question about bogon prefix
Hi everyone,

I found many ISP announced bogon prefix, for example:

OriginAS  Announcement      Description
AS7018    172.116.0.0/24    unallocated
AS209     209.193.112.0/20  unallocated

my question is why the tier1 and other ISP announce these unallocated bogon prefixes, and another interesting question is:

If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with AS7018 announced? Will this result in prefix hijacking?

Thanks!

--
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.lsong@gmail.com

On Mon, Jun 9, 2014 at 11:00 PM, Song Li <refresh.lsong@gmail.com> wrote:
> Hi everyone,
>
> I found many ISP announced bogon prefix, for example:

sad, right?

> OriginAS  Announcement      Description
> AS7018    172.116.0.0/24    unallocated
> AS209     209.193.112.0/20  unallocated
>
> my question is why the tier1 and other ISP announce these unallocated bogon

OSS is hard.

> prefixes, and another interesting question is:
>
> If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with AS7018 announced? Will this result in prefix hijacking?

technically you are probably hijacking a hijack :( or something like that.

> Thanks!
>
> --
> Song Li
> Room 4-204, FIT Building,
> Network Security,
> Department of Electronic Engineering,
> Tsinghua University, Beijing 100084, China
> Tel:( +86) 010-62446440
> E-mail: refresh.lsong@gmail.com

On 6/9/2014 11:00 PM, Song Li wrote:
> Hi everyone,
>
> I found many ISP announced bogon prefix, for example:
>
> OriginAS  Announcement      Description
> AS7018    172.116.0.0/24    unallocated
> AS209     209.193.112.0/20  unallocated
>
> my question is why the tier1 and other ISP announce these unallocated bogon prefixes, and another interesting question is:

You could also ask why are other providers accepting the route, since I could announce 209.193.112.0/20 from my router and my upstream would reject it. Of course, those two ASNs have a huge number of routes so they probably aren't filtered as closely by their peers.

But.. even if you're hyper diligent and blocking bogon routes, you'll need to ask yourself why it's not in the bogon list:

    curl -s http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt | grep 209.193

It's also not on http://www.cymru.com/BGP/bogons.html but 172.116.0.0/24 is.

Now, according to this:

http://myip.ms/view/ip_addresses/3519115264/209.193.112.0_209.193.112.255

It belongs to the Franciscan Health System. The one IP that is in DNS seems to back this up (it's called mercyvpn.org)

Whois Record created: 04 Jan 2005
Whois Record updated: 24 Feb 2012

My guess is one of two things. Maybe they renumbered out of the /20 but left a VPN server up and haven't managed to migrate off it yet, but they have asked to return the block.. or, they forgot to pay their bill to ARIN and the block has been removed from whois but Qwest isn't as diligent because they're still being paid.

I've CC'd the technical contact listed in the old whois information so maybe he can get things corrected.

> If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with AS7018 announced? Will this result in prefix hijacking?
>
> Thanks!

I can find nothing on google that offers any legitimacy for 172.116.0.0/24, but it has been announced for 2 years so maybe there is some squatter's rights at least. It doesn't appear to be a spam source and I don't think any hosts are up on it right now. Maybe it's a test route that never got removed.

It makes me sad that nobody at ATT reads the CIDR report. They've only got a couple of bogon announcements so it would be trivial for them to either acknowledge them and claim legitimacy or clean them up.

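An added example, not part of the original thread: the grep in the message above is a string match, so it finds a prefix only when those digits appear in a list entry and would miss a shorter aggregate that covers the announcement. The Python below does the containment check instead; `parse_bogons`, `classify` and the sample list are constructed for illustration, assuming a one-CIDR-per-line file with `#` comment lines.

```python
import ipaddress

# Constructed sample in a one-CIDR-per-line layout ('#' starts a comment).
# These entries are illustrative only, not real bogon list data.
SAMPLE_BOGONS = """\
# last updated (constructed sample)
10.0.0.0/8
172.16.0.0/12
172.116.0.0/16
192.168.0.0/16
"""


def parse_bogons(text):
    """Return the networks listed in a bogon file, skipping blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify(prefix, bogons):
    """Relate an announced prefix to the bogon list.

    Returns (verdict, matches): 'covered' when a bogon entry contains the
    whole announcement, 'partial' when the announcement contains bogon
    space, 'clean' otherwise. CIDR blocks are either nested or disjoint,
    so these three cases are exhaustive.
    """
    announced = ipaddress.ip_network(prefix, strict=False)
    same_family = [b for b in bogons if b.version == announced.version]
    covering = [b for b in same_family if announced.subnet_of(b)]
    if covering:
        return "covered", covering
    inside = [b for b in same_family if b.subnet_of(announced)]
    if inside:
        return "partial", inside
    return "clean", []


if __name__ == "__main__":
    bogons = parse_bogons(SAMPLE_BOGONS)
    for p in ("172.116.0.0/24", "209.193.112.0/20", "172.0.0.0/8"):
        verdict, matches = classify(p, bogons)
        print(p, verdict, [str(m) for m in matches])
```

A 'clean' verdict only means the prefix is absent from the list that was loaded; as the message above notes, the list itself can lag behind the registry.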
On Tue, Jun 10, 2014 at 12:57 AM, Robert Drake <rdrake@direcpath.com> wrote:
<snip>
> My guess is one of two things. Maybe they renumbered out of the /20 but left a VPN server up and haven't managed to migrate off it yet, but they have asked to return the block.. or, they forgot to pay their bill to ARIN and the block has been removed from whois but Qwest isn't as diligent because they're still being paid.

This brings up a good point which came to mind recently.

What process(es) do folks use for cases where an address block and/or ASN seems to no longer have whois info associated (e.g. where authorization to use may have been revoked)?

Do the RIRs have a process for notifying the community or at least the upstream providers that something has changed?

Thanks for insight from the community.

Tony

participants (4)
- Christopher Morrow
- Robert Drake
- Song Li
- Tony Tauber