Daniel, To answer your question from June 16th: no this is not exactly riswhois:
The Route Views team is developing an application to map the changes in Origin-AS of IP prefixes over time.
RISwhois doesn't keep history, only looks at the latest available RIB dumps, it cannot answer questions on changes in Origin-AS over time.
The changes in Origin-AS will be based on data from current RIR databases.
If I get this right, what Route Views intend to do is compare the origin AS data from prefixes seen in BGP feeds with what has been registered in the various routing registries ("RIR databases") and provide random access to the resulting data set.
I wanted to know if what they propose is not covered already by the RIS.
- I am sure we have the data this needs. - Do we have a UI that provides what they want? - Does RISWHOIS provide part of it? - can we make something like this quickly ourselves?
We could modify RISwhois to (when asked with a flag) query a Routing Registry and compare the BGP origin with the registered origin, but that still wouldn't provide history. The current RIS DB does have history and could at least answer the question if the BGP origin AS has changed in the time period covered by the DB. However, it does not have any info on the *registered* origin AS; also the 3 months usually covered by RIS DB might be a bit short when looking back in history. As I see it, to provide the desired functionality, we'd need a DB with tables for RIS and IRR storing for each prefix a time series of origin AS (prefix_id, originAS, first, last). For convenience, you could add a flag indicating whether or not the origin matched the IRR during the whole (first,last) time period. Things get a bit tricky when RIS reports multiple origins. One could either do "majority voting" (origin seen by most RIS peers wins) or list both (all) origins seperated by e.g. a / Also, the odd cases of origin being an AS-set (like 84.205.73.0/24, 84.205.89.0/24 :) can be handled in several ways. -- Rene
----- Forwarded message from Daniel Karrenberg <daniel.karrenberg@ripe.net> -----
From: Daniel Karrenberg <daniel.karrenberg@ripe.net> To: RIPE NCC RIS Project People <ris@ripe.net> Subject: [ris] [Brett_Watson@isc.org: Comments regarding a new tool from the Route Views team] Date: Thu, 16 Jun 2005 09:21:24 +0200 Cc: Mail-Followup-To: RIPE NCC RIS Project People <ris@ripe.net>
Isn't this riswhois or do we not already have that?
----- Forwarded message from brett watson <Brett_Watson@isc.org> -----
Date: Wed, 15 Jun 2005 14:45:48 -0700 From: brett watson <Brett_Watson@isc.org> To: all@oarc.isc.org Subject: Comments regarding a new tool from the Route Views team X-RIPE-Spam-Level: X-RIPE-Spam-Tests: BAYES_00 X-RIPE-Spam-Status: N 0.000000 / -2.6
We received a request from Dave Meyer (part of the U. of Oregon Route Views team) for feedback on a new tool they are building. For those that don't know, the Route Views team (www.routeviews.org) collects, logs, and provides real-time access to global routing data. We (the OARC Secretariat) wanted to float this to the general membership for any input you all might have regarding the current features of this tool, or enhancements you believe OARC members might find useful.
The Route Views team is developing an application to map the changes in Origin-AS of IP prefixes over time. The changes in Origin-AS will be based on data from current RIR databases. The Route Views team envisioned this as a useful tool for providers to use until some form of s*BGP is deployed, to help track down "hi-jacked" routes, and for spam mitigation. The data may be searched via:
- specific time/date - time/date range - frequency of changes (ie. last 10 origin-as changes for a specific prefix)
In addition, the Route Views team is considering using MRT to visualize the output. The team asked for input on the questions included below, and we would love to hear any member input/comments on these questions/answers before we respond to Dave. Feel free to send this to the all@ list for general discussion, or to me personally and I will tabulate everything and send back to the list one last time.
Questions from Route Views team ===========================
(i). Would you find this type of application useful, and for what purposes?
We envision a tool like this being useful for the DNS-OARC community in several areas:
DNS Anycast Experimentation - Visualizing the changes in Origin-AS during an anycast experiment where an anycast prefix is announced/ withdrawn over the course of several days, in order to better understand the impact of anycast on the DNS.
DSC Data Correlation - We have a recent example of how this kind of tool would be useful. Several months ago, F-root saw a large "spike" in queries that lasted for several days. After the spike subsided, we were able to identify the source IP address of the spike but no route existed in the global routing tables for the source IP. By manually downloading historical data from route-views, we ascertained that the source IP address was indeed announced by a different ISP than current whois data would indicate should be announcing it. The implications of having the ability to query for Origin-AS changes in near real-time are obvious in this case.
General DNS Data Correlation - Any statistics obtained about the DNS (such as RIPE's dnsmon) could be correlated with changes in Origin-AS to either validate or invalidate theories on DNS behavior.
(ii). What other features would you like to see?
The usefulness of comparing actual Origin-AS data with RIR database information is questionable, given the historical inaccuracies in RIR data but in some cases the RIR data may give us a useful baseline.
It seems that overall changes in the AS *path* may also be useful, in addition to just the Origin-AS.
(iii). How would you like to see the output visualized?
MRT seems like a fine method for visualizing the data. The BGPlay application is a great way to visualize data from the RIPE RIS and route-views data.
-b -- Brett Watson DNS Operations, Analysis, and Research Center
----- End forwarded message -----
----- End forwarded message -----