[168510] in North American Network Operators' Group


Re: BCP38.info

daemon@ATHENA.MIT.EDU (David Miller)
Tue Jan 28 14:47:03 2014

Date: Tue, 28 Jan 2014 14:46:39 -0500
From: David Miller <dmiller@tiggee.com>
To: Jared Mauch <jared@puck.nether.net>, Valdis.Kletnieks@vt.edu
In-Reply-To: <3D726033-682D-4743-8BC7-6E2A41FB3AF3@puck.nether.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

On 1/28/2014 2:16 PM, Jared Mauch wrote:
> 
> On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks@vt.edu wrote:
> 
>> On Tue, 28 Jan 2014 08:06:31 -0500, Jared Mauch said:
>>
>>>  52731 ASN7922
>>
>>> It includes IP address where you send a DNS packet to it and another IP address responds to the query, e.g.:
>>
>>> The data only includes those where the “source-ASN” and “dest-asn” of these packets don’t match.
>>
>> Hang on Jared, I'm trying to wrap my head around this.  You're saying that
>> AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
>> you get an answer back from *an entirely different ASN*? How the heck does
>> *that* happen?
> 
> Yup.

Jared,

What you detected is a misconfiguration of devices on those networks,
but that misconfiguration (in and of itself) is not necessarily what is
commonly referred to as "IP spoofing" in the context of BCP38.

You have *not* "shown" that these ASNs "allow IP spoofing".  You have
collected one data point that indicates the mere possibility that these
ASNs allow IP spoofing.

In the example that you provided, you sent a DNS query to a Pacenet
(India) IP and received a response from a Vodafone (India) IP address.
The IP from which you received the invalid response is an open resolver
(bad thing).  It is completely plausible that whatever device is being
queried has interfaces on both networks.

To have "shown" that this ASN "allows IP spoofing" you must have
demonstrated that this response packet, sourced from a Vodafone IP,
entered the "Internet" from a Pacenet router interface.  Unless I am
missing something here, you haven't come close to showing that.

-DMM



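The measurement the thread is arguing about is a per-packet check: map the address a DNS query was sent to and the address the reply came from onto their origin ASNs, and keep the pairs where the two differ. The following is an added illustration, not code from either poster or from the BCP38.info project; the prefix table, the ASNs (from the 64496-64511 private range) and the query/response pairs are constructed, and the verdict names are this example's own. It also carries the objection raised in the reply: a mismatch is only a candidate, since a host with interfaces in two networks produces the same signature, and the check says nothing about which router interface the reply entered the Internet from.

```python
"""Classify DNS query/response address pairs by whether the reply's
source address maps to the same ASN as the queried destination.

This is the "source-ASN != dest-ASN" filter discussed in the thread.
A mismatch is a weak signal: a multi-homed host or a NAT device can
answer from an address in another ASN without any spoofing, and the
check cannot see which ingress interface the reply actually used.
The prefix table and packet pairs below are constructed for
illustration and do not correspond to real allocations.
"""
import ipaddress
from typing import Optional

# Constructed prefix -> origin ASN table (not real routing data).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more-specific inside 64501's block
    "203.0.113.0/24": 64503,
}

# Longest prefix first, so the first containing network wins.
_NETWORKS = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
    key=lambda t: t[0].prefixlen,
    reverse=True,
)


def asn_for(ip: str) -> Optional[int]:
    """Longest-prefix-match lookup of an address to its origin ASN."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _NETWORKS:
        if addr in net:
            return asn
    return None


def classify(pairs):
    """pairs: iterable of (query_dst, response_src) address strings.

    Returns one record per pair with both ASNs and a verdict:
      'same-asn'      reply came from an address in the queried ASN
      'asn-mismatch'  reply came from another ASN (candidate only,
                      not evidence that either ASN permits spoofing)
      'unknown'       one side is not covered by the prefix table
    """
    out = []
    for dst, src in pairs:
        dst_asn, src_asn = asn_for(dst), asn_for(src)
        if dst_asn is None or src_asn is None:
            verdict = "unknown"
        elif dst_asn == src_asn:
            verdict = "same-asn"
        else:
            verdict = "asn-mismatch"
        out.append({"query_dst": dst, "response_src": src,
                    "dst_asn": dst_asn, "src_asn": src_asn,
                    "verdict": verdict})
    return out


def mismatches_by_dest_asn(results):
    """Tally candidate mismatches per queried ASN, the per-ASN count
    form the thread quotes (e.g. '52731 ASN7922')."""
    counts = {}
    for r in results:
        if r["verdict"] == "asn-mismatch":
            counts[r["dst_asn"]] = counts.get(r["dst_asn"], 0) + 1
    return counts


# Constructed sample: (address the query was sent to, address the
# reply came from).
SAMPLE_PAIRS = [
    ("192.0.2.10", "192.0.2.10"),        # normal: the queried host answers
    ("192.0.2.11", "192.0.2.53"),        # same ASN, different address
    ("198.51.100.5", "203.0.113.7"),     # mismatch: candidate, not proof
    ("198.51.100.200", "198.51.100.9"),  # /25 more-specific vs covering /24
    ("203.0.113.9", "10.0.0.1"),         # reply from address outside table
]

if __name__ == "__main__":
    results = classify(SAMPLE_PAIRS)
    for r in results:
        print(r)
    print(mismatches_by_dest_asn(results))
```

The fourth pair shows why the lookup has to be longest-prefix rather than first-match: the queried address sits in a /25 announced by a different ASN than the covering /24, so a naive table walk would misattribute it. Turning a candidate into evidence that an ASN fails to filter would need data this check does not have, such as the ingress interface or a traceroute-style path to the responding address.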

