[177599] in North American Network Operators' Group


Re: look for BGP routes containing local AS#

daemon@ATHENA.MIT.EDU (Patrick Tracanelli)
Wed Jan 28 13:12:08 2015

X-Original-To: nanog@nanog.org
From: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
In-Reply-To: <54C8ACB2.9080505@gmail.com>
Date: Wed, 28 Jan 2015 15:50:10 -0200
To: refresh.lsong@gmail.com
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On 28/01/2015, at 07:32, Song Li <refresh.lsong@gmail.com> wrote:
>
> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be
> dropped. However, such routes can still be displayed on router. For
> example, you can run "show route hidden terse aspath-regex .*<local
> ASN>.*" on Juniper to check them. We are looking for those routes. If
> you can run the command on your Juniper and find such routes, could you
> please provide them for us?
>

Sorry, what do you need exactly? A sample? For education purposes are
you looking for something specific?
You need it to be on Juniper router or other BGP software will do?

I have this scenario from Brazil-US, with specifics getting received
both ways but it’s not Juniper.



> Thanks!
>
> Regards!
>
> Song
>
> On 2015/1/28 16:23, joel jaeggli wrote:
>> On 1/27/15 5:45 AM, Song Li wrote:
>>> Hi everyone,
>>>
>>> Recently I studied the BGP AS path looping problem, and found that in
>>> most cases, the received BGP routes containing local AS# are suspicious.
>>> However, we checked our BGP routing table (AS23910,CERNET2) on juniper
>>> router(show route hidden terse aspath-regex .*23910.* ), and have not
>>> found such routes in Adj-RIB-In.
>>
>> Updates with your AS in the path are discarded as part of loop
>> detection, e.g. they do not become candidate routes.
>>
>> https://tools.ietf.org/html/rfc4271 page 77
>>
>>  If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
>>  route should be excluded from the Phase 2 decision function.  AS loop
>>  detection is done by scanning the full AS path (as specified in the
>>  AS_PATH attribute), and checking that the autonomous system number of
>>  the local system does not appear in the AS path.  Operations of a BGP
>>  speaker that is configured to accept routes with its own autonomous
>>  system number in the AS path are outside the scope of this document.
>>
>> in junos
>>
>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>
>> where number is the number of instances of your AS in the path you're
>> willing to accept will correct that.
>>
>>> We believe that the received BGP routes containing local AS# are related
>>> to BGP security problem.
>>
>> You'll have to elaborate, since their existence is a basic principle in
>> the operation of bgp and they are ubiquitous.
>>
>> Island instances of a distributed ASN communicate with each other by
>> allowing such routes in so that they can be evaluated on the basis of
>> prefix, specificity, AS path length and so forth.
>>
>>> Hence, we want to look for some real cases in
>>> the wild. Could anybody give us some examples of such routes?
>>>
>>> Thanks!
>>>
>>> Best Regards!
>>>
>>
>>
>
>
> -- 
> Song Li
> Room 4-204, FIT Building,
> Network Security,
> Department of Electronic Engineering,
> Tsinghua University, Beijing 100084, China
> Tel:( +86) 010-62446440
> E-mail: refresh.lsong@gmail.com

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601@sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"

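The loop check quoted from RFC 4271 in this thread, with the occurrence limit described for allowas-in, as an added Python example that is not part of the original message or any router's code. It assumes 4-octet AS numbers in the attribute (RFC 6793); the function names and the sample bytes are constructed for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # path segment type codes, RFC 4271 section 4.3

def parse_as_path(value: bytes, asn_size: int = 4):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...].

    asn_size=4 assumes a 4-octet-AS session (RFC 6793); use 2 for legacy peers.
    """
    fmt = {2: "H", 4: "I"}[asn_size]
    segments, off = [], 0
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        end = off + count * asn_size
        if end > len(value):
            raise ValueError("segment runs past end of attribute")
        segments.append((seg_type, list(struct.unpack(f"!{count}{fmt}", value[off:end]))))
        off = end
    return segments

def local_as_count(segments, local_as: int) -> int:
    """Scan the full path, AS_SET members included, for the local AS number."""
    return sum(asns.count(local_as) for _, asns in segments)

def accept(segments, local_as: int, allowed: int = 0) -> bool:
    """allowed=0 is the RFC 4271 loop check; a higher value models allowas-in."""
    return local_as_count(segments, local_as) <= allowed

# Constructed sample: AS_SEQUENCE [64500, 23910, 64501] + AS_SET {64502, 23910}.
# 23910 is the AS from the thread; 645xx are documentation ASNs (RFC 5398).
SAMPLE = (bytes([AS_SEQUENCE, 3]) + struct.pack("!3I", 64500, 23910, 64501)
          + bytes([AS_SET, 2]) + struct.pack("!2I", 64502, 23910))

if __name__ == "__main__":
    path = parse_as_path(SAMPLE)
    for limit in (0, 1, 2):
        print(f"allowed={limit}: accept={accept(path, 23910, limit)}")
```
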
