AT&T carrying rfc1918 on the as7018 backbone?
First, yes I know I should call AT&T but I want to know if anyone else sees this problem:
I have a customer that is multi-homed to AT&T and WCOM. They accept "default" via BGP from both providers and announce a handful of prefixes to both providers.
Given that they receive default, it's just the same as if they had a *static* default to both providers.
The customer installed a "network mapping tool" today and suddenly discovered they were seeing RFC1918 addresses in the map (hundreds of them) that were *not* part of the customer's internal network. It turns out that from what we can tell, insightbb.com (an AT&T sub or customer) is probably unintentionally leaking 10/8 and AT&T is propagating that across their network. Since the customer defaults for any "unknown" destination, they're crossing the AT&T network.
If my customer had been taking full routing, with appropriate filters of course, they wouldn't be seeing this. But given that they are taking default, they see it.
So I just wanted to see if anyone that is defaulting to AT&T is seeing this same problem just to verify that what we're seeing is correct (for my customer's edification). Yes, I'm calling AT&T now :)
-b
On Thu, 22 Jan 2004, Brett Watson wrote:
First, yes I know I should call AT&T but I want to know if anyone else sees this problem:
I have a customer that is multi-homed to AT&T and WCOM. They accept "default" via BGP from both providers and announce a handful of prefixes to both providers.
Given that they receive default, it's just the same as if they had a *static* default to both providers.
The customer installed a "network mapping tool" today and suddenly discovered they were seeing RFC1918 addresses in the map (hundreds of them) that were *not* part of the customer's internal network. It turns out that from what we can tell, insightbb.com (an AT&T sub or customer) is probably unintentionally leaking 10/8 and AT&T is propagating that across their network. Since the customer defaults for any "unknown" destination, they're crossing the AT&T network.
If my customer had been taking full routing, with appropriate filters of course, they wouldn't be seeing this. But given that they are taking default, they see it.
So I just wanted to see if anyone that is defaulting to AT&T is seeing this same problem just to verify that what we're seeing is correct (for my customer's edification). Yes, I'm calling AT&T now :)
Yep, they are sending 10.X.X.X routes to customers. From several places actually, Level3, Comcast (multiple AS's), AT&T, MediaOne, and AccessPoint. bye, ken emery
The router at route-server.ip.att.net shows about 25 10.0.0.0/8 prefixes, most showing up over 4 weeks ago.
--- ken emery <ken@cnet.com> wrote:
On Thu, 22 Jan 2004, Brett Watson wrote:
So I just wanted to see if anyone that is defaulting to AT&T is seeing this same problem just to verify that what we're seeing is correct (for my customer's edification). Yes, I'm calling AT&T now :)
Yep, they are sending 10.X.X.X routes to customers. From several places actually, Level3, Comcast (multiple AS's), AT&T, MediaOne, and AccessPoint.
Once upon a time, Stephen Fisher <stephentfisher@yahoo.com> said:
The router at route-server.ip.att.net shows about 25 10.0.0.0/8 prefixes, most showing up over 4 weeks ago.
They do not appear to be announcing those routes to customers however (at least not this customer), but setting a static route pointing at our AT&T link does show that they will route 10.0.0.0/8 traffic (at least a few random IPs I tried).
-- Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
On Jan 22, 2004, at 5:53 PM, Brett Watson wrote:
The router at route-server.ip.att.net shows about 25 10.0.0.0/8 prefixes, most showing up over 4 weeks ago.
Odd. I didn't see this when looking at at&t's looking glass via web browser. I was looking for some smaller prefixes though and didn't just look for 10/8 :-/
show ip bgp 10.0.0.0/8 longer-prefixes is your friend in this case.
-b
-- Matt Levine <matt@deliver3.com> @Work: http://www.cachenetworks.com/ GPG Key: 0xC581FB64 "The Trouble with doing anything right the first time is that nobody appreciates how difficult it was." -BIX
On Thu, 22 Jan 2004, Brett Watson wrote:
The router at route-server.ip.att.net shows about 25 10.0.0.0/8 prefixes, most showing up over 4 weeks ago.
Odd. I didn't see this when looking at at&t's looking glass via web browser. I was looking for some smaller prefixes though and didn't just look for 10/8 :-/
Btw, I was wrong in saying Level3 was one of the sources. They are announcing 8/8 which was just above the 10.X announcements. I was off by a line. Sorry if this caused any confusion. Btw, the announcements we are seeing are sized from /12 to /24. bye, ken emery
On Thu, Jan 22, 2004 at 03:21:01PM -0700, Brett Watson wrote:
First, yes I know I should call AT&T but I want to know if anyone else sees this problem:
[snip]
[random destinations chosen, first few hops removed on purpose]
traceroute to 10.150.5.1 (10.150.5.1), 30 hops max, 38 byte packets
4 bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46) 9.621 ms 12.405 ms 8.635 ms
5 12.118.239.77 (12.118.239.77) 21.055 ms 22.684 ms 17.674 ms
6 tbr1-p012301.cgcil.ip.att.net (12.123.6.9) 21.249 ms 18.653 ms 32.055 ms
7 tbr1-cl1.sffca.ip.att.net (12.122.10.6) 60.504 ms 65.109 ms 63.290 ms
8 gbr1-p10.sffca.ip.att.net (12.122.11.66) 60.401 ms 62.929 ms 59.776 ms
9 gar1-p360.sffca.ip.att.net (12.123.13.57) 60.556 ms 60.769 ms 63.278 ms
10 12.126.195.122 (12.126.195.122) 62.064 ms 60.966 ms 64.617 ms
11 12.244.67.25 (12.244.67.25) 75.027 ms 68.277 ms 66.029 ms
12 12.244.67.21 (12.244.67.21) 66.410 ms 67.539 ms 67.902 ms
13 12.244.98.215 (12.244.98.215) 68.285 ms 69.883 ms 83.187 ms
14 10.150.5.1 (10.150.5.1) 72.288 ms 72.797 ms 70.952 ms
traceroute to 10.240.0.1 (10.240.0.1), 30 hops max, 38 byte packets
4 bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46) 12.024 ms 9.476 ms 9.918 ms
5 12.118.239.77 (12.118.239.77) 30.056 ms 20.397 ms 17.087 ms
6 tbr2-p012301.cgcil.ip.att.net (12.123.6.13) 19.700 ms 36.509 ms 20.223 ms
7 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 27.903 ms 37.704 ms 24.727 ms
8 tbr2-cl6.dlstx.ip.att.net (12.122.10.90) 39.469 ms 39.656 ms 39.857 ms
9 tbr1-p013601.dlstx.ip.att.net (12.122.9.161) 39.150 ms 41.235 ms 38.007 ms
10 tbr2-cl1.attga.ip.att.net (12.122.2.90) 59.744 ms 58.258 ms 58.824 ms
11 gbr2-p20.attga.ip.att.net (12.122.12.38) 56.180 ms 62.450 ms 55.442 ms
12 gar1-p370.attga.ip.att.net (12.123.21.5) 74.746 ms 59.692 ms 57.531 ms
13 12.244.72.90 (12.244.72.90) 60.589 ms 62.514 ms 60.926 ms
14 c-66-56-66-73.atl.client2.attbi.com (66.56.66.73) 57.664 ms
ATTBB (Now Comcast) uses ATT.net for connectivity, Comcast has to reach all their cable modems across the USA from their outsourced tech support centers, thus, att.net routes 10/8 across their network.
-- Matthew S. Hallacy
FUBAR, LART, BOFH Certified
http://www.poptix.net
GPG public key 0x01938203
On Thu, 22 Jan 2004, Matthew S. Hallacy wrote: <snip>
ATTBB (Now Comcast) uses ATT.net for connectivity, Comcast has to reach all their cable modems across the USA from their outsourced tech support centers, thus, att.net routes 10/8 across their network.
Okay, that's fine. However why are there routes from Level3? Also I'm not Comcast so why am I seeing the routes? Also if Comcast needs this they should be paying for a tunnel over AT&T network (like the rest of us would have to do). bye, ken emery
On Thu, 22 Jan 2004, Brett Watson wrote:
The customer installed a "network mapping tool" today and suddenly discovered they were seeing RFC1918 addresses in the map (hundreds of them) that were *not* part of the customer's internal network. It turns out that from what we can tell, insightbb.com (an AT&T sub or customer) is probably unintentionally leaking 10/8 and AT&T is propagating that across their network. Since the customer defaults for any "unknown" destination, they're crossing the AT&T network.
RFC1918 addresses are unpredictable on any network other than your own. You shouldn't make assumptions about them. Anyone may use them for any purpose on their network. If you send packets into their network using RFC1918 addresses, you get whatever you get. If you require certainty it's up to you to impose your policy at your edge. Does sending packets to RFC1918 addresses on other networks meet the "be conservative in what you send" credo?
RFC1918 addresses are unpredictable on any network other than your own. You shouldn't make assumptions about them. Anyone may use them for any purpose on their network. If you send packets into their network using RFC1918 addresses, you get whatever you get. If you require certainty it's up to you to impose your policy at your edge.
Does sending packets to RFC1918 addresses on other networks meet the "be conservative in what you send" credo?
I understand all that. We're working with the customer to harden the border (ACLs) and possibly take a bogon feed, etc. I was just having a hard time believing AT&T was leaking 10/8 and that any other large provider was accepting it so wanted to verify. -b
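An added example, not part of the thread or any participant's code: an offline equivalent of the `longer-prefixes` check across all three RFC1918 blocks, plus the edge decision a default-only site needs so that private destinations it does not own never follow the provider default. The route list and the internal prefix 10.1.0.0/16 are constructed for illustration; 10.150.5.1 is the destination from the traceroute above.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of received routes. 8.0.0.0/8 and 172.32.0.0/16 sit
# right next to private space but are public and must not be flagged.
SAMPLE_ROUTES = ["8.0.0.0/8", "10.150.0.0/16", "10.240.0.0/12",
                 "10.1.2.0/24", "12.0.0.0/8", "172.20.0.0/14",
                 "172.32.0.0/16"]


def rfc1918_routes(prefixes):
    """Return the prefixes that are equal to or more specific than an
    RFC 1918 block (what 'longer-prefixes' shows, for all three blocks)."""
    hits = []
    for text in prefixes:
        net = ipaddress.ip_network(text, strict=False)
        if any(net.subnet_of(block) for block in RFC1918):
            hits.append(str(net))
    return hits


def egress_decision(dest, internal_prefixes):
    """Classify a destination at the border of a default-only site.

    internal_prefixes is the site's own address plan (hypothetical input).
    """
    addr = ipaddress.ip_address(dest)
    if any(addr in ipaddress.ip_network(p) for p in internal_prefixes):
        return "internal"   # our own private space: route normally
    if any(addr in block for block in RFC1918):
        return "drop"       # private but not ours: filter, do not follow default
    return "default"        # public destination: follow the provider default


if __name__ == "__main__":
    print(rfc1918_routes(SAMPLE_ROUTES))
    for dest in ("10.150.5.1", "10.1.4.4", "12.123.6.9"):
        print(dest, egress_decision(dest, ["10.1.0.0/16"]))
```
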
On Thu, 22 Jan 2004, Brett Watson wrote:
I was just having a hard time believing AT&T was leaking 10/8 and that any other large provider was accepting it so wanted to verify.
Wasn't it established that they did in fact not leak it but just routed it inside their own network? //tlund
On Fri, 23 Jan 2004, Tomas Lund wrote:
On Thu, 22 Jan 2004, Brett Watson wrote:
I was just having a hard time believing AT&T was leaking 10/8 and that any other large provider was accepting it so wanted to verify.
Wasn't it established that they did in fact not leak it but just routed it inside their own network?
This is not true. I am attached to 7018 and we saw 10/X routes. We are not AT&T. bye, ken emery
participants (8)
- Brett Watson
- Chris Adams
- ken emery
- Matt Levine
- Matthew S. Hallacy
- Sean Donelan
- Stephen Fisher
- Tomas Lund