netsec-sig - Re: [Security-WG] Perverse Routing
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- To: NTAC <>, ,
- Subject: Re: [Security-WG] Perverse Routing
- Date: Sun, 29 Dec 2019 00:41:58 -0600
About 20 months ago I sent a similar message, forwarded below. Note: most of the same routes and ASNs are involved.
Thinking about the recirculation of I2PX routes, this is effectively a routing loop and a consequence of using a different ASN for I2PX. If the same ASN was used, BGP would have automatically blocked this. Therefore, I suggest filtering any routes containing AS11164 on ingress to AS11537 and vice versa; this should be considered a routing loop, plain and simple.
Thanks
---------- Forwarded message ---------
From: David Farmer <>
Date: Sat, Apr 7, 2018 at 3:28 PM
Subject: R&E routing anomalies
To: <>
I looked a little deeper and found several things that at least at first glance look like routing anomalies in the R&E routing table. It is possible that some of these are intentional, but I suspect at least some of these are mistakes or some other kind of problem.
MAGPI, MATP, NCREN, and OneNet should all take a close look;
There are a number of routes with TR/CPS in the AS path from a few different connectors.
*> 24.199.205.0/24 146.57.255.241 2691 202 0 11537 81 11164 7843 11426 i
*> 64.5.144.0/24 146.57.255.241 2142 202 0 11537 40220 11164 22773 19354 i
*> 64.5.147.0/24 146.57.255.241 2142 202 0 11537 40220 11164 22773 i
*> 128.82.0.0/16 146.57.255.241 2142 202 0 11537 40220 11164 22773 12064 1201 ?
*>i129.244.0.0/16 146.57.255.241 1106 202 0 11537 5078 11164 22773 i
*> 137.198.0.0/16 146.57.255.241 2142 202 0 11537 40220 11164 22773 14655 i
*> 151.188.0.0/16 146.57.255.241 2142 202 0 11537 40220 11164 22773 21984 i
*> 204.43.128.0/17 146.57.255.241 3568 202 0 11537 62600 11164 22773 6172 6172 6172 6172 i
*> 206.202.192.0/18 146.57.255.241 1106 202 0 11537 5078 11164 22773 i
*> 216.54.48.0/24 146.57.255.241 2142 202 0 11537 40220 11164 22773 i
*> 216.54.49.0/24 146.57.255.241 2142 202 0 11537 40220 11164 22773 i
*> 216.235.226.0/24 146.57.255.241 2142 202 0 11537 40220 11164 6939 26202 i
Also, there are several routes with transit providers in the AS path, mostly international, but a few by connectors too.
*> 42.83.137.0/24 146.57.255.241 2735 202 0 11537 22388 7660 4641 4641 6939 24785 8763 8763 8763 8763 24151 i
*> 42.83.138.0/24 146.57.255.241 2735 202 0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 64.147.208.0/20 146.57.255.241 2691 202 0 11537 81 3356 27446 i
*> 91.222.202.0/24 146.57.255.241 2749 202 0 11537 8895 3257 39386 25233 47805 i
*> 91.222.203.0/24 146.57.255.241 2749 202 0 11537 8895 3257 39386 25233 47805 i
*> 91.227.24.0/23 146.57.255.241 2749 202 0 11537 8895 3257 48237 35819 56714 i
*> 103.26.196.0/24 146.57.255.241 2735 202 0 11537 22388 7660 23855 24514 3257 132354 132874 i
*> 103.82.167.0/24 146.57.255.241 2735 202 0 11537 22388 7660 24287 24490 18007 64302 136059 7713 136059 i
*> 103.227.140.0/24 146.57.255.241 2735 202 0 11537 22388 7660 23855 24514 3257 45630 134809 133408 i
*> 125.208.43.0/24 146.57.255.241 2735 202 0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 125.208.44.0/24 146.57.255.241 2735 202 0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 130.156.192.0/20 146.57.255.241 2564 202 0 11537 10466 21976 1299 7922 33659 i
*> 133.12.0.0/16 146.57.255.241 2735 202 0 11537 22388 7660 2500 2497 i
*> 133.186.0.0/17 146.57.255.241 2735 202 0 11537 22388 7660 2500 2516 10010 i
*> 192.138.169.0/24 146.57.255.241 2186 202 0 11537 297 209 3356 188 i
*> 193.232.66.0/23 146.57.255.241 2749 202 0 11537 2603 3267 5568 43832 42385 12389 45029 42385 i
*> 204.84.32.0/20 146.57.255.241 2691 202 0 11537 81 3356 27446 i
*> 210.2.4.0/24 146.57.255.241 2735 202 0 11537 22388 7660 4641 4641 6939 28917 39134 15835 24406 i
*> 210.25.0.0/17 146.57.255.241 3809 202 0 11537 23911 4538 4134 i
Finally, there are three routes from CDNs, two are the ones I brought up before, all seem to be international.
*> 104.237.175.0/24 146.57.255.241 2749 202 0 11537 36944 327687 36040 i
*> 104.237.191.0/24 146.57.255.241 2749 202 0 11537 36944 327687 36040 i
*> 200.136.36.0/24 146.57.255.241 3119 202 0 11537 1251 20940 i
Thanks
On Sat, Dec 28, 2019 at 11:51 AM David Farmer <> wrote:
I'm sorry for cross-posting and for naming and shaming, but I think this needs some attention.
These I2 R&E routes all have major commercial transit providers in their AS Paths, a couple even more than one, and one is recirculating an ESNet route via a commercial ISP.
*> 42.83.130.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 103.26.196.0/24 146.57.255.241 3809 202 0 11537 23855 23855 24514 3257 132354 132874 i
*> 42.83.132.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 42.83.137.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 119.40.112.0/24 146.57.255.241 3809 202 0 11537 23855 23855 24514 3257 9930 38868 38868 38868 38868 ?
*> 119.40.124.0/24 146.57.255.241 3809 202 0 11537 23855 23855 24514 3257 9930 38868 38868 38868 38868 ?
*> 125.208.34.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 125.208.41.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
*> 170.158.66.0/23 146.57.255.241 1379 202 0 11537 3754 46158 46158 46158 46158 46158 46887 3356 6453 55002 i
* 192.188.178.0/23 146.57.255.241 2566 202 0 11537 10466 88 6939 293 293 293 50 i
*> 199.59.212.0/22 146.57.255.241 2693 202 0 11537 81 3356 19271 29901 i
*> 202.45.133.0/24 146.57.255.241 3809 202 0 11537 23855 23855 24514 3257 45630 24314 i
*> 203.119.28.0/24 146.57.255.241 2735 202 0 11537 22388 7660 7497 4635 6939 24785 8763 8763 8763 8763 24151 i
Probably even worse, these have major commercial transit providers and I2PX in their AS Paths:
*> 24.199.205.0/24 146.57.255.241 2693 202 0 11537 81 11164 7843 11426 i
*> 64.5.147.0/24 146.57.255.241 2143 202 0 11537 40220 11164 22773 i
*> 65.254.166.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 i
*> 65.254.181.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 i
*> 65.254.182.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 i
*> 65.254.183.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 i
*> 65.254.184.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 47036 i
*> 65.254.185.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 47036 i
*> 128.82.0.0/16 146.57.255.241 2143 202 0 11537 40220 11164 22773 1201 1201 1201 1201 ?
*> 137.198.0.0/16 146.57.255.241 2143 202 0 11537 40220 11164 22773 14655 i
*> 151.188.0.0/16 146.57.255.241 2143 202 0 11537 40220 11164 22773 21984 i
*> 204.84.32.0/20 146.57.255.241 2693 202 0 11537 81 11164 6939 27446 i
*> 216.54.48.0/24 146.57.255.241 2143 202 0 11537 40220 11164 22773 i
*> 216.54.49.0/24 146.57.255.241 2143 202 0 11537 40220 11164 22773 i
*> 216.146.50.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 22299 i
*> 216.235.226.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 26202 i
*> 216.235.226.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 26202 i
And these are Google Global Cache Anycast addresses that probably shouldn't be in the R&E table, especially coming from Africa. Please note that I receive 104.237.191.0/24 via local peering with Google and was routing it to Africa until I reduced the local pref of these routes.
*> 104.237.175.0/24 146.57.255.241 2751 10 0 11537 36944 327687 36040 i
* 104.237.191.0/24 146.57.255.241 2751 10 0 11537 36944 327687 36040 i
I suppose some of these could be temporary issues, but I've seen many of these in the R&E table for a while now. So, could someone from Internet2 or GRNOC work with these connectors and international partners to clean up these issues? Even if that means Internet2 needs to filter some of these routes.
Once cleaned up, I'd like to recommend sanity filters to prevent the reoccurrence of these types of issues. Minimally I'd like to suggest that connectors should not be allowed to recirculate I2PX and ESNet routes into the R&E table, but I'd also like major commercial ISPs to be included too.
Thanks
--
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
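
An offline audit of the kind of table quoted in this message, added here as an example and not part of the original thread or of any Internet2 tooling. It replays each route as AS11537 would have seen it on ingress, showing why built-in BGP loop prevention does not catch an AS11164 path and where the proposed sibling-AS filter would. The `TRANSIT` set, the `SIBLINGS` table, the function names and the last sample line are assumptions made for illustration.

```python
import re
from itertools import dropwhile

R_AND_E = 11537   # Internet2 R&E ASN, from the message
I2PX = 11164      # I2PX (TR/CPS) ASN, from the message
SIBLINGS = {R_AND_E: {I2PX}, I2PX: {R_AND_E}}
# Assumption: operator-maintained set of commercial transit ASNs (illustrative, not exhaustive).
TRANSIT = {1299, 3257, 3356, 6453, 6939}

# status flags, prefix, next hop, metric, local-pref, weight, AS path, origin code
LINE = re.compile(r"^\*(>?)\s*i?\s*(\S+)\s+\S+\s+\d+\s+\d+\s+\d+\s+((?:\d+\s+)+)[ie?]$")

def parse(line):
    """Return (prefix, [asn, ...]) for one 'show ip bgp' style line, else None."""
    m = LINE.match(line.strip())
    return (m.group(2), [int(a) for a in m.group(3).split()]) if m else None

def ingress_verdict(local_asn, path):
    """What local_asn should do with a route arriving with AS path `path`."""
    if local_asn in path:
        return "reject: own ASN in path (built-in BGP loop prevention)"
    hit = SIBLINGS.get(local_asn, set()) & set(path)
    if hit:
        return "reject: sibling AS%d in path (proposed filter)" % min(hit)
    seen = sorted(set(path) & TRANSIT)
    if seen:
        return "flag: commercial transit " + ",".join("AS%d" % a for a in seen)
    return "accept"

def audit(lines, upstream=R_AND_E):
    """Replay routes learned from `upstream` as they looked on upstream's ingress."""
    report = {}
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[1][0] == upstream:
            # Strip upstream's own prepend(s) to recover the path it received.
            inner = list(dropwhile(lambda a: a == upstream, parsed[1]))
            report[parsed[0]] = ingress_verdict(upstream, inner)
    return report

SAMPLE = [  # first four lines are copied from the message; the last is constructed
    "*> 24.199.205.0/24 146.57.255.241 2693 202 0 11537 81 11164 7843 11426 i",
    "*>i129.244.0.0/16 146.57.255.241 1106 202 0 11537 5078 11164 22773 i",
    "*> 64.147.208.0/20 146.57.255.241 2691 202 0 11537 81 3356 27446 i",
    "*> 216.235.226.0/24 146.57.255.241 2143 202 0 11537 40220 11164 6939 26202 i",
    "*> 192.0.2.0/24 146.57.255.241 100 202 0 11537 64500 i",
]

if __name__ == "__main__":
    for prefix, verdict in audit(SAMPLE).items():
        print(f"{prefix:18} {verdict}")
```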