Re: Anyone notice strange announcements for 174.128.31.0/24
From: Jared Mauch <jared () puck nether net>
Date: Tue, 13 Jan 2009 13:24:05 -0500

On Tue, Jan 13, 2009 at 08:53:42AM -0800, David Barak wrote:
--- On Tue, 1/13/09, Jared Mauch <jared () puck nether net> wrote:
    Does that mean that I hijacked their identity and forged
it?  What level of trust do you place in the AS_PATH for your
routing, debugging and decision making process?

AS_PATH != identity, and I would not recommend loading the latter 
onto the former.

        But it does represent an interesting thing.  Many people treat
AS_PATH as identity, when in fact it's not congruent.

    Personally, I would be upset if someone injected a route
with my ASN in the AS_PATH without my permission.

Why?  Is this a theoretical "because it's ugly" complaint, or is there a 
reason why manipulating this particular BGP attribute in this particular 
way is so bad?  Organizations do filtering and routing manipulation all 
over the place.  Is there something worse about doing it this way than others?

        This is not "because it's ugly", but more complex to understand
the interaction.

        People have asserted that injecting an as-path with 2914 will
utilize the loop-detection mechanism to prevent reachability if your
transit is from 1239 or 174.

        Except that 174 filters out these asns from their customers.

        I've noticed zero complaints since my 'detecting routing leaks by
counting' system was presented at nanog that were not actual leaks when 
too many SFI (tier-1?) asns showed up in a path.

        While most of the challenge could be uneducated readers of an
as-path, without the protocol being changed, it really depends on the
elements in the path being genuine.  Without this trust, we should all
configure our routers to allow our own as in, or work to make it the new
default, and ask providers to change their filtering of other SFI asns
from their customer as-paths.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
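The two mechanisms the message leans on, BGP loop detection (a router discards a path that already contains its own ASN) and the "detecting routing leaks by counting" heuristic (too many settlement-free ASNs in one path), as an added example that is not code from the original post. The SFI set (174, 1239, 2914 from the thread) and the threshold of two are constructed assumptions; the example also handles AS_SETs and prepending, which the post does not discuss.

```python
"""Classify a textual AS_PATH by (a) BGP loop detection and (b) the count of
distinct settlement-free (SFI) ASNs in it.  Added example, not the post's code."""
import re

# Constructed assumption: the SFI/tier-1 ASNs named in the thread.  A real
# deployment would maintain its own curated list.
SFI_ASNS = frozenset({174, 1239, 2914})

# Two SFI ASNs in a path is ordinary peering; a third means one of them is
# carrying transit between the other two.  Threshold is an assumption.
MAX_SFI_IN_PATH = 2

_TOKEN = re.compile(r"\{[^}]*\}|\d+")


def parse_as_path(as_path):
    """Split an AS_PATH string into hops; each hop is a set of ASNs so an
    AS_SET like '{64496 64497}' is one hop with two members."""
    hops = []
    for tok in _TOKEN.findall(as_path):
        if tok.startswith("{"):
            hops.append({int(a) for a in re.findall(r"\d+", tok)})
        else:
            hops.append({int(tok)})
    return hops


def distinct_asns(as_path):
    """All ASNs in the path, so prepends (174 174 174) count once."""
    seen = set()
    for hop in parse_as_path(as_path):
        seen |= hop
    return seen


def sfi_count(as_path):
    """Number of distinct SFI ASNs present in the path."""
    return len(distinct_asns(as_path) & SFI_ASNS)


def would_loop_drop(as_path, local_asn):
    """Standard loop detection: a router discards a path containing its own
    ASN unless it is configured to allow its own AS in."""
    return local_asn in distinct_asns(as_path)


def classify(as_path, local_asn):
    """'dropped-by-loop-detection', 'suspected-leak' or 'ok'."""
    if would_loop_drop(as_path, local_asn):
        return "dropped-by-loop-detection"
    if sfi_count(as_path) > MAX_SFI_IN_PATH:
        return "suspected-leak"
    return "ok"
```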