New version

Posted by Andree Toonk - March 31, 2009
Since NANOG45 I was filled with inspiration for new features in Many of you have sent me your feedback, and whenever possible I implemented the smaller feature requests and bug fixes. Today the newest version went live; this version contains some of the bigger changes and improvements. In this blog post I will go over some of the major changes. These changes include the features listed below:
  1. Support for multiple origin ASNs
  2. Support for multiple upstream ASNs
  3. Improved BGP Man in the Middle (BGP MITM) attack detection
  4. Ignoring certain prefixes
  5. Ignoring certain AS paths
  6. Changed email layout
  7. False positive handling
Besides these new features, there are a number of small bug fixes as well as some performance-related improvements. If you have any questions or feedback, please send me an email or leave a comment on this blog.

Support for multiple origin ASNs.

If your prefix is announced by multiple origin ASNs, this is the feature you were looking for. It allows you to specify a list of additional origin ASNs that are allowed to originate this prefix. This feature is for all my anycast friends out there. In the previous release this was possible by setting your origin AS to 0 (allow all origin AS) and using the regular expression functionality to monitor for allowed origin ASNs. From now on, it's recommended to use the Additional Origin ASN feature. An auto-detect additional origin ASN feature is available.

Support for multiple upstream ASNs.

This feature allows you to specify a list of upstream (transit / peer) ASNs that are allowed as a next hop ASN, i.e. upstream ASN. Previously many users used the regular expression for this. From now on, it's recommended to use the upstream ASN field for this. An auto-detect upstream ASN feature is available to help you cut and paste all your upstreams.

Support for ignore lists.

This is a feature many of you have asked for since the beginning: a way to ignore certain prefixes or AS paths. This feature allows you to ignore prefixes as well as specific AS paths. If you ignore an AS path, you can choose to do this only for a specific prefix or for all your prefixes. The ignore list should help you receive fewer irrelevant alarms.
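How the additional origin ASN list, the upstream ASN list and the ignore lists described above could combine when one announcement is evaluated. This is an added sketch, not the monitoring service's own code. The names `MonitoredPrefix`, `collapse` and `classify` and the result labels are hypothetical, and it assumes the upstream is the AS directly left of the origin and that more-specific announcements are checked too.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class MonitoredPrefix:
    prefix: str
    origin_asns: set      # primary plus additional origin ASNs
    upstream_asns: set    # transit/peer ASNs allowed next to the origin
    ignored_paths: set = field(default_factory=set)  # ignored for this prefix only

def collapse(path):
    """Drop AS-path prepending (consecutive repeats of the same ASN)."""
    hops = []
    for asn in path:
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def classify(announced, as_path, monitored, ignored_prefixes=(), ignored_paths=()):
    """Return 'ignored', 'origin-alarm', 'upstream-alarm', 'ok' or 'unmonitored'."""
    net, path = ipaddress.ip_network(announced), tuple(as_path)
    if not path:
        raise ValueError("empty AS path")
    if any(net == ipaddress.ip_network(p) for p in ignored_prefixes):
        return "ignored"
    if path in {tuple(p) for p in ignored_paths}:  # ignored for all prefixes
        return "ignored"
    for m in monitored:
        mnet = ipaddress.ip_network(m.prefix)
        # Assumption: check announcements equal to or more specific than the prefix.
        if net.version != mnet.version or not net.subnet_of(mnet):
            continue
        if path in m.ignored_paths:
            return "ignored"
        hops = collapse(path)
        if hops[-1] not in m.origin_asns:
            return "origin-alarm"
        # Assumption: the upstream is the AS directly left of the origin.
        if len(hops) > 1 and hops[-2] not in m.upstream_asns:
            return "upstream-alarm"
        return "ok"
    return "unmonitored"

# Constructed sample configuration (documentation prefix and ASNs).
MONITORED = [MonitoredPrefix("192.0.2.0/24", {64500, 64501}, {64510, 64511},
                             {(64496, 64499, 64500)})]

if __name__ == "__main__":
    for pfx, path in [("192.0.2.0/24", [64497, 64510, 64500, 64500]),
                      ("192.0.2.0/25", [64497, 64510, 64505]),
                      ("192.0.2.0/24", [64497, 64498, 64500])]:
        print(pfx, path, classify(pfx, path, MONITORED))
```

The ignore lists are consulted before the origin and upstream checks, so an ignored AS path never raises an alarm even when its upstream is not on the allowed list.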

Changed email layout.

Over the last few months I received quite a lot of feedback regarding the notification emails. I hope that the new layout is an improvement. Besides the layout changes there are two other significant changes. All alarms are now grouped per 5 minutes. This should make your email a bit shorter. Previously they were grouped per 1 minute, which sometimes meant you would see the same alarms multiple times (one for each minute in that 5-minute interval). This also means that the peer threshold numbers have changed from a per 1 minute threshold to a per 5 minute threshold, so you might want to increase your (withdraw) thresholds. The second big change: each alarm message contains a false alert URL. By clicking on this URL you are able to mark that specific alarm as a false positive.

False positive handling.

In order to help you fine-tune your configuration, there's now support for marking alarms as false positives. Depending on the kind of alarm, it will ask you if you want to add the offending attribute to your configuration or to the ignore list.

Overall this new version includes quite a few improvements and new features. All these features are implemented based on the feedback I received from the community over the last few months. Please let me know your experiences, so together we can keep improving the system.
