[168511] in North American Network Operators' Group


Re: BCP38.info

daemon@ATHENA.MIT.EDU (Stephen Frost)
Tue Jan 28 14:55:46 2014

Date: Tue, 28 Jan 2014 14:56:15 -0500
From: Stephen Frost <sfrost@snowman.net>
To: David Miller <dmiller@tiggee.com>
In-Reply-To: <52E8091F.20401@tiggee.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

David,

* David Miller (dmiller@tiggee.com) wrote:
> > On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks@vt.edu wrote:
> >> Hang on Jared, I'm trying to wrap my head around this.  You're saying that
> >> AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
> >> you get an answer back from *an entirely different ASN*? How the heck does
> >> *that* happen?
> >
> > Yup.
>
> What you detected is a misconfiguration of devices on those networks,
> but that misconfiguration (in and of itself) is not necessarily what is
> commonly referred to as "IP spoofing" in the context of BCP38.
>
> You have *not* "shown" that these ASNs "allow IP spoofing".  You have
> collected one data point that indicates the mere possibility that these
> ASNs allow IP spoofing.

Sounds like he's got about 50k such data points, in some cases.

> In the example that you provided, you sent a DNS query to a Pacenet
> (India) IP and received a response from a Vodafone (India) IP address.
> The IP from which you received the invalid response is an open resolver
> (bad thing).  It is completely plausible that whatever device is being
> queried has interfaces on both networks.

If it was only one (and for those ASNs where it *is* only one, or even a
few, IPs) then I'd tend to agree with you, however...

> To have "shown" that this ASN "allows IP spoofing" you must have
> demonstrated that this response packet, sourced from a Vodafone IP,
> entered the "Internet" from a Pacenet router interface.  Unless I am
> missing something here, you haven't come close to showing that.

We're talking about 50,000 distinct IPs which are doing this in some
cases.  It strikes me as at least pretty unlikely that all 50,000
devices (or 25,000 or 10,000 or what-have-you, if you want to consider
that some devices might have multiple IPs) out there have multiple
interfaces which cross ASN boundaries.  Sure sounds to me like
*someone* out there has some serious issues to deal with, and the rest
of us are paying the price of their inaction.

	Thanks,

		Stephen

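The point argued over in this exchange, as an added example that is not part of the thread: given scan records of (IP queried, IP that answered), tally per queried ASN how many distinct IPs answered from some other ASN, so that a single multi-homed device answering on two networks can be told apart from a pattern spread across thousands of hosts. The prefix-to-ASN table, the ASNs and the scan records are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> ASN table (documentation prefixes, private-use ASNs).
# A real analysis would take this from a routing table or RIR data.
PREFIX_TO_ASN = {
    ip_network("192.0.2.0/24"): 64496,
    ip_network("198.51.100.0/24"): 64497,
    ip_network("203.0.113.0/24"): 64498,
}

def asn_of(ip):
    """Map an IP to its origin ASN; the constructed prefixes do not overlap,
    so a first match is enough (real tables need longest-prefix match)."""
    addr = ip_address(ip)
    for net, asn in PREFIX_TO_ASN.items():
        if addr in net:
            return asn
    return None

def mismatched_responders(records):
    """records: (queried_ip, responder_ip) pairs from a scan log.
    Returns {queried_asn: {queried_ip: set(responder_asn)}} covering only
    replies whose source IP lies in a different ASN than the IP queried."""
    hits = defaultdict(lambda: defaultdict(set))
    for queried, responder in records:
        q_asn, r_asn = asn_of(queried), asn_of(responder)
        if q_asn is None or r_asn is None or q_asn == r_asn:
            continue  # unknown origin, or an ordinary in-ASN reply
        hits[q_asn][queried].add(r_asn)
    return hits

def assess(hits, many=100):
    """A handful of mismatching IPs is consistent with one multi-homed device
    answering on both networks; once the count is large that explanation
    becomes strained and the ASN is worth following up with its operator."""
    return {asn: ("widespread: follow up" if len(per_ip) >= many
                  else "few data points: inconclusive")
            for asn, per_ip in hits.items()}

# Constructed scan records: 200 distinct IPs in AS64496 answered from an
# AS64497 address, one AS64497 IP answered from AS64498, one normal reply.
SAMPLE = [(f"192.0.2.{i}", "198.51.100.7") for i in range(1, 201)]
SAMPLE += [("198.51.100.9", "203.0.113.53"), ("203.0.113.10", "203.0.113.10")]

if __name__ == "__main__":
    for asn, verdict in assess(mismatched_responders(SAMPLE)).items():
        print(f"AS{asn}: {verdict}")
```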

