Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Perverse Routing

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Perverse Routing


Chronological Thread 
  • From: David Farmer <>
  • To: NTAC <>, ,
  • Subject: Re: [Security-WG] Perverse Routing
  • Date: Sun, 29 Dec 2019 00:41:58 -0600

About 20 months ago I sent a similar message, forwarded below; Note: Most the same routes and ASNs are involved

Thinking about the recirculation of I2PX routes, this is effectively a routing loop and a consequence of using a different ASN for I2PX. If the same ASN was used BGP would have automatically blocked this. Therefore, I suggest filtering any routes containing AS11164 on ingress to AS11537 and vice versa, this should be considered a routing loop plan and simple.

Thanks
 
---------- Forwarded message ---------
From: David Farmer <>
Date: Sat, Apr 7, 2018 at 3:28 PM
Subject: R&E routing anomalies
To: <>


I looked a little deeper and found several things that at least at first glance look like routing anomalies in the R&E routing table.  It is possible that some of these are intentional, but I suspect at least some of these are mistakes or some other kind of problem.

MAGPI, MATP, NCREN, and OneNet should all take a close look;

There are a number routes with TR/CPS in the AS path from a few different connectors. 

*> 24.199.205.0/24    146.57.255.241        2691    202      0 11537 81 11164 7843 11426 i
*> 64.5.144.0/24      146.57.255.241        2142    202      0 11537 40220 11164 22773 19354 i
*> 64.5.147.0/24      146.57.255.241        2142    202      0 11537 40220 11164 22773 i
*> 128.82.0.0/16      146.57.255.241        2142    202      0 11537 40220 11164 22773 12064 1201 ?
*>i129.244.0.0/16     146.57.255.241        1106    202      0 11537 5078 11164 22773 i
*> 137.198.0.0/16     146.57.255.241        2142    202      0 11537 40220 11164 22773 14655 i
*> 151.188.0.0/16     146.57.255.241        2142    202      0 11537 40220 11164 22773 21984 i
*> 204.43.128.0/17    146.57.255.241        3568    202      0 11537 62600 11164 22773 6172 6172 6172 6172 i
*> 206.202.192.0/18   146.57.255.241        1106    202      0 11537 5078 11164 22773 i
*> 216.54.48.0/24     146.57.255.241        2142    202      0 11537 40220 11164 22773 i
*> 216.54.49.0/24     146.57.255.241        2142    202      0 11537 40220 11164 22773 i
*> 216.235.226.0/24   146.57.255.241        2142    202      0 11537 40220 11164 6939 26202 i

Also, there are several routes with transit providers in the AS path, mostly international, but a few by connectors too.

*> 42.83.137.0/24     146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 24785 8763 8763 8763 8763 24151 i
*> 42.83.138.0/24     146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 64.147.208.0/20    146.57.255.241        2691    202      0 11537 81 3356 27446 i
*> 91.222.202.0/24    146.57.255.241        2749    202      0 11537 8895 3257 39386 25233 47805 i
*> 91.222.203.0/24    146.57.255.241        2749    202      0 11537 8895 3257 39386 25233 47805 i
*> 91.227.24.0/23     146.57.255.241        2749    202      0 11537 8895 3257 48237 35819 56714 i
*> 103.26.196.0/24    146.57.255.241        2735    202      0 11537 22388 7660 23855 24514 3257 132354 132874 i
*> 103.82.167.0/24    146.57.255.241        2735    202      0 11537 22388 7660 24287 24490 18007 64302 136059 7713 136059 i
*> 103.227.140.0/24   146.57.255.241        2735    202      0 11537 22388 7660 23855 24514 3257 45630 134809 133408 i
*> 125.208.43.0/24    146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 125.208.44.0/24    146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 130.156.192.0/20   146.57.255.241        2564    202      0 11537 10466 21976 1299 7922 33659 i
*> 133.12.0.0/16      146.57.255.241        2735    202      0 11537 22388 7660 2500 2497 i
*> 133.186.0.0/17     146.57.255.241        2735    202      0 11537 22388 7660 2500 2516 10010 i
*> 152.41.0.0/16      146.57.255.241        2691    202      0 11537 81 209 3257 2711 26903 22854 i
*> 192.138.169.0/24   146.57.255.241        2186    202      0 11537 297 209 3356 188 i
*> 193.232.66.0/23    146.57.255.241        2749    202      0 11537 2603 3267 5568 43832 42385 12389 45029 42385 i
*> 194.246.96.0/24    146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 24785 8763 31529 i
*> 204.84.32.0/20     146.57.255.241        2691    202      0 11537 81 3356 27446 i
*> 210.2.4.0/24       146.57.255.241        2735    202      0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 210.25.0.0/17      146.57.255.241        3809    202      0 11537 23911 4538 4134 i

Finally, there are three routes from CDNs, two are the ones I brought up before, all seem to be international.

*> 104.237.175.0/24   146.57.255.241        2749    202      0 11537 36944 327687 36040 i
*> 104.237.191.0/24   146.57.255.241        2749    202      0 11537 36944 327687 36040 i
*> 200.136.36.0/24    146.57.255.241        3119    202      0 11537 1251 20940 i

Thanks

On Sat, Dec 28, 2019 at 11:51 AM David Farmer <> wrote:
I'm sorry for cross-posting and for naming and shaming, but I think this needs some attention.

These I2 R&E routes all have major commercial transit providers in their AS Paths, a couple even more than one, and one is recirculating an ESNet route via a comercial ISP.
*> 42.83.130.0/24     146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 42.83.132.0/24     146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 42.83.137.0/24     146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 82.194.8.0/24      146.57.255.241        2188    202      0 11537 20965 202993 3356 29049 29584 i
*> 98.179.129.0/24    146.57.255.241        3358    202      0 11537 62600 209 209 209 209 12189 20454 53372 i
*> 103.26.196.0/24    146.57.255.241        3809    202      0 11537 23855 23855 24514 3257 132354 132874 i
*> 119.40.112.0/24    146.57.255.241        3809    202      0 11537 23855 23855 24514 3257 9930 38868 38868 38868 38868 ?
*> 119.40.124.0/24    146.57.255.241        3809    202      0 11537 23855 23855 24514 3257 9930 38868 38868 38868 38868 ?
*> 125.208.34.0/24    146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 125.208.41.0/24    146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 170.158.66.0/23    146.57.255.241        1379    202      0 11537 3754 46158 46158 46158 46158 46158 46887 3356 6453 55002 i
*  192.188.178.0/23   146.57.255.241        2566    202      0 11537 10466 88 6939 293 293 293 50 i
*> 195.162.72.0/23    146.57.255.241        2751    202      0 11537 8895 3356 57344 197304 i
*> 195.189.212.0/24   146.57.255.241        2751    202      0 11537 8895 6453 6762 39386 25233 i
*> 199.59.212.0/22    146.57.255.241        2693    202      0 11537 81 3356 19271 29901 i
*> 199.125.69.0/24    146.57.255.241        2751    202      0 11537 10578 14325 6939 7922 14265 i
*> 202.45.133.0/24    146.57.255.241        3809    202      0 11537 23855 23855 24514 3257 45630 24314 i
*> 203.119.28.0/24    146.57.255.241        2735    202      0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*  203.119.33.0/24    146.57.255.241        2735    202      0 11537 22388 7660 7497 3491 21859 24151 i

Probably even worse these have major commercial transit providers and I2PX in their AS Paths 
*> 24.199.205.0/24    146.57.255.241        2693    202      0 11537 81 11164 7843 11426 i
*> 64.5.147.0/24      146.57.255.241        2143    202      0 11537 40220 11164 22773 i
*> 65.254.166.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 i
*> 65.254.181.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 i
*> 65.254.182.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 i
*> 65.254.183.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 i
*> 65.254.184.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 47036 i
*> 65.254.185.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 47036 i
*> 128.82.0.0/16      146.57.255.241        2143    202      0 11537 40220 11164 22773 1201 1201 1201 1201 ?
*> 137.198.0.0/16     146.57.255.241        2143    202      0 11537 40220 11164 22773 14655 i
*> 151.188.0.0/16     146.57.255.241        2143    202      0 11537 40220 11164 22773 21984 i
*> 204.84.32.0/20     146.57.255.241        2693    202      0 11537 81 11164 6939 27446 i
*> 216.54.48.0/24     146.57.255.241        2143    202      0 11537 40220 11164 22773 i
*> 216.54.49.0/24     146.57.255.241        2143    202      0 11537 40220 11164 22773 i
*> 216.146.50.0/24    146.57.255.241        2143    202      0 11537 40220 11164 6939 22299 i
*> 216.235.226.0/24   146.57.255.241        2143    202      0 11537 40220 11164 6939 26202 i
*> 216.235.226.0/24   146.57.255.241        2143    202      0 11537 40220 11164 6939 26202 i

And these are Google Global Cache Anycast addresses that probably shouldn't be in the R&E table, especially coming from Africa. Please note that I receive 104.237.191.0/24 via local peering with Google and was routing it to Africa until I reduced the local pref of these routes.
*> 104.237.175.0/24   146.57.255.241        2751     10      0 11537 36944 327687 36040 i
*  104.237.191.0/24   146.57.255.241        2751     10      0 11537 36944 327687 36040 i

I suppose some of these could be temporary issues, but I've seen many of these in the R&E table for a while now. So, could someone from Internet2 or GRNOC work with these connectors and international partners to clean up these issues? Even if that means Internet2 needs to filter some of these routes.

Once cleaned up, I'd like to recommend sanity filters to prevent the reoccurrence of these types of issues. Minimally I'd like to suggest that connectors should not be allowed to recirculate I2PX and ESNet routes into the R&E table, but I'd also like major commercial ISP to be included too. 

Thanks
--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================


--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================



Archive powered by MHonArc 2.6.19.

Top of Page