On Tue, Jan 13, 2009 at 07:00:34AM -0800, David Barak wrote:
If the concern was a Pilosov/Kapela style hijack, wouldn't the first thing you'd check be what the address range was? That would lead you straight to Randy, and that should have cleared up the matter straightaway. Remember: the owner of the IP space is the victim, not the ASN which gets prepended into the path...

No, they are both victims. If I inject a path that purports there is an edge between two networks which are engaged in a bitter dispute, (I'll use cogent & sprint as an example) - _1239_174_ that may create a situation where someone asserts that their routes are being filtered when in fact no connectivity exists.

Does that mean that I hijacked their identity and forged it? What level of trust do you place in the AS_PATH for your routing, debugging and decision making process?

Personally, I would be upset if someone injected a route with my ASN in the AS_PATH without my permission.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++;     | http://puck.nether.net/~jared/ My statements are only mine.

Hi Jim...

We treated it with P1 until we realized it was a total waste of our time. It was the point of it too...

About 6 months ago we had a similar alarm (on the surface) where someone in Europe was advertising our AS number. After some careful checking it seemed to be simply a typo error but after about 20 minutes of it showing up in a path it disappeared and they started actually advertising one of our IP blocks and were able to do so due to lack of proper filtering on their upstream. If we had not been paying attention to this "little detail" it would have taken us more time to react and trace down what was going on - by paying attention we had several details already accounted for. The whole issue lasted about 30 minutes at which point their upstream provider had been notified and cut off their customer until proper filtering was put back into place.

I'll admit that was the only time we've ever had an issue or until this new incident an alarm condition. So, now for "academic purposes" we see another alarm and fear the worst. Yes, treating it as a P1 makes sense for us so far - we're batting 50/50 for legit problems with this stuff.

Paul

-----Original Message-----
From: jim deleskie [mailto:deleskie@gmail.com]
Sent: Tuesday, January 13, 2009 10:34 AM
To: Jared Mauch
Cc: NANOG list
Subject: Re: Anyone notice strange announcements for 174.128.31.0/24

Jared,

Fine which makes it an interesting data point and something to look at after lunch when I'm not doing something else kinda issue. Not something I'm going to treat as a P1 and drop everything work or real life related for. I'm not saying it shouldn't be looked at, just that in the grand scheme of the thing it's not a huge issue. Kinda like when people feel the need to tune IGP time sub second convergence but do impactful maint on routers or circuits 3-4 times a yr. If you lock the doggie door but leave the front door open the bad guys can walk right in.

:)

-jim

On Tue, Jan 13, 2009 at 11:06 AM, Jared Mauch <jared@puck.nether.net> wrote:
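Added example, not written by any poster in this thread: a sketch of the two alarm conditions the messages above argue over, namely your address space announced from a foreign origin and your ASN appearing in a path you never sent. It assumes a stub network with no AS_SETs in the path; the ASNs, prefixes, neighbor set and function names are constructed for illustration.

```python
import ipaddress

# Constructed values (documentation ASNs and prefixes), not from the thread.
MY_ASN = 64500
MY_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
MY_NEIGHBORS = {64501, 64502}  # ASNs this stub network really connects to


def collapse(as_path):
    """Drop prepending: consecutive repeats of the same ASN become one hop."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def overlaps_ours(net):
    """True if net covers, equals, or is a more-specific of one of our prefixes."""
    return any(
        net.version == p.version and (net.subnet_of(p) or p.subnet_of(net))
        for p in MY_PREFIXES
    )


def classify(prefix, as_path):
    """Return the alarms raised by one observed route (empty list = clean)."""
    net = ipaddress.ip_network(prefix)
    path = collapse(as_path)
    ours = overlaps_ours(net)
    alarms = []
    # The IP space owner is a victim: our prefix, someone else's origin.
    if ours and path[-1] != MY_ASN:
        alarms.append("prefix-hijack")
    if MY_ASN in path:
        # The ASN owner is a victim too: a stub AS should only ever
        # appear as the origin of its own prefixes.
        if not ours:
            alarms.append("asn-in-foreign-path")
        # Every hop next to our ASN must be a real neighbor; anything
        # else claims an edge that does not exist.
        for i, asn in enumerate(path):
            if asn != MY_ASN:
                continue
            adjacent = {path[j] for j in (i - 1, i + 1) if 0 <= j < len(path)}
            if adjacent - MY_NEIGHBORS and "forged-edge" not in alarms:
                alarms.append("forged-edge")
    return alarms
```

A transit network would need the customer cone in place of the stub assumption, since its ASN legitimately appears mid-path for customer prefixes.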