Re: Anyone notice strange announcements for 220.127.116.11/24
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 13 Jan 2009 12:31:12 -0500
On Jan 13, 2009, at 11:53 AM, David Barak wrote:
> --- On Tue, 1/13/09, Jared Mauch <jared () puck nether net> wrote:
>> No, they are both victims. If I inject a path that
>> there is an edge between two networks which are engaged in
>> dispute, (I'll use Cogent & Sprint as an example) -
>> _1239_174_ that may
>> create a situation where someone asserts that their routes
>> are being filtered when in fact no connectivity exists.
> That's a theoretical possibility, but who would be the one doing the
> asserting? I would argue that it would either be the owner of the
> announced space or someone trying to reach it. In this case, nobody
> was trying to reach the /24 in question, and the owner was the one
> doing the experiment. Victimless crime, at most.
Interesting. You think it is OK to use my ASN for things as long
as no one is trying to do those things?
>> Does that mean that I hijacked their identity and forged
>> it? What level of trust do you place in the AS_PATH for your
>> routing, debugging and decision making process?
> AS_PATH != identity, and I would not recommend loading the latter
> onto the former.
We disagree. When I am researching something, I frequently look at
ASNs in the path to figure out not just where but who controls the path.
>> Personally, I would be upset if someone injected a route
>> with my ASN in the AS_PATH without my permission.
> Why? Is this a theoretical "because it's ugly" complaint, or is
> there a reason why manipulating this particular BGP attribute in
> this particular way is so bad? Organizations do filtering and
> routing manipulation all over the place. Is there something worse
> about doing it this way than others?
Filtering and other manipulation happened on your router, prepending
my ASN is putting that information into every router. That seems to
be a serious qualitative difference to me. Do you disagree?
This thread has been interesting & educational. So many people seem
to be happy to explain why they should be allowed to use globally
unique identifiers they do not own in ways which were not intended,
then explain to the people who do own those identifiers how they
should react, which alarms should go off, and even which priority the
alarms should have.
As I have repeated probably hundreds of times: Your network, your
decision. I have yet to hear a credible argument against that
stance. What you do _inside_ your network is _your_ decision. When
it leaves your network, however, things change.
Announcing an ASN which is not yours to eBGP peers means it is leaving
your network, which means it is not just your business. Doing so and
then telling the ASN owner that they should not worry about it
afterwards - and in fact arguing when the owner repeatedly tells you
this caused them problems - does not seem to be the proper course of
I mentioned earlier in the thread that if Cogent were prepending Sprint's ASN to
Verio, people would react differently. Randy said tools can be used
for good or bad, obviously implying he's the good guy. He is not the
good guy. He used someone else's resources without their permission
and without even notifying them, costing them time & effort. Randy
doesn't get to decide if the ASN owner should have alerted or
investigated or whatever, and neither do any of you unless it is your
How can anyone seriously argue the ASN owner is somehow wrong and keep
a straight face? How can anyone else who actually runs a network not
see that as ridiculous?
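
The kind of alarm an ASN owner might run over route-collector data, as an added example that is not part of the original message: it flags observed AS_PATHs in which the monitored ASN sits next to a network it has no session with, such as the `_1239_174_` edge in the quoted text. The neighbor list, the prefixes and every ASN other than 1239 and 174 are constructed assumptions.

```python
"""Added example: alert on AS_PATHs that place a monitored ASN next to an
unexpected neighbour. Everything except ASNs 1239 and 174 is constructed."""

MY_ASN = 1239                       # monitored ASN (the thread's _1239_174_ example)
KNOWN_NEIGHBORS = {64500, 64501}    # assumed: ASNs MY_ASN really has sessions with

# Constructed collector view: (prefix, AS_PATH with the origin on the right)
SAMPLE_UPDATES = [
    ("192.0.2.0/24", "64496 64500 1239"),
    ("198.51.100.0/24", "64497 64501 1239 1239 1239"),  # ordinary self-prepending
    ("203.0.113.0/24", "64498 1239 174 64499"),         # ASN inserted by a third party
    ("203.0.113.0/24", "64498 64499"),
]

def collapse(path):
    """Parse an AS_SEQUENCE string and fold consecutive repeats (prepends)."""
    hops = []
    for token in path.split():
        asn = int(token)            # AS_SET tokens like {1,2} raise ValueError
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def unexpected_edges(path, my_asn=MY_ASN, known=KNOWN_NEIGHBORS):
    """Return (left, right) AS pairs that show my_asn beside an unknown neighbour."""
    hops = collapse(path)
    edges = []
    for i, asn in enumerate(hops):
        if asn != my_asn:
            continue
        if i > 0 and hops[i - 1] not in known:
            edges.append((hops[i - 1], my_asn))
        if i + 1 < len(hops) and hops[i + 1] not in known:
            edges.append((my_asn, hops[i + 1]))
    return edges

def scan(updates):
    """Return (prefix, edge) alerts for every update that needs investigation."""
    return [(prefix, edge) for prefix, path in updates
            for edge in unexpected_edges(path)]

if __name__ == "__main__":
    for prefix, (left, right) in scan(SAMPLE_UPDATES):
        print(f"ALERT {prefix}: AS{left} adjacent to AS{right} is not a known session")
```

An alert here only says the path shows an adjacency the owner does not recognise; whether that reflects a leak, a forged path or a stale neighbor list still has to be investigated.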