[179063] in North American Network Operators' Group
Re: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795
daemon@ATHENA.MIT.EDU (ML)
Thu Mar 26 23:26:08 2015
X-Original-To: nanog@nanog.org
Date: Thu, 26 Mar 2015 23:26:07 -0400
From: ML <ml@kenweb.org>
To: nanog@nanog.org
In-Reply-To: <BN3PR11MB0145DE4F129D94AE428679D69B080@BN3PR11MB0145.namprd11.prod.outlook.com>
Errors-To: nanog-bounces@nanog.org
Wouldn't it be a BCP to set no-export from the Noction device too?
On 3/26/2015 6:20 PM, Nick Rose wrote:
> Several people asked me off list for more details, here is what I have regarding it.
>
> This morning a tier2 isp that connects to our network made an error in their router configuration causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again.
> While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
>
> Regards,
> Nick Rose
> CTO @ Enzu Inc.
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Nick Rose
> Sent: Thursday, March 26, 2015 3:49 PM
> To: amps@djlab.com; Peter Rocca
> Cc: nanog@nanog.org
> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>
> This should be resolved from AS18978. If you experience anything else please let me know and I will get it addressed immediately.
>
> Regards,
> Nick Rose
> CTO @ Enzu Inc.
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Randy
> Sent: Thursday, March 26, 2015 12:14 PM
> To: Peter Rocca
> Cc: nanog@nanog.org
> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>
> On 03/26/2015 9:00 am, Peter Rocca wrote:
>> +1
>>
>> The summary below aligns with our analysis as well.
>>
>> We've reached out to AS18978 to determine the status of the leak but
>> at this time we're not seeing any operational impact.
> +2, after the morning coffee sunk in and helpful off list replies I can
> finally see it's probably not INDOSAT involved at all.
>
> FYI, the more specifics are still active:
>
> 2015-03-26 13:56:11 Update AS4795 ID 198.98.180.0/23 4795 4795 4761
> 9304 40633 18978 6939 29889 Active
> 2015-03-26 13:56:11 Update AS4795 ID 198.98.182.0/23 4795 4795 4761
> 9304 40633 18978 6939 29889 Active
>
> --
> ~Randy
