On Thu, Dec 15, 2011 at 11:28:48AM -0500, Drew Weaver wrote:
I could be wrong here but I believe origin-AS uses a lookup from the routing table to figure out what the originAS for the source IP should be (and not what it explicitly IS) which means the information is unreliable.
Using a bit of Cisco jargon, i believe we speak of source peer-AS and asymmetric routing. True what you say but a more accurate information can be achieved by correlation, ie. against the input interface. This leaves open the case of input traffic from a shared medium ie. an IXP. If using sFlow, MAC layer information would be pretty much available for the job; if using NetFlow instead, NetFlow v9 (and IPFIX .. brrr) could come to the rescue .. if was not for lack of implementation of the MAC layer primitives for routed traffic (ie. not switched) by the vendors on the bigger pieces of iron (ie. no ASR1K, software routers, etc.). Cheers, Paolo