Dear fellow network operators,

In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.

After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.

The reasoning behind this policy is twofold:

- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is either a misconfiguration or software issue.

We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.

Bogon ASNs are currently defined as follows:

    0                       # Reserved RFC7607
    23456                   # AS_TRANS RFC6793
    64496-64511             # Reserved for use in docs and code RFC5398
    64512-65534             # Reserved for Private Use RFC6996
    65535                   # Reserved RFC7300
    65536-65551             # Reserved for use in docs and code RFC5398
    65552-131071            # Reserved
    4200000000-4294967294   # Reserved for Private Use RFC6996
    4294967295              # Reserved RFC7300

A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.

We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].

NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.

Kind regards,

Job

Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>

References:
[1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
[2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
[3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
[4]: http://as2914.net/bogon_asns/configuration_examples.txt
You guys are my heroes! If 4-5 tier-0 ISPs would do exactly this, bogus ASNs would disappear in a week. Instead everyone talks while the problem gets larger (now over 5000): http://www.cidr-report.org/as2.0/bogus-as-advertisements.html -Hank
Dear Hank,

On Fri, Jun 03, 2016 at 07:53:50AM +0300, Hank Nussbacher wrote:
> On 02/06/2016 22:43, Job Snijders wrote:
> > Bogon ASNs are currently defined as follows:
> >
> >     0                       # Reserved RFC7607
> >     23456                   # AS_TRANS RFC6793
> >     64496-64511             # Reserved for use in docs and code RFC5398
> >     64512-65534             # Reserved for Private Use RFC6996
> >     65535                   # Reserved RFC7300
> >     65536-65551             # Reserved for use in docs and code RFC5398
> >     65552-131071            # Reserved
> >     4200000000-4294967294   # Reserved for Private Use RFC6996
> >     4294967295              # Reserved RFC7300
> >
> > References:
> > [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
> > [4]: http://as2914.net/bogon_asns/configuration_examples.txt
>
> You guys are my heroes! If 4-5 tier-0 ISPs would do exactly this, bogus
> ASNs would disappear in a week.

GTT also committed to deploying the same filter: http://mailman.nanog.org/pipermail/nanog/2016-June/086081.html

> Instead everyone talks while the problem gets larger (now over 5000):
> http://www.cidr-report.org/as2.0/bogus-as-advertisements.html

I'd like to clear up some potential for confusion: we are only targeting what has been defined in the list at the top of this email, not what are considered "unallocated" ASNs. (Although we do monitor for that and resolve any adjacencies we might have with such ASNs).

Below is a copy+paste from the weekly report which drives our outreach effort. We recognise two types of prefixes: "Problem prefixes" and "problems resolved by a less specific".

It seems likely that the "saved by overlapping less-specific" ones are the result of accidental exposure of something that should remain internal, and the "problem prefixes" are likely to be misconfigurations or software issues.

Hopefully, by the time we deploy the new policy, all of these have been resolved. If not, we're probably looking at the low hundreds, not 5000.

Kind regards,

Job

---------- report below -----------

Subject: Weekly report: ASN Bogon Filter impact - 2016.06.02

Dear reader,

This is an automated report to provide insight into the effects of the new Bogon ASN as-path filters NTT will deploy in July 2016.

This script parses a full table RIB dump as seen from a customer perspective (kiera.meerval.net in Amsterdam) and searches which prefixes would be dropped without causing too much concern, and which prefixes will fall off the routing table.
Bogon ASNs are defined as: 0, 23456, 64496-131071, 4200000000-4294967295

Problem prefixes: (140 issues)

resolved by virtue of existing overlapping prefix:
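The impact analysis the weekly report describes, and the AS_PATH check from the original announcement, as an added Python example (not NTT's script and not part of the thread). It assumes input lines shaped like the report's `prefix (path: ...)` entries, uses constructed sample routes on documentation prefixes, and all function names are hypothetical; it checks the AS_PATH only and counts a less-specific as cover only when its own path is free of Bogon ASNs.

```python
import ipaddress
import re

# Bogon ASN ranges (inclusive) as listed in the weekly report quoted above.
BOGON_ASN_RANGES = (
    (0, 0),                    # Reserved (RFC7607)
    (23456, 23456),            # AS_TRANS (RFC6793)
    (64496, 131071),           # documentation, private use and reserved
    (4200000000, 4294967295),  # private use (RFC6996) and reserved (RFC7300)
)

# One route per line, in the shape the report prints: "prefix (path: A B C )".
ROUTE_RE = re.compile(r"^\s*(\S+)\s+\(path:\s*([\d\s]*)\)\s*$")

# Constructed sample input: documentation prefixes and made-up AS paths.
SAMPLE_RIB = """\
192.0.2.0/24 (path: 2914 3333 64512 )
198.51.100.0/24 (path: 2914 3333 )
198.51.100.128/25 (path: 2914 3333 65001 )
203.0.113.0/24 (path: 2914 4444 23456 5555 )
203.0.113.0/25 (path: 2914 4444 65535 65535 )
2001:db8::/32 (path: 2914 6666 )
2001:db8:1::/48 (path: 2914 6666 4200000001 )
"""


def is_bogon_asn(asn):
    """True if the ASN falls inside one of the Bogon ranges."""
    return any(low <= asn <= high for low, high in BOGON_ASN_RANGES)


def bogons_in_path(path):
    """Distinct Bogon ASNs in the path, in order of first appearance."""
    return list(dict.fromkeys(asn for asn in path if is_bogon_asn(asn)))


def parse_route(line):
    """Parse one report-style line into (ip_network, [asn, ...])."""
    match = ROUTE_RE.match(line)
    if match is None:
        raise ValueError(f"unrecognised route line: {line!r}")
    prefix = ipaddress.ip_network(match.group(1), strict=True)
    path = [int(token) for token in match.group(2).split()]
    if not path or any(asn > 0xFFFFFFFF for asn in path):
        raise ValueError(f"invalid AS path in line: {line!r}")
    return prefix, path


def covering_prefix(prefix, accepted):
    """Most specific accepted less-specific containing prefix, or None."""
    for length in range(prefix.prefixlen - 1, -1, -1):
        candidate = prefix.supernet(new_prefix=length)
        if candidate in accepted:
            return candidate
    return None


def classify(lines):
    """Split filtered routes into 'problem' and 'covered' lists."""
    routes = {}
    for line in lines:
        if line.strip():
            prefix, path = parse_route(line)
            routes[prefix] = path
    # Routes that survive the filter: no Bogon ASN anywhere in the path.
    accepted = {p for p, path in routes.items() if not bogons_in_path(path)}
    report = {"problem": [], "covered": []}
    for prefix, path in routes.items():
        bogons = bogons_in_path(path)
        if not bogons:
            continue
        cover = covering_prefix(prefix, accepted)
        if cover is None:
            # Nothing clean covers it: the address space becomes unreachable.
            report["problem"].append((str(prefix), bogons))
        else:
            report["covered"].append((str(prefix), str(cover), bogons))
    return report


if __name__ == "__main__":
    result = classify(SAMPLE_RIB.splitlines())
    for prefix, bogons in result["problem"]:
        print(f"problem  {prefix} bogons={bogons}")
    for prefix, cover, bogons in result["covered"]:
        print(f"covered  {prefix} by {cover} bogons={bogons}")
```

In the sample, 203.0.113.0/25 stays in the problem list because its only covering route, 203.0.113.0/24, would itself be dropped by the filter.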
Hi Job, And by the way could you please let me know what is the current status of implementing so called "IRR Lockdown" in NTT? If I remember correctly you planned in NTT to filter out route announcements for prefixes present in RIPE but not having correct Route Registry in RIPE. I'm just asking for my curiosity what is the current status for that plan? Regards, Rafał -----Original Message----- From: routing-wg [mailto:routing-wg-bounces@ripe.net] On Behalf Of Job Snijders Sent: Friday, June 03, 2016 10:26 AM To: Hank Nussbacher Cc: routing-wg@ripe.net Subject: Re: [routing-wg] Bogon ASN Filter Policy Dear Hank, On Fri, Jun 03, 2016 at 07:53:50AM +0300, Hank Nussbacher wrote:
On 02/06/2016 22:43, Job Snijders wrote:
Bogon ASNs are currently defined as following:
0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300
References: [3]: https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iana.org_as signments_as-2Dnumbers_as-2Dnumbers.xhtml&d=CwIBAg&c=4ZIZThykDLcoWk- GVjSLm9hvvvzvGv0FLoWSRuCSs5Q&r=uSdRM1m6v9tUqQwN60nzfridakyp61O-UW1qU Yv1tD30FWDjrpwJLIAUAzixBHEl&m=HLy7uM0lDPsSRp8FdQB63oADyiOAGD6FIdn82m wGbMw&s=XLed_bmiDNrZhBhokPQiphHemz9v4tt9WumdCbpfIzE&e= [4]: https://urldefense.proofpoint.com/v2/url?u=http-3A__as2914.net_bogon -5Fasns_configuration-5Fexamples.txt&d=CwIBAg&c=4ZIZThykDLcoWk-GVjSL m9hvvvzvGv0FLoWSRuCSs5Q&r=uSdRM1m6v9tUqQwN60nzfridakyp61O-UW1qUYv1tD 30FWDjrpwJLIAUAzixBHEl&m=HLy7uM0lDPsSRp8FdQB63oADyiOAGD6FIdn82mwGbMw &s=dXt6rcsVW4C2mInLad5sgRnMPjbto86h_xcZWIQwdxs&e=
You guys are my heroes! If 4-5 tier-0 ISPs would do exactly this, bogus ASNs would disappear in a week.
GTT also committed to deploying the same filter: https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.nanog.org_pipermail_nanog_2016-2DJune_086081.html&d=CwIBAg&c=4ZIZThykDLcoWk-GVjSLm9hvvvzvGv0FLoWSRuCSs5Q&r=uSdRM1m6v9tUqQwN60nzfridakyp61O-UW1qUYv1tD30FWDjrpwJLIAUAzixBHEl&m=HLy7uM0lDPsSRp8FdQB63oADyiOAGD6FIdn82mwGbMw&s=jE5dtddA2esYPL2A5xBNFOXEKxJM2UME_CGPkbun0tM&e=
Instead everyone talks while > the problem gets larger (now over 5000): https://urldefense.proofpoint.com/v2/url?u=http-3A__www.cidr-2Dreport. org_as2.0_bogus-2Das-2Dadvertisements.html&d=CwIBAg&c=4ZIZThykDLcoWk-G VjSLm9hvvvzvGv0FLoWSRuCSs5Q&r=uSdRM1m6v9tUqQwN60nzfridakyp61O-UW1qUYv1 tD30FWDjrpwJLIAUAzixBHEl&m=HLy7uM0lDPsSRp8FdQB63oADyiOAGD6FIdn82mwGbMw &s=Cr08hxsI50KJyoGlekgDcCtBZfesRWF6U6Vqn8iBNJ8&e=
I'd like to clear up some potential for confusion: we only targetting what has been defined in the list at the top of this email, not what are considered "unallocated" ASNs. (Although we do monitor for that and resolve any adjacencies we might have with such ASNs). Below is a copy+paste from the weekly report which drives our outreach effort. We recognise two types of prefixes: "Problem prefixes" and "problems resolved by a less specific". It seems likely that the "saved by overlapping less-specific" ones are the result of accidental exposure of something that should remain internal, and the "problem prefixes" are likely to be misconfigurations or software issues. Hopefully, by the time we deploy the new policy, all of these have been resolved. If not, we're probbly looking at the low hundreds, not 5000. Kind regards, Job ---------- report below ----------- Subject: Weekly report: ASN Bogon Filter impact - 2016.06.02 Dear reader, This is an automated report to provide insight into the effects of the new Bogon ASN as-path filters NTT will deploy in July 2016. This script parses a full table RIB dump as seen from a customer perspective (kiera.meerval.net in Amsterdam) and searches which prefixes would be dropped without causing too much concern, and which prefixes will fall off the routing table. 
Bogon ASNs are defined as: 0, 23456, 64496-131071, 4200000000-4294967295
Problem prefixes: (140 issues)
resolved by virtue of existing overlapping prefix:
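The two-way split the weekly report makes, as an added example (not NTT's script): routes in the report's `prefix (path: ...)` line format are checked against the Bogon ASN list from the announcement, and each rejected prefix counts as a problem prefix unless an accepted less-specific still covers it. The sample table is constructed, and requiring the covering route to be free of Bogon ASNs itself is an assumption of this example.

```python
import ipaddress
import re

# Bogon ASN ranges (inclusive) as listed in the announcement.
BOGON_ASN_RANGES = (
    (0, 0),                    # Reserved, RFC7607
    (23456, 23456),            # AS_TRANS, RFC6793
    (64496, 64511),            # Docs and code, RFC5398
    (64512, 65534),            # Private Use, RFC6996
    (65535, 65535),            # Reserved, RFC7300
    (65536, 65551),            # Docs and code, RFC5398
    (65552, 131071),           # Reserved
    (4200000000, 4294967294),  # Private Use, RFC6996
    (4294967295, 4294967295),  # Reserved, RFC7300
)

# One route per line: "<prefix> (path: <asn> <asn> ... )"
ROUTE_RE = re.compile(r"^(\S+)\s+\(path:\s*((?:\d+\s*)+)\)$")

# Constructed sample table (documentation prefixes), one best path per prefix.
SAMPLE_RIB = """
192.0.2.0/24 (path: 2914 174 64512 )
198.51.100.0/24 (path: 2914 701 )
198.51.100.128/25 (path: 2914 701 65001 )
203.0.113.0/24 (path: 2914 1299 23456 )
203.0.113.0/25 (path: 2914 1299 23456 )
2001:db8::/32 (path: 2914 3356 )
2001:db8:1::/48 (path: 2914 3356 4200000001 )
"""


def is_bogon_asn(asn):
    """True if the ASN falls in any range of the Bogon ASN list."""
    return any(low <= asn <= high for low, high in BOGON_ASN_RANGES)


def parse_rib(text):
    """Parse route lines into {network: [asn, ...]}; reject malformed lines."""
    routes = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = ROUTE_RE.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a route line: {line!r}")
        network = ipaddress.ip_network(match.group(1))
        routes[network] = [int(asn) for asn in match.group(2).split()]
    return routes


def covering_route(network, accepted):
    """Most specific accepted less-specific that contains `network`, or None."""
    for length in range(network.prefixlen - 1, -1, -1):
        candidate = network.supernet(new_prefix=length)
        if candidate in accepted:
            return candidate
    return None


def classify(routes):
    """Split rejected routes into (problem, covered).

    problem: {network: [bogon ASNs in its path]}, no accepted cover exists
    covered: {network: accepted less-specific that keeps it reachable}
    """
    accepted = {
        net for net, path in routes.items()
        if not any(is_bogon_asn(asn) for asn in path)
    }
    problem, covered = {}, {}
    for net, path in routes.items():
        if net in accepted:
            continue
        cover = covering_route(net, accepted)
        if cover is None:
            problem[net] = [asn for asn in path if is_bogon_asn(asn)]
        else:
            covered[net] = cover
    return problem, covered


if __name__ == "__main__":
    problem, covered = classify(parse_rib(SAMPLE_RIB))
    print(f"Problem prefixes: ({len(problem)} issues)")
    for net, bogons in problem.items():
        print(f"  {net} (bogon ASNs: {bogons})")
    print("resolved by virtue of existing overlapping prefix:")
    for net, cover in covered.items():
        print(f"  {cover} contains: {net}")
```

Note that 203.0.113.0/25 stays a problem prefix here: its only less-specific carries a Bogon ASN too and would be rejected by the same filter.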
Hi Rafal, On Wed, Jun 08, 2016 at 07:00:54AM +0000, Rafal.Jankowski@thomsonreuters.com wrote:
And by the way could you please let me know what is the current status of implementing so called "IRR Lockdown" in NTT? If I remember correctly you planned in NTT to filter out route announcements for prefixes present in RIPE but not having correct Route Registry in RIPE. I'm just asking for my curiosity what is the current status for that plan?
We are facing two types of challenges: getting all impacted parties to move their route objects to the appropriate place. Secondly, from a software development perspective, it is somewhat difficult to bolt the irrlockdown features we want onto the existing IRRd daemon. We might postpone the irrlockdown until the IRRd roadmap is more clear. We've been toying with the idea to start from scratch in a modern language and create a backwards compatible, easy to extend, daemon which would then be "IRRd 4". Will keep you posted.
Kind regards,
Job
On 03.06.2016 06:53, Hank Nussbacher wrote:
You guys are my heroes! If 4-5 tier-0 ISPs would do exactly this, bogus ASNs would disappear in a week. Instead everyone talks while the problem gets larger (now over 5000): http://www.cidr-report.org/as2.0/bogus-as-advertisements.html
Indeed, well done! You may want to give a hand to the IXPs which run route servers as well, Hank. Most of them do excellent filtering. Not only on ASN but also on prefixes. Besides bogus AS advertisements, route leaks are the other plague we have to fight with. Here also most of the IXP RS take care that this doesn't happen.
Cheers,
Arnold
--
Arnold Nipper
Chief Technology Evangelist and Co-Founder
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net | Phone +49 69 1730902 22 | Mobile +49 172 2650958 | Fax +49 69 4056 2716 | arnold.nipper@de-cix.net | Geschaeftsfuehrer Harald A. Summa | Registergericht AG Koeln HRB 51135
On 02/06/2016 22:43, Job Snijders wrote:
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large. After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is either a misconfiguration or software issue.
Even though this is something "simple" and less likely to prevent the bigger bad things from happening (well, still could, but even AS200759's incident in April might not have been prevented), every little piece helps - and might trigger affected ISPs to check and clean up their configuration. Thus a strong +1. And others are encouraged to do the same (if not already doing it).
However, one note I'd like to add here: Some older JunOSes (probably IOSes as well) do not remove 32bit RFC6996 ASNs with remove-private (remove-private-as) from the path. In case one runs an older version (for whatever reasons) and makes use of RFC6996 32bit ASNs, better check now. IIRC (but that's 1+ year ago e.g. 12.3 will never see a proper 32bit aware remove-private version, 13.3 and 14.1 started to support it with some R# release ... ups, that's more j-nsp than routing-wg, sorry ;-).
Markus
PS: In case someone is concerned ... AS286 rejects (usually) prefixes with RFC6996 ASNs since years ... and hardly hit any real connectivity problems (at least not one which couldn't be solved). Fair enough, it might end differently for others ... depending on the traffic relation to these dropped networks. This probably changes if other ISPs suddenly start to filter these prefixes out as well and downstreams don't see it anymore from other upstreams ... but at least we are then not the only ones unable to reach the "problem prefixes" and the pressure towards the "bad ISP" is getting higher to finally fix it. And we commit to update our filters to Job's "extended" version before July, which will kick out another ~30 prefixes from our table soon ...
--
Darmstädter Landstrasse 184 | 60598 Frankfurt | Germany
+49 (0)178 5352346 | <Markus.Weber@kpn.DE> | www.kpn.de
KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main
Amtsgericht Frankfurt HRB99781 | USt.IdNr. DE 815496855
Geschäftsführer Jesus Martinez & Pieter Martijn Schelling
On 02/06/16 21:43, Job Snijders wrote:
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
Hi,
I have no problem with filtering Bogon ASNs from the AS_PATH.
However, I do want to mention that filtering route announcements with Bogon ASNs in the AGGREGATOR attribute will result in dropping the current RIS Routing Beacon announcements.
They overload the AGGREGATOR attribute with extra information to encode the time of the announcement, a sequence number, and the originating RRC, into the AGGREGATOR using private ASNs. The schema is documented here: https://www.ripe.net/analyse/internet-measurements/routing-information-servi...
This information has been used in many studies into prefix propagation and convergence, flap dampening, etc.
If there is a desire to block the propagation of routes with these attributes, we will need to investigate alternatives to the current beacon encoding.
We are, of course, happy to consider any community input into how this should be handled.
Kind Regards,
Colin
</hat="RIS">
--
Colin Petrie
Systems Engineer
RIPE NCC
Hi Colin, On Mon, Jun 13, 2016 at 04:19:38PM +0200, Colin Petrie wrote:
On 02/06/16 21:43, Job Snijders wrote:
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
However, I do want to mention that filtering route announcements with Bogon ASNs in the AGGREGATOR attribute will result in dropping the current RIS Routing Beacon announcements.
This is an astute observation! Thanks for spotting that :)
If there is a desire to block the propagation of routes with these attributes, we will need to investigate alternatives to the current beacon encoding.
We are, of course, happy to consider any community input into how this should be handled.
The aggregator IP address can still be used to encode information. I recommend using AS 3333 as the aggregator AS. Furthermore one could use 32-bit BGP communities (and possibly extended BGP communities too for a level of information redundancy) to encode additional meta information. Kind regards, Job
Dear Job, First of all - I admire that huge ASes are ready to become pioneers and adopt new techniques to stop route propagation of bogon routes. Leading by example - is a perfect way to start curing current ecosystem of BGP. But I have security consideration that filtering isn't a proper mechanism to reach this goal. Imagine next situation - if transit accidently prepends its paths with private AS number it will result in DoS for all stub networks connected to this transit. I think, better way is deprioritize bogon routes - this will stop propagation of such routes if there is any alternative and will not affect reachability in other cases. 2016-06-02 22:43 GMT+03:00 Job Snijders <job@ntt.net>:
Dear fellow network operators,
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is either a misconfiguration or software issue.
We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.
Bogon ASNs are currently defined as following:
0                      # Reserved RFC7607
23456                  # AS_TRANS RFC6793
64496-64511            # Reserved for use in docs and code RFC5398
64512-65534            # Reserved for Private Use RFC6996
65535                  # Reserved RFC7300
65536-65551            # Reserved for use in docs and code RFC5398
65552-131071           # Reserved
4200000000-4294967294  # Reserved for Private Use RFC6996
4294967295             # Reserved RFC7300
A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.
We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].
NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.
Kind regards,
Job
Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>
References:
[1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
[2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
[3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
[4]: http://as2914.net/bogon_asns/configuration_examples.txt
-- | Alexander Azimov | HLL l QRATOR | tel.: +7 499 241 81 92 | mob.: +7 915 360 08 86 | skype: mitradir | mailto: aa@qrator.net | visit: www.qrator.net
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
[filtering bogon ASes] But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit. I think a better way is to deprioritize bogon routes - this will stop propagation of such routes if there is any alternative and will not affect reachability in other cases.
Hi Alexander,
maybe I miss your point, but what would you do if the mentioned transit provider (being DoSed) would "accidentally" filter out/suppress announcing its stub network's prefixes? Or start to blackhole them? Mistakes happen, but you can't ask the global community to implement RFC-violating workarounds for such incidents. RFC6996 clearly states: Private Use ASNs MUST be removed from AS path attributes (...) before being advertised to the global Internet. Just accepting them with a lower local pref will not make anyone change sometime ... as broken setups would still continue to work.
And if the transit provider already "accidentally" prepends with private ASNs to his peers ... what would stop him from doing other crazy things (like leaking internally used more specifics of well known CDN providers)? And what would protect the Internet from being hit by this? Filters, but not lowering local-pref.
Filtering out prefixes with bogon ASNs in the path is for sure not the biggest security improvement - but every little step helps.
Markus
-- Darmstaedter Landstrasse 184 | 60598 Frankfurt | Germany +49 (0)178 5352346 | <Markus.Weber@kpn.DE> | www.kpn.de KPN EuroRings Germany B.V. | Niederlassung Frankfurt am Main Amtsgericht Frankfurt HRB99781 | USt.IdNr. DE 815496855 Geschaeftsfuehrer Jesus Martinez & Pieter Martijn Schelling
On Jun 14, 2016, at 9:51 AM, Alexander Azimov <aa@qrator.net> wrote:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit. I think a better way is to deprioritize bogon routes - this will stop propagation of such routes if there is any alternative and will not affect reachability in other cases.
With the types of hijacks and abuse that are ongoing and continue, one must have some minimum standards to be met. Not using a private ASN or sending 23456/AS_TRANS should not be routed at all. - Jared
Hi, On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit.
This is good. A transit ISP stupid enough to make such mistakes needs to pay in blood and money.
Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279
On 14.06.2016 at 20:43, Gert Doering <gert@space.net> wrote:
Hi,
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit.
This is good. A transit ISP stupid enough to make such mistakes needs to pay in blood and money.
+1 -- Sebastian Becker sb@lab.dtag.de
Dear colleagues,
I've made a small observation to check the existence of alternative paths - of more than 8k prefixes that are announced by private ASNs, only 2k of them have an alternative with a non-private origin. So I waive my suggestion, it's not going to work. Thank you all for comments!
2016-06-15 16:16 GMT+03:00 Sebastian Becker <sb@lab.dtag.de>:
On 14.06.2016 at 20:43, Gert Doering <gert@space.net> wrote:
Hi,
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit.
This is good. A transit ISP stupid enough to make such mistakes needs to pay in blood and money.
+1
-- Sebastian Becker sb@lab.dtag.de
-- | Alexander Azimov | HLL l QRATOR | tel.: +7 499 241 81 92 | mob.: +7 915 360 08 86 | skype: mitradir | mailto: aa@qrator.net | visit: www.qrator.net
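Added example (not part of the thread and not NTT's configuration): a Python model of the two policies debated above, rejecting any route whose AS_PATH contains a Bogon ASN versus only deprioritizing it, together with a count of how many affected prefixes have a clean alternative path, the kind of check reported in the message above. The routes, prefixes and non-bogon AS numbers are constructed, the function names are hypothetical, and only the AS_PATH (not the aggregator attribute) is inspected.

```python
# Bogon ASN ranges (inclusive) as listed in the announcement quoted in this thread.
BOGON_ASN_RANGES = [
    (0, 0),                    # Reserved, RFC7607
    (23456, 23456),            # AS_TRANS, RFC6793
    (64496, 64511),            # docs and code, RFC5398
    (64512, 65534),            # Private Use, RFC6996
    (65535, 65535),            # Reserved, RFC7300
    (65536, 65551),            # docs and code, RFC5398
    (65552, 131071),           # Reserved
    (4200000000, 4294967294),  # Private Use, RFC6996
    (4294967295, 4294967295),  # Reserved, RFC7300
]

# Constructed sample table: prefix -> AS_PATHs received for it (origin last).
# Prefixes are documentation ranges; non-bogon ASNs are arbitrary numbers.
ROUTES = {
    "192.0.2.0/24": [[3333, 64512, 1000]],                               # only path is tainted
    "198.51.100.0/24": [[3333, 64512, 2000], [4000, 5000, 6000, 2000]],  # clean alternative
    "203.0.113.0/24": [[3333, 3000]],                                    # clean
}

def is_bogon_asn(asn):
    return any(lo <= asn <= hi for lo, hi in BOGON_ASN_RANGES)

def bogons_in_path(as_path):
    """Bogon ASNs found anywhere in the path, deduplicated, in order."""
    return list(dict.fromkeys(a for a in as_path if is_bogon_asn(a)))

def select(routes, policy):
    """Pick one path per prefix. policy: 'reject' drops tainted paths;
    'deprioritize' uses them only when no clean path exists."""
    best = {}
    for prefix, paths in routes.items():
        clean = [p for p in paths if not bogons_in_path(p)]
        tainted = [p for p in paths if bogons_in_path(p)]
        pool = clean or (tainted if policy == "deprioritize" else [])
        best[prefix] = min(pool, key=len) if pool else None
    return best

def alternatives(routes):
    """(prefixes with a tainted path, those that also have a clean path)."""
    tainted = [p for p, paths in routes.items() if any(map(bogons_in_path, paths))]
    with_alt = [p for p in tainted if not all(map(bogons_in_path, routes[p]))]
    return len(tainted), len(with_alt)

if __name__ == "__main__":
    for policy in ("reject", "deprioritize"):
        print(policy, select(ROUTES, policy))
    print("tainted, with clean alternative:", alternatives(ROUTES))
```

Under "reject" the single-homed prefix loses reachability entirely, which is the outage scenario raised in the thread; under "deprioritize" it stays reachable through the tainted path, so the broken setup keeps working.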
Hi,
On 14 Jun 2016, at 20:43, Gert Doering <gert@space.net> wrote:
This is good. A transit ISP stupid enough to make such mistakes needs to pay in blood and money.
+1 Sander
Hi,
On 14.06.2016, at 20:43, Gert Doering <gert@space.net> wrote:
Hi,
On Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov wrote:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit.
This is good. A transit ISP stupid enough to make such mistakes needs to pay in blood and money.
+1 -- DI (FH) Michael Perzi UniVie / ACOnet / VIX michael.perzi@univie.ac.at // MP4729-RIPE Tel: +43 1 4277 - 14083 // Fax: - 814038
Tue, Jun 14, 2016 at 04:51:40PM +0300, Alexander Azimov:
But I have a security consideration that filtering isn't a proper mechanism to reach this goal. Imagine the next situation - if a transit accidentally prepends its paths with a private AS number, it will result in a DoS for all stub networks connected to this transit. I think a better way is to deprioritize bogon routes - this will stop propagation of such routes if there is any alternative and will not affect reachability in other cases.
These should not appear in the DFZ. I can think of no better way to encourage resolution than dropping such routes.
participants (15)
- Alexander Azimov
- Arnold Nipper
- Colin Petrie
- Gert Doering
- Hank Nussbacher
- heasley
- Jared Mauch
- Job Snijders
- Job Snijders
- Markus Weber
- Michael Perzi
- Netmaster (KPN Eurorings B.V. Germany)
- Rafal.Jankowski@thomsonreuters.com
- Sander Steffann
- Sebastian Becker