[177582] in North American Network Operators' Group
Re: look for BGP routes containing local AS#
daemon@ATHENA.MIT.EDU (joel jaeggli)
Wed Jan 28 03:23:54 2015
X-Original-To: nanog@nanog.org
Date: Wed, 28 Jan 2015 00:23:38 -0800
From: joel jaeggli <joelja@bogus.com>
To: Song Li <refresh.lsong@gmail.com>, nanog list <nanog@nanog.org>
In-Reply-To: <54C79682.9020802@gmail.com>
Errors-To: nanog-bounces@nanog.org
On 1/27/15 5:45 AM, Song Li wrote:
> Hi everyone,
>
> Recently I studied the BGP AS path looping problem, and found that in
> most cases, the received BGP routes containing local AS# are suspicious.
> However, we checked our BGP routing table (AS23910,CERNET2) on juniper
> router(show route hidden terse aspath-regex .*23910.* ), and have not
> found such routes in Adj-RIB-In.
Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.
https://tools.ietf.org/html/rfc4271 page 77
If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
route should be excluded from the Phase 2 decision function. AS loop
detection is done by scanning the full AS path (as specified in the
AS_PATH attribute), and checking that the autonomous system number of
the local system does not appear in the AS path. Operations of a BGP
speaker that is configured to accept routes with its own autonomous
system number in the AS path are outside the scope of this document.
in junos
neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
where number is the number of instances of your AS in the path you're
willing to accept will correct that.
> We believe that the received BGP routes containing local AS# are related
> to BGP security problem.
You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.
Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.
> Hence, we want to look for some real cases in
> the wild. Could anybody give us some examples of such routes?
>
> Thanks!
>
> Best Regards!
>
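The loop check quoted above from RFC 4271, together with a limit on accepted instances of the local AS as the reply describes for allowas-in, as an added example that is not part of the original message. The function names and sample paths are constructed for illustration, 4-octet AS numbers are assumed on the wire, and confederation segment types are not handled.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types defined in RFC 4271

def encode_as_path(segments):
    """Build an AS_PATH attribute value (4-octet ASNs) for constructed test input."""
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + b"".join(struct.pack("!I", a) for a in asns)
    return out

def parse_as_path(value):
    """Decode an AS_PATH value into [(segment_type, [asn, ...]), ...]."""
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unsupported segment type {seg_type}")
        end = offset + 2 + 4 * count
        if end > len(value):
            raise ValueError("truncated segment body")
        asns = [struct.unpack_from("!I", value, i)[0] for i in range(offset + 2, end, 4)]
        segments.append((seg_type, asns))
        offset = end
    return segments

def local_as_instances(value, local_as):
    """Scan the full path (sequences and sets) and count the local AS."""
    return sum(asns.count(local_as) for _, asns in parse_as_path(value))

def passes_loop_check(value, local_as, allowed_instances=0):
    """allowed_instances=0 is the RFC 4271 behaviour; >0 models an allowas-in limit."""
    return local_as_instances(value, local_as) <= allowed_instances

LOCAL_AS = 23910  # the AS number from the thread
# Constructed sample paths; 64496-64498 are documentation ASNs (RFC 5398).
CLEAN = encode_as_path([(AS_SEQUENCE, [64496, 64497, 64498])])
ONE_HIT = encode_as_path([(AS_SEQUENCE, [64496, 23910, 64497])])
TWO_HITS = encode_as_path([(AS_SEQUENCE, [64496, 23910]), (AS_SET, [64497, 23910])])

if __name__ == "__main__":
    for name, path in [("clean", CLEAN), ("one", ONE_HIT), ("two", TWO_HITS)]:
        print(name, parse_as_path(path),
              [passes_loop_check(path, LOCAL_AS, n) for n in (0, 1, 2)])
```
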