schottelius@ungleich.ch CC: "swinog" swinog@lists.swinog.ch Gesendet: Donnerstag, 27. August 2020 15:33:53 Betreff: Re: [swinog] Announcement of 'china government' routes 125.208.4[567].0/24 forbidden?
Well, when I use the Sunrise LG:
BGP routing table entry for 125.208.47.0/24, version 252176985 Paths: (4 available, best #1, table default)
Not advertised to any peer ^------ see!
4134 24151 193.192.254.35 from 193.192.254.35 (212.161.178.83) Origin incomplete, metric 20, localpref 80, valid, internal, best Community: 6730:6200 6730:6222 4134 24151 193.192.254.34 from 193.192.254.34 (212.161.178.93) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6223 4134 24151 212.161.178.83 from 212.161.174.11 (212.161.174.11) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120 4134 24151 212.161.178.83 from 212.161.174.10 (212.161.174.10) Origin incomplete, metric 20, localpref 80, valid, internal Community: 6730:6200 6730:6222 Originator: 212.161.178.83, Cluster list: 0.0.3.120
We don't get them!
Mit freundlichen Grüssen
-Benoît Panizzon-
Hi Benoit
Both DNS servers (NS.FMPRC.GOV.CN (125.208.45.1)) and NS3.FMPRC.GOV.CN (125.208.46.1) are slow, but working for me.
m@SRV-EXT01:~# dig +short A @NS.FMPRC.GOV.CN CH.CHINA-EMBASSY.ORG ch.china-embassy.org.whecloud.com. m@SRV-EXT01:~# dig +short A @NS3.FMPRC.GOV.CN CH.CHINA-EMBASSY.ORG ch.china-embassy.org.whecloud.com.
Freundliche Grüsse Matias Meier
-----Ursprüngliche Nachricht----- Von: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] Im Auftrag von Benoit Panizzon Gesendet: Donnerstag, 27. August 2020 17:16 An: swinog@lists.swinog.ch Betreff: [swinog] Announcement of 'china government' routes 125.208.4[567].0/24 forbidden?
Hi List
A customer complained, he cannot reach the website of chinese embassy in Switzerland.
CH.CHINA-EMBASSY.ORG
The DNS Servers are hosted under 125.208.4[567].0/24 and none of our peers do announce those routes to us.
The all, according to the looking glasses, seem to get those routes announced from AS24406 CNNIC but do not redistribute them.
Do others also see this issue?
Mit freundlichen Grüssen
-Benoît Panizzon-
On 2020-08-27 17:16, Benoit Panizzon wrote:
Hi List
A customer complained, he cannot reach the website of chinese embassy in Switzerland.
CH.CHINA-EMBASSY.ORG
The DNS Servers are hosted under 125.208.4[567].0/24 and none of our peers do announce those routes to us.
The all, according to the looking glasses, seem to get those routes announced from AS24406 CNNIC but do not redistribute them.
https://stat.ripe.net/125.208.46.1#tabId=at-a-glance
"125.208.46.0/24 is visible by 99% of 322 IPv4 RIS full peers."
Seems many get it.
Greets, Jeroen
Pudding:
Telia has a route amongst others:
traceroute to 125.208.46.1 (125.208.46.1), 30 hops max, 60 byte packets 1 r2win7.core.init7.net (213.144.131.49) 0.399 ms 0.300 ms 0.298 ms 2 r1win6.core.init7.net (77.109.140.194) 0.345 ms 0.303 ms 8.952 ms 3 r1zrh6.core.init7.net (82.197.168.101) 3.714 ms 7.947 ms 3.632 ms 4 r1glb1.core.init7.net (82.197.168.223) 0.696 ms 0.662 ms 0.774 ms 5 r1zrh2.core.init7.net (77.109.128.237) 0.949 ms 0.917 ms 0.872 ms 6 zch-b2-link.telia.net (62.115.148.48) 6.748 ms 6.817 ms 7.364 ms 7 prs-bb4-link.telia.net (62.115.135.128) 154.649 ms 153.825 ms 153.758 ms 8 ldn-bb3-link.telia.net (62.115.123.68) 157.327 ms ldn-bb3-link.telia.net (62.115.134.93) 156.875 ms ldn-bb3-link.telia.net (62.115.123.68) 156.408 ms 9 * * * 10 * chi-b23-link.telia.net (62.115.137.59) 113.334 ms * 11 sea-b2-link.telia.net (62.115.117.48) 155.829 ms 155.826 ms 155.446 ms 12 chinamobile-ic-342124-sea-b2.c.telia.net (62.115.171.221) 155.576 ms * 157.235 ms 13 223.120.6.53 (223.120.6.53) 169.313 ms * * 14 223.120.12.34 (223.120.12.34) 354.228 ms chinamobile-ic-342124-sea-b2.c.telia.net (62.115.171.221) 166.138 ms 223.120.12.34 (223.120.12.34) 354.171 ms 15 221.183.55.110 (221.183.55.110) 366.540 ms 366.853 ms * 16 * *^C
$ dig +trace CH.CHINA-EMBASSY.ORG
; <<>> DiG 9.16.3 <<>> +trace CH.CHINA-EMBASSY.ORG ;; global options: +cmd . 204425 IN NS h.root-servers.net. . 204425 IN NS m.root-servers.net. . 204425 IN NS k.root-servers.net. . 204425 IN NS g.root-servers.net. . 204425 IN NS b.root-servers.net. . 204425 IN NS i.root-servers.net. . 204425 IN NS d.root-servers.net. . 204425 IN NS l.root-servers.net. . 204425 IN NS a.root-servers.net. . 204425 IN NS f.root-servers.net. . 204425 IN NS c.root-servers.net. . 204425 IN NS j.root-servers.net. . 204425 IN NS e.root-servers.net. . 289637 IN RRSIG NS 8 0 518400 20200906170000 20200824160000 46594 . t6M8J6ex2mlP8Tn+WIlrNB7SAYPv+6+uWn6Ppeu1+IyRhHDYMfdBjG9n QoNUHv6tfhhAPoR4G1zbzRsH3JPciZMwiBJpHcp0Uz9wVQgJBl9PDQ1c fu8iA/7lXo8kCpB0/cgBjvfHfGXF+Gwsvrvve/A8zhxKbiRtgoDNRDe1 /3vkZzLJUODOqlXiIfm2qudMz/y01+siFYM/pgLk5zJbn/4BnAe/9kUc MbqGi7wD5SdlloJ0UYtu5q0LTVu5EQ6JC7s/qgxGAvEiBCRqlo1CKIP/ /bzs4+Krxu01pvGmlsnmOqOCff13EvKPaQt1yuzCO7VzYDXchOfazHnX n/mGJg== ;; Received 1125 bytes from 8.8.8.8#53(8.8.8.8) in 1 ms
org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS d0.org.afilias-nst.org. org. 172800 IN NS c0.org.afilias-nst.info. org. 86400 IN DS 17883 7 1 38C5CF93B369C7557E0515FAAA57060F1BFB12C1 org. 86400 IN DS 17883 7 2 D889CAD790F01979E860D6627B58F85AB554E0E491FE06515F35548D 1EB4E6EE org. 86400 IN RRSIG DS 8 1 86400 20200909050000 20200827040000 46594 . DUBoJT8syNiDGXHXEivBinzu4dFrqKrNSL2Ppwx05Ze+ktzNjSMaBEdm qsWfpBJhgeafBORxwVaq2/4HtZUztd1syWETyBzz6/DjuMCej+vsj5W0 3dX2IfLQCbgL+15N3OsWsIdA87OADUUKFAP6Y18vhvAwMLxC8BuszBcF 8xEYSGGkEKV+rJTHsp1/aNBl0ovKuViB4Ja1cn8u3VQelhfM1IT6SvlB RH3AjpRGUhmuR4kkjKdHADX273nt7TIboLYaM8OPSC8fqjQRkOY5hvk/ h9UNfO0w6ms9MbURoKL7WFhk0glzLtAPcxjHPdkX1qM2U4OCv30kU17T eH2Xuw== ;; Received 853 bytes from 2001:500:200::b#53(b.root-servers.net) in 139 ms
china-embassy.org. 86400 IN NS ns.fmprc.gov.cn. china-embassy.org. 86400 IN NS ns3.fmprc.gov.cn. h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9P94CHNCUOADBOKM57JBRIMA2O6J0IQ NS SOA RRSIG DNSKEY NSEC3PARAM h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20200917154745 20200827144745 21869 org. hVuKf+InL1VJg6zZWYfHiE/KWQTurhYGL1ZAm01XldC7qCkh0HvUPXJf YOfsh9ce6SW+SARSOcKDWY87geZn3iqfQ60aBYtVuz/paw+ShjTlO4pq Pk7xSFRqxXdwiziPyn8038TSbsj1Ub0gavY529ctsZu5e0HfvR/J3RlJ B9U= lj5kk87g89r6as6kb3eoge6c5ntsqup3.org. 86400 IN NSEC3 1 1 1 D399EAAB LJ5VCL7JSD1FEPHNTKQN18KLINQBD1PO NS DS RRSIG lj5kk87g89r6as6kb3eoge6c5ntsqup3.org. 86400 IN RRSIG NSEC3 7 2 86400 20200915152349 20200825142349 21869 org. NHHxgS9G+0ym7oM8KJnvqQuiANjC6gJnZNIcy5I3Ovek18S/oUOzPsoR 8YwzuFkypr5PvSS2lqA/iOlJzdJNq3lwOjaVgtnoVo0wOYzjGdg6C1ia wKm/gPJr/JEnipWWLof6uBjRNnsPeW5p8GPqmG0CyT9vLq+OCV1j1qNh +dU= ;; Received 606 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 35 ms
CH.CHINA-EMBASSY.ORG. 3600 IN CNAME ch.china-embassy.org.whecloud.com. ;; Received 96 bytes from 125.208.46.1#53(ns3.fmprc.gov.cn) in 214 ms
-
Benoit Panizzon -
Jeroen Massar -
Matias Meier -
Nico Schottelius -
Ralph Krämer -
Silvan M. Gebhardt