[140284] in North American Network Operators' Group


Re: Suspecious anycast prefixes

daemon@ATHENA.MIT.EDU (Yaoqing(Joey) Liu)
Mon May 9 10:05:43 2011

In-Reply-To: <20110505182433.GD1798@vacation.karoshi.com.>
Date: Mon, 9 May 2011 09:05:36 -0500
From: "Yaoqing(Joey) Liu" <joey.liuyq@gmail.com>
To: bmanning@vacation.karoshi.com
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, May 5, 2011 at 1:24 PM,  <bmanning@vacation.karoshi.com> wrote:
> On Thu, May 05, 2011 at 09:36:50AM -0500, Yaoqing(Joey) Liu wrote:
>> On Thu, May 5, 2011 at 3:54 AM, Joe Abley <jabley@hopcount.ca> wrote:
>> >
>> > On 2011-05-05, at 11:46, bmanning@vacation.karoshi.com wrote:
>> >
>> >> On Wed, May 04, 2011 at 10:23:12PM -0500, Yaoqing(Joey) Liu wrote:
>> >>> 198.32.64.0/24
>> >>> AS4555:ASName: EP0-BLK-ASNBLOCK-5;OrgName:Almond Oil Process, LLC.
>> >>> AS9584:as-name:GENESIS-AP|descr:Diyixian.com Limited|country:HK
>> >>> AS20144:ASName: L-ROOT;Comment:distributed using Anycast.
>> >>> AS42909: as-name: COMMUNITYDNS;descr: Internet Computer Bureau Ltd
>> >>
>> >>       according to Filip, this is -NOT- supposed to be
>> >>       anycast.  the only legal origin ASN is 4555.
>> >>
>> >>       these other ASNs have hijacked the prefix.
>> >
>> > The source data above may be old, or simply wrong -- I don't see *any* AS originating that prefix right now, and I can confirm specifically AS20144 is not configured to originate it.
>>
>> This is based on the last four years' data (2007-2010) collected from more
>> than 120 peers around the world. Today it may not be announced
>> anymore, but it used to be announced by the four ASNs simultaneously.
>> I just checked the detailed info about this prefix; here it is:
>> 198.32.64.0/24
>> (ASN: average peers announcing this prefix:existing period:total
>> appearing days: MOAS period: total appearing days)
>> 4555:4.94:20080318-20080506:50:20080318-20080506:50
>> 9584:3.07:20080402-20080513:42:20080402-20080513:42
>> 20144:79.44:20070101-20080501:487:20071215-20080501:138
>> 42909:26.39:20071215-20080515:152:20071215-20080513:150
>> >
>> MY source data
>> > Perhaps I'm misunderstanding the original question, but the assertion that anybody is hijacking that particular prefix seems false.
>> >
>> This needs further analysis to confirm if it was hijacked
>>
>> Yaoqing
>> >
>> > Joe
>
>
>        in that period, it was originated by these parties, most of whom were authorized to
>        announce it.  at this time, only one ASN is authorized to announce, and it's not.
>
>        not sure how you expect to determine, with simple routing data, if the prefix was
>        hijacked.  you would need to see the letters of authorization or contracts of service/carriage
>        to determine if an ASN was improperly announcing.
>
>        for that matter, why do you care what occurred years ago?  the Internet is an evolving, fluid media
>        and things change all the time.  if you want particulars on this prefix, i should have the
>        authoritative data, since I was the registered contact for both the prefix and the ASN in that
>        period and can pull the records.  Contact me offline for details on access.

I might not have explained the background clearly and confused people. We're
doing research on the multiple origin AS issue, and we want to confirm if
our inference is correct based on the historical data we collected. For
example, we found several hundred prefixes with more than two
origins; some of them were inferred as anycast using our
methodology, but we're not positive about the conjecture, so we want to
find the ground truth from operators. Thanks for the detailed
explanations.

Thanks,
Yaoqing
>
> /bill
>
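
An added example, not part of the original message or the authors' tooling: parsing the per-origin records for 198.32.64.0/24 quoted above to find the window in which all four origins were seen at once, and the days on which an origin was not observed inside its stated period. It assumes the field layout given in the message's legend and reads "total appearing days" as a count of days observed; all function names are illustrative. As the thread notes, such overlap shows a multiple-origin period but not whether any origin was authorized.

```python
from datetime import datetime

# Records copied from the message above. Field layout, per its legend:
# ASN:avg peers:existing period:appearing days:MOAS period:MOAS appearing days
RECORDS = """\
4555:4.94:20080318-20080506:50:20080318-20080506:50
9584:3.07:20080402-20080513:42:20080402-20080513:42
20144:79.44:20070101-20080501:487:20071215-20080501:138
42909:26.39:20071215-20080515:152:20071215-20080513:150
"""

def period(text):
    """'YYYYMMDD-YYYYMMDD' -> (start_date, end_date)."""
    start, end = (datetime.strptime(p, "%Y%m%d").date() for p in text.split("-"))
    return start, end

def parse(line):
    asn, peers, exist, exist_days, moas, moas_days = line.strip().split(":")
    return {
        "asn": int(asn), "avg_peers": float(peers),
        "exist": period(exist), "exist_days": int(exist_days),
        "moas": period(moas), "moas_days": int(moas_days),
    }

def load(text=RECORDS):
    return [parse(line) for line in text.splitlines() if line.strip()]

def span_days(p):
    """Calendar days covered by a period, both end dates included."""
    return (p[1] - p[0]).days + 1

def missing_days(rec, key="moas"):
    """Days inside the period on which the origin was not counted
    (assumption: 'appearing days' counts days the origin was observed)."""
    return span_days(rec[key]) - rec[key + "_days"]

def common_window(records, key="exist"):
    """Interval covered by every origin's period, or None if they never all overlap."""
    start = max(r[key][0] for r in records)
    end = min(r[key][1] for r in records)
    return (start, end) if start <= end else None

if __name__ == "__main__":
    recs = load()
    for r in recs:
        print(f"AS{r['asn']}: MOAS span {span_days(r['moas'])} days, "
              f"unobserved {missing_days(r)}")
    print("all four origins overlap:", common_window(recs))
```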

