Re: Anyone notice strange announcements for 174.128.31.0/24
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Tue, 13 Jan 2009 12:31:12 -0500

On Jan 13, 2009, at 11:53 AM, David Barak wrote:
--- On Tue, 1/13/09, Jared Mauch <jared () puck nether net> wrote:

        No, they are both victims.  If I inject a path that purports there is an edge between two networks which are engaged in a bitter dispute, (I'll use Cogent & Sprint as an example) - _1239_174_ that may create a situation where someone asserts that their routes are being filtered when in fact no connectivity exists.

That's a theoretical possibility, but who would be the one doing the asserting? I would argue that it would either be the owner of the announced space or someone trying to reach it. In this case, nobody was trying to reach the /24 in question, and the owner was the one doing the experiment. Victimless crime, at most.

Interesting. You think it is OK to use my ASN for things as long as no one is trying to do those things?


        Does that mean that I hijacked their identity and forged it?  What level of trust do you place in the AS_PATH for your routing, debugging and decision making process?

AS_PATH != identity, and I would not recommend loading the latter onto the former.

We disagree. When I am researching something, I frequently look at ASNs in the path to figure out not just where but who controls the path.


        Personally, I would be upset if someone injected a route with my ASN in the AS_PATH without my permission.

Why? Is this a theoretical "because it's ugly" complaint, or is there a reason why manipulating this particular BGP attribute in this particular way is so bad? Organizations do filtering and routing manipulation all over the place. Is there something worse about doing it this way than others?

Filtering and other manipulation happened on your router, prepending my ASN is putting that information into every router. That seems to be a serious qualitative difference to me. Do you disagree?


This thread has been interesting & educational. So many people seem to be happy to explain why they should be allowed to use globally unique identifiers they do not own in ways which were not intended, then explain to the people who do own those identifiers how they should react, which alarms should go off, and even which priority the alarms should have.

As I have repeated probably hundreds of times: Your network, your decision. I have yet to hear a credible argument against that stance. What you do _inside_ your network is _your_ decision. When it leaves your network, however, things change.

Announcing an ASN which is not yours to eBGP peers means it is leaving your network, which means it is not just your business. Doing so and then telling the ASN owner that they should not worry about it afterwards - and in fact arguing when the owner repeatedly tells you this caused them problems - does not seem to be the proper course of action.


I mentioned earlier in the thread that if Cogent were prepending Sprint's ASN to Verio, people would react differently. Randy said tools can be used for good or bad, obviously implying he's the good guy. He is not the good guy. He used someone else's resources without their permission and without even notifying them, costing them time & effort. Randy doesn't get to decide if the ASN owner should have alerted or investigated or whatever, and neither do any of you unless it is your ASN.

How can anyone seriously argue the ASN owner is somehow wrong and keep a straight face? How can anyone else who actually runs a network not see that as ridiculous?

--
TTFN,
patrick
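The check the thread keeps circling back to, written out as an added example that is not part of any message above: an ASN owner watching received AS_PATHs for adjacencies to its own ASN that do not match its real peerings, such as the _1239_174_ edge Jared describes. The ASN, neighbor set and sample paths are constructed assumptions, not data from the thread.

```python
"""Flag AS_PATHs that assert an edge between our ASN and an ASN we do not peer
with. Added example; OUR_ASN, KNOWN_NEIGHBORS and the sample paths are constructed."""
import re

OUR_ASN = 1239                      # assumption: the ASN we operate
KNOWN_NEIGHBORS = {3356, 2914, 7018}  # assumption: ASNs we actually have sessions with


def parse_as_path(path: str) -> list[set[int]]:
    """Turn 'a b {c,d} e' into a list of hops; an AS_SET becomes a set of ASNs."""
    hops = []
    for tok in re.findall(r"\{[^}]*\}|\d+", path):
        if tok.startswith("{"):
            members = re.split(r"[,\s]+", tok.strip("{}"))
            hops.append({int(a) for a in members if a})
        else:
            hops.append({int(tok)})
    return hops


def collapse_prepends(hops: list[set[int]]) -> list[set[int]]:
    """Merge consecutive identical hops so legitimate prepending is not read as an edge."""
    out = []
    for hop in hops:
        if not out or out[-1] != hop:
            out.append(hop)
    return out


def bogus_edges(path: str, our_asn: int = OUR_ASN,
                neighbors: set[int] = KNOWN_NEIGHBORS) -> list[tuple[int, int]]:
    """Return (our_asn, other) pairs for each claimed adjacency to our ASN that is
    not in our neighbor set. An empty list means the path matches known peerings."""
    hops = collapse_prepends(parse_as_path(path))
    found = set()
    for i, hop in enumerate(hops):
        if our_asn not in hop:
            continue
        for j in (i - 1, i + 1):          # look at the hop on either side of ours
            if 0 <= j < len(hops):
                for other in hops[j]:
                    if other != our_asn and other not in neighbors:
                        found.add((our_asn, other))
    return sorted(found)


if __name__ == "__main__":
    for p in ["2914 1239 174", "3356 1239 1239 1239 7018", "701 1239 {174,3356}"]:
        print(p, "->", bogus_edges(p))
```

Paths are matched against the neighbor set after prepends are collapsed, so a route you prepended yourself produces no alert while a path with your ASN next to a stranger's does.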


