Re: Is AS information useful for security?
From: Paolo Lucente <pl+list () pmacct net>
Date: Thu, 15 Dec 2011 17:35:44 +0000

On Thu, Dec 15, 2011 at 11:28:48AM -0500, Drew Weaver wrote:
> I could be wrong here but I believe origin-AS uses a lookup from the routing table to figure out what the originAS
> for the source IP should be (and not what it explicitly IS) which means the information is unreliable.

Using a bit of Cisco jargon, I believe we speak of source peer-AS and
asymmetric routing. True what you say, but more accurate information
can be achieved by correlation, i.e. against the input interface. This
leaves open the case of input traffic from a shared medium, i.e. an IXP.
If using sFlow, MAC layer information would be pretty much available
for the job; if using NetFlow instead, NetFlow v9 (and IPFIX .. brrr)
could come to the rescue .. if it was not for lack of implementation of
the MAC layer primitives for routed traffic (i.e. not switched) by the
vendors on the bigger pieces of iron (i.e. no ASR1K, software routers,