[160285] in North American Network Operators' Group
Re: Announcing a reserved ASN?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Feb 3 14:44:17 2013
From: Owen DeLong <owen@delong.com>
In-Reply-To: <CAArzuovrwL-SnCCNkqYWHx_abyH9u-mZXcwE1yzT95sK5T7_3g@mail.gmail.com>
Date: Sun, 3 Feb 2013 11:40:11 -0800
To: Suresh Ramasubramanian <ops.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
AS23456 is what you get if your system doesn't properly support 32-bit =
ASNs
and an AS-PATH (or peer) uses a 32-bit ASN.
There should be an extended attribute on the route that contains the =
full
32-bit AS-PATH called AS4_PATH associated with any such routes.
Arguably any route containing AS23456 without an AS4_PATH attribute is
invalid and could be filtered.
Unfortunately, routers that would display AS23456 instead of restoring =
the
full 32-bit AS_PATH may not be able to identify this.
A properly transmitted route from a 4-byte ASN will be recovered as =
follows:
91.217.86.0/23 *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
AS path: 8121 1299 3209 197269 I
> to 192.124.40.129 via ge-0/0/0.0
OTOH, you may occasionally see artifacts like this (I don't know why):
91.217.87.0/24 *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
AS path: 8121 1299 174 23456 197269 I
> to 192.124.40.129 via ge-0/0/0.0
But if you are seeing 23456 on an AS4 capable router without at least =
some
indication of a 4-byte ASN in the path, it's probably fishy.
On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists@gmail.com> =
wrote:
> At least the 103.x which are announced by airtel. The other netblocks =
(one
> Indian and two brazilian) appear unrelated though also showing as23456
>=20
> --srs (htc one x)
> On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian"
> <ops.lists@gmail.com<javascript:_e({}, 'cvml',
> 'ops.lists@gmail.com');>>
> wrote:
>=20
>> AS23456 is currently announcing a good few netblocks (which don't =
have a
>> very good smtp reputation, by the way).
>>=20
>> Funny thing is, that's a special use ASN as per rfc4893, something =
about
>> two octet ASNs that don't have a four octet representation.
>>=20
>> Only one upstream (airtelbroadband-as-ap, as24560) that I can see
>>=20
>>>> 103.7.204.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.14.208.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.23.124.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.30.12.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 103.245.112.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 111.235.148.0/22
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 177.55.249.0/24
Missing AS4_PATH -- Probably a spoofed/hijacked route
>>>> 186.251.192.0/21
Missing AS4_PATH -- Probably a spoofed/hijacked route
If you're motivated to pursue this, the best thing to do is probably to =
contact the last legitimate AS before 23456 in the AS-PATH and inquire.
Owen
