Bogon ASN Filter Policy
Dear fellow network operators, In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large. After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute. The reasoning behind this policy is twofold: - Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts. - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is a either a misconfiguration or software issue. We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting. Bogon ASNs are currently defined as following: 0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300 A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly. We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4]. NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis. Kind regards, Job Contact persons: Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net> References: [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml [4]: http://as2914.net/bogon_asns/configuration_examples.txt
I personally applaud this effort as initiatives like this that help prevent the global propagation of Bogons and other "bad things" only serves to help us all. With that said, notice went out to potentially affected GTT / AS3257 customers this week that by the end of June we too will be filtering prefixes that contain any of the Bogon ASNs listed below in the in the as-path. I highly encourage other networks to follow suit, as again it only helps us all. Thanks Job for kicking this one off, and I look forward to others to doing the same! Adam Davenport / adam.davenport@gtt.net On 6/2/16 3:41 PM, Job Snijders wrote:
Dear fellow network operators,
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is a either a misconfiguration or software issue.
We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.
Bogon ASNs are currently defined as following:
0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300
A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.
We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].
NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.
Kind regards,
Job
Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>
References: [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml [4]: http://as2914.net/bogon_asns/configuration_examples.txt
AT&T/as7018 is also now in the process of updating its as-path bogon filters to match those cited below. We have long employed such filters, and our changes at this time are primarily to extend them to prohibit as23456 and the reserved blocks > as65535. So to Job and Adam and anyone else who deploys such filters: Thanks! I would like to extend to you this laurel, and hearty handshake... On 02-June-2016, Adam Davenport writes:
I personally applaud this effort as initiatives like this that help prevent the global propagation of Bogons and other "bad things" only serves to help us all. With that said, notice went out to potentially affected GTT / AS3257 customers this week that by the end of June we too will be filtering prefixes that contain any of the Bogon ASNs listed below in the in the as-path. I highly encourage other networks to follow suit, as again it only helps us all.
Thanks Job for kicking this one off, and I look forward to others to doing the same!
Adam Davenport / adam.davenport@gtt.net
On 6/2/16 3:41 PM, Job Snijders wrote:
Dear fellow network operators,
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is a either a misconfiguration or software issue.
We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.
Bogon ASNs are currently defined as following:
0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300
A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.
We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].
NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.
Kind regards,
Job
Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>
References: [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml [4]: http://as2914.net/bogon_asns/configuration_examples.txt
On 03.06.2016 15:08, Jay Borkenhagen wrote:
AT&T/as7018 is also now in the process of updating its as-path bogon filters to match those cited below. We have long employed such filters, and our changes at this time are primarily to extend them to prohibit as23456 and the reserved blocks > as65535.
So to Job and Adam and anyone else who deploys such filters: Thanks! I would like to extend to you this laurel, and hearty handshake...
Well done, NTT, GTT, AT&T. You may want to notice that most of the IXP around the world which operate route servers since long do strict filtering. Both on ASN as well as on prefixes. So it's really nice to see, that the big ISP take care as well now. As I have learnt yesterday at ENOG11 a way more challenging issue is to cope with route leaks. Cheers and cu in chi Arnold
On 02-June-2016, Adam Davenport writes:
I personally applaud this effort as initiatives like this that help prevent the global propagation of Bogons and other "bad things" only serves to help us all. With that said, notice went out to potentially affected GTT / AS3257 customers this week that by the end of June we too will be filtering prefixes that contain any of the Bogon ASNs listed below in the in the as-path. I highly encourage other networks to follow suit, as again it only helps us all.
Thanks Job for kicking this one off, and I look forward to others to doing the same!
Adam Davenport / adam.davenport@gtt.net
On 6/2/16 3:41 PM, Job Snijders wrote:
Dear fellow network operators,
In July 2016, NTT Communications' Global IP Network AS2914 will deploy a new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is a either a misconfiguration or software issue.
We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.
Bogon ASNs are currently defined as following:
0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300
A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.
We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].
NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.
Kind regards,
Job
Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>
References: [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml [4]: http://as2914.net/bogon_asns/configuration_examples.txt
-- Arnold Nipper / nIPper consulting, Sandhausen, Germany email: arnold@nipper.de phone: +49 6224 5593407 2 mobile: +49 172 2650958 fax: +49 6224 5593407 9
I'm not against the theory of what is being proposed, but I was surprised to see little discussion of this announcement on list. Upon examination on my view of the DFZ from AS3128 I see over 400 upstream routes falling into this category, mostly in the 64512 - 65534 range. Based on our flow bandwidth stats we chose to reach out to several origin ASN, two fairly well known, as a courtesy. For the *TT's who are planning on implementing shortly, have you went through a similar diagnostic effort and what might you share or report on such endeavors? -Michael
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Arnold Nipper Sent: Wednesday, June 08, 2016 12:37 AM To: Jay Borkenhagen <jayb@att.com>; nanog@nanog.org Subject: Re: Bogon ASN Filter Policy
On 03.06.2016 15:08, Jay Borkenhagen wrote:
AT&T/as7018 is also now in the process of updating its as-path bogon filters to match those cited below. We have long employed such filters, and our changes at this time are primarily to extend them to prohibit as23456 and the reserved blocks > as65535.
So to Job and Adam and anyone else who deploys such filters: Thanks! I would like to extend to you this laurel, and hearty handshake...
Well done, NTT, GTT, AT&T. You may want to notice that most of the IXP around the world which operate route servers since long do strict filtering. Both on ASN as well as on prefixes. So it's really nice to see, that the big ISP take care as well now.
As I have learnt yesterday at ENOG11 a way more challenging issue is to cope with route leaks.
Cheers and cu in chi Arnold
On 02-June-2016, Adam Davenport writes:
I personally applaud this effort as initiatives like this that help prevent the global propagation of Bogons and other "bad things" only serves to help us all. With that said, notice went out to potentially affected GTT / AS3257 customers this week that by the end of June we too will be filtering prefixes that contain any of the Bogon ASNs listed below in the in the as-path. I highly encourage other networks to follow suit, as again it only helps us all.
Thanks Job for kicking this one off, and I look forward to others to doing the same!
Adam Davenport / adam.davenport@gtt.net
On 6/2/16 3:41 PM, Job Snijders wrote:
Dear fellow network operators,
In July 2016, NTT Communications' Global IP Network AS2914 will deploy
a
new routing policy to block Bogon ASNs from its view of the default-free zone. This notification is provided as a courtesy to the network community at large.
After the Bogon ASN filter policy has been deployed, AS 2914 will not accept route announcements from any eBGP neighbor which contains a Bogon ASN anywhere in the AS_PATH or its atomic aggregate attribute.
The reasoning behind this policy is twofold:
- Private or Reserved ASNs have no place in the public DFZ. Barring these from the DFZ helps improve accountability and dampen accidental exposure of internal routing artifacts.
- All AS2914 devices support 4-byte ASNs. Any occurrence of "23456" in the DFZ is a either a misconfiguration or software issue.
We are undertaking this effort to improve the quality of routing data as part of the global ecosystem. This should improve the security posture and provide additional certainty [1] to those undertaking network troubleshooting.
Bogon ASNs are currently defined as following:
0 # Reserved RFC7607 23456 # AS_TRANS RFC6793 64496-64511 # Reserved for use in docs and code RFC5398 64512-65534 # Reserved for Private Use RFC6996 65535 # Reserved RFC7300 65536-65551 # Reserved for use in docs and code RFC5398 65552-131071 # Reserved 4200000000-4294967294 # Reserved for Private Use RFC6996 4294967295 # Reserved RFC7300
A current overview of what are considered Bogon ASNs is maintained at NTT's Routing Policies page [2]. The IANA Autonomous System Number Registry [3] is closely tracked and the NTT Bogon ASN definitions are updated accordingly.
We encourage network operators to consider deploying similar policies. Configuration examples for various platforms can be found here [4].
NTT staff is monitoring current occurrences of Bogon ASNs in the routing system and reaching out to impacted parties on a weekly basis.
Kind regards,
Job
Contact persons:
Job Snijders <job@ntt.net>, Jared Mauch <jmauch@us.ntt.net>, NTT Communications NOC <noc@ntt.net>
References: [1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00 [2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon [3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml [4]: http://as2914.net/bogon_asns/configuration_examples.txt
-- Arnold Nipper / nIPper consulting, Sandhausen, Germany email: arnold@nipper.de phone: +49 6224 5593407 2 mobile: +49 172 2650958 fax: +49 6224 5593407 9
On 8/Jun/16 14:56, Michael Hare wrote:
I'm not against the theory of what is being proposed, but I was surprised to see little discussion of this announcement on list.
Upon examination on my view of the DFZ from AS3128 I see over 400 upstream routes falling into this category, mostly in the 64512 - 65534 range. Based on our flow bandwidth stats we chose to reach out to several origin ASN, two fairly well known, as a courtesy.
For the *TT's who are planning on implementing shortly, have you went through a similar diagnostic effort and what might you share or report on such endeavors?
At the very least, "remove-private-as" should be a standard step in the procedure of turning up any eBGP session. Mark.
Dear Michael, On Wed, Jun 08, 2016 at 12:56:18PM +0000, Michael Hare wrote:
Upon examination on my view of the DFZ from AS3128 I see over 400 upstream routes falling into this category, mostly in the 64512 - 65534 range. Based on our flow bandwidth stats we chose to reach out to several origin ASN, two fairly well known, as a courtesy.
For the *TT's who are planning on implementing shortly, have you went through a similar diagnostic effort and what might you share or report on such endeavors?
Below is a copy+paste from the weekly report which drives our outreach effort. We recognise two types of prefixes: "Problem prefixes" and "problems resolved by a less specific". It seems likely that the "saved by overlapping less-specific" ones are the result of accidental exposure of something that should remain internal, and the "problem prefixes" are likely to be misconfigurations or software issues. Hopefully, by the time we actually deploy the new policy, all of these have been resolved. When we started the outreach 3 weeks ago, the "problem prefixes" count was at ~ 250 prefixes, and today its just 100. --------------------------------------- Dear reader, This is an automated report to provide insight into the effects of the new Bogon ASN as-path filters NTT will deploy in July 2016. This script parses a full table RIB dump as seen from a customer perspective (kiera.meerval.net in Amsterdam) and searches which prefixes would be dropped without causing too much concern, and which prefixes might fall off the routing table. Bogon ASNs are defined as: 0, 23456, 64496-131071, 4200000000-4294967295 Problem prefixes: (100 issues) ----------------------------- 23.111.250.0/24 (path: 2914 174 15003 15003 15003 15003 15003 15003 15003 64666 ) 185.153.56.0/24 (path: 2914 174 199203 64600 ) 185.5.141.0/24 (path: 2914 174 5563 65300 5563 ) 108.57.142.0/23 (path: 2914 701 64512 ) 108.57.144.0/21 (path: 2914 701 64512 ) 108.57.152.0/21 (path: 2914 701 64512 ) 112.133.192.0/18 (path: 2914 1273 55410 24186 45851 59194 64608 ) 122.15.0.0/16 (path: 2914 1273 55410 26685 55917 65001 65002 65003 134007 134041 134304 ) 182.19.80.0/21 (path: 2914 1273 55410 58906 65001 ) 91.233.214.0/23 (path: 2914 1299 24589 23456 ) 176.103.176.0/20 (path: 2914 1299 24589 23456 ) 176.103.192.0/21 (path: 2914 1299 24589 23456 ) 208.78.104.0/21 (path: 2914 2828 13703 22626 64512 ) 103.199.88.0/22 (path: 2914 3257 9498 9730 23456 ) 188.247.64.0/19 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) 111.235.148.0/22 (path: 2914 3257 9498 9730 23456 ) 103.197.240.0/22 (path: 2914 3257 9498 9730 23456 ) 103.225.224.0/22 (path: 2914 3257 9498 9730 23456 ) 137.59.8.0/22 (path: 2914 3257 9498 9730 23456 ) 80.90.160.0/20 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) 192.96.139.0/24 (path: 2914 3356 11845 65610 ) 186.226.16.0/20 (path: 2914 3356 3549 16594 23456 262763 ) 194.169.32.0/20 (path: 2914 4589 8190 4200000246 ) 2001:df0:458::/48 (path: 2914 4755 18229 64701 65502 65309 ) 103.57.64.0/22 (path: 2914 4755 133987 65350 ) 162.247.245.0/24 (path: 2914 6327 55117 64512 ) 185.103.109.0/24 (path: 2914 6461 43350 23456 ) 31.220.112.0/21 (path: 2914 6663 31317 65528 ) 200.0.209.0/24 (path: 2914 6762 7303 262195 23456 7005 7005 7005 ) 200.0.210.0/24 (path: 2914 6762 7303 262195 23456 7005 7005 7005 ) 200.0.211.0/24 (path: 2914 6762 7303 262195 23456 7005 7005 7005 ) 200.59.127.0/24 (path: 2914 6762 7303 262195 23456 262195 262195 10617 ) 200.59.120.0/24 (path: 2914 6762 7303 262195 23456 262195 262195 10617 ) 200.59.121.0/24 (path: 2914 6762 7303 262195 23456 262195 262195 10617 ) 190.13.94.0/24 (path: 2914 6762 7303 262195 23456 52351 ) 2a07:33c0::/29 (path: 2914 6830 12676 54431 65100 ) 192.108.127.0/24 (path: 2914 7029 393543 65001 ) 70.40.139.0/24 (path: 2914 7029 19397 64712 ) 93.95.176.0/24 (path: 2914 8928 15924 65411 ) 79.170.168.0/24 (path: 2914 8928 15924 65411 ) 213.252.251.0/24 (path: 2914 9002 9002 9002 9002 9002 42979 201201 199527 65529 199527 199527 ) 2a03:7380:4000::/42 (path: 2914 9002 13188 64604 ) 2a03:7380:4040::/42 (path: 2914 9002 13188 64604 ) 185.91.236.0/23 (path: 2914 9009 9009 9009 65052 ) 93.113.208.0/22 (path: 2914 9009 6910 65002 ) 91.102.64.0/21 (path: 2914 9009 9009 9009 65433 ) 103.16.229.0/24 (path: 2914 9304 133398 64513 ) 103.195.55.0/24 (path: 2914 9498 58601 24323 65005 64058 ) 103.57.151.0/24 (path: 2914 9498 58717 58736 58599 65534 38026 63984 ) 188.65.30.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 188.65.31.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 188.65.26.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 15679 15679 15679 15679 15679 ) 188.65.27.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 15679 15679 15679 15679 15679 ) 188.65.24.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 188.65.25.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 2400:5200:1400::/40 (path: 2914 9498 55410 38266 65001 65010 ) 210.24.216.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.218.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.219.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.212.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.214.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.210.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.208.0/24 (path: 2914 10026 4628 9255 65010 ) 210.24.209.0/24 (path: 2914 10026 4628 9255 65010 ) 142.148.224.0/24 (path: 2914 12179 14630 64512 ) 142.148.225.0/24 (path: 2914 12179 14630 64512 ) 2a02:4680:f::/48 (path: 2914 12389 42608 65500 65501 ) 195.135.240.0/22 (path: 2914 12389 21453 49893 50802 65001 ) 46.229.74.0/23 (path: 2914 12389 25549 65526 ) 46.151.104.0/21 (path: 2914 12389 21453 49893 50802 65001 ) 192.150.214.0/23 (path: 2914 13768 65013 ) 208.86.242.0/24 (path: 2914 14265 46926 65001 46926 46926 46926 46926 46926 46926 ) 192.16.2.0/24 (path: 2914 15133 65405 ) 192.16.3.0/24 (path: 2914 15133 65405 ) 194.69.42.0/24 (path: 2914 15830 65501 21160 21160 ) 91.208.64.0/24 (path: 2914 20485 198816 65005 47593 ) 199.7.166.0/24 (path: 2914 22626 64512 ) 199.7.167.0/24 (path: 2914 22626 64512 ) 208.83.6.0/23 (path: 2914 22626 64512 ) 2620:be:8000::/48 (path: 2914 22773 64514 ) 2602:ff61::/48 (path: 2914 22773 65005 ) 130.0.231.0/24 (path: 2914 23352 39470 18919 65156 ) 143.41.0.0/21 (path: 2914 25180 4200000368 ) 143.41.8.0/21 (path: 2914 25180 4200000501 ) 185.129.208.0/24 (path: 2914 25180 4200000382 ) 185.129.209.0/24 (path: 2914 25180 4200000382 ) 185.52.36.0/22 (path: 2914 25180 4200000090 ) 176.122.192.0/23 (path: 2914 25180 4200000402 ) 139.143.0.0/16 (path: 2914 25180 4200000318 ) 195.95.131.0/24 (path: 2914 25180 4200000365 ) 82.139.64.0/18 (path: 2914 41887 41887 65031 ) 185.117.10.0/24 (path: 2914 44217 65500 ) 185.117.11.0/24 (path: 2914 44217 65500 ) 185.117.8.0/24 (path: 2914 44217 65500 ) 185.117.9.0/24 (path: 2914 44217 65500 ) 91.234.228.0/24 (path: 2914 47872 20771 16010 65009 198874 ) 119.235.130.0/24 (path: 2914 63928 24427 64928 ) 119.235.131.0/24 (path: 2914 63928 24427 64928 ) 119.235.128.0/24 (path: 2914 63928 24427 64928 ) 119.235.129.0/24 (path: 2914 63928 24427 64928 ) resolved by virtue of existing overlapping prefix: -------------------------------------------------- 116.50.64.0/18 (path: 2914 3257 9498 38529 ) contains: 116.50.78.0/23 (path: 2914 9498 38529 64520 ) 116.50.90.0/24 (path: 2914 4755 38529 64520 ) 116.50.80.0/24 (path: 2914 9498 38529 64520 ) 116.50.85.0/24 (path: 2914 9498 38529 64520 ) 123.30.64.0/20 (path: 2914 58453 45899 7643 ) contains: 123.30.74.0/24 (path: 2914 58453 45899 45899 65512 ) 123.30.75.0/24 (path: 2914 58453 45899 45899 65512 ) 124.92.0.0/14 (path: 2914 4837 4837 ) contains: 124.93.212.0/23 (path: 2914 4837 65501 ) 124.93.214.0/23 (path: 2914 4837 65501 ) 135.84.176.0/22 (path: 2914 13768 54527 ) contains: 135.84.177.0/24 (path: 2914 6327 54527 63213 65002 ) 152.176.0.0/12 (path: 2914 701 ) contains: 152.178.135.0/24 (path: 2914 701 64512 ) 154.72.52.0/23 (path: 2914 174 327797 ) contains: 154.72.52.0/24 (path: 2914 174 327797 65502 ) 157.254.228.0/22 (path: 2914 174 7332 11648 ) contains: 157.254.229.0/24 (path: 2914 4755 65805 ) 167.219.60.0/23 (path: 2914 703 30337 30337 30337 30337 30337 30337 30337 30337 30337 30337 30337 ) contains: 167.219.60.0/24 (path: 2914 4755 30337 65001 ) 173.231.64.0/19 (path: 2914 174 26801 19159 ) contains: 173.231.76.0/24 (path: 2914 174 26801 19159 19159 64573 ) 174.35.0.0/17 (path: 2914 3257 36408 ) contains: 174.35.0.0/24 (path: 2914 14265 65204 ) 178.60.192.0/18 (path: 2914 174 12334 ) contains: 178.60.197.0/24 (path: 2914 174 12334 199949 64555 ) 185.66.84.0/22 (path: 2914 9002 9049 201706 ) contains: 185.66.86.0/24 (path: 2914 9002 9049 201706 65555 ) 188.247.64.0/19 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) contains: 188.247.72.0/21 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) 188.65.28.0/23 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 ) contains: 188.65.28.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 188.65.29.0/24 (path: 2914 9498 8529 8529 8529 8529 8529 8529 8529 8529 28885 65535 15679 15679 ) 190.131.192.0/18 (path: 2914 23520 ) contains: 190.131.193.0/24 (path: 2914 23520 262191 65499 ) 190.131.198.0/24 (path: 2914 23520 262191 65475 ) 190.68.128.0/19 (path: 2914 12956 3816 ) contains: 190.68.130.0/24 (path: 2914 12956 3816 3816 3816 3816 3816 65329 3816 ) 194.204.192.0/18 (path: 2914 12956 6713 ) contains: 194.204.217.0/24 (path: 2914 174 6713 6713 6713 6713 6713 6713 6713 36956 65375 ) 194.70.0.0/16 (path: 2914 1273 2529 ) contains: 194.70.246.0/24 (path: 2914 1273 65539 ) 195.135.240.0/22 (path: 2914 12389 21453 49893 50802 65001 ) contains: 195.135.240.0/23 (path: 2914 12389 21453 49893 50802 65001 ) 195.135.242.0/23 (path: 2914 12389 21453 49893 50802 65001 ) 195.46.128.0/19 (path: 2914 8928 15924 ) contains: 195.46.147.0/24 (path: 2914 8928 15924 65121 ) 195.87.0.0/16 (path: 2914 8928 15924 8386 ) contains: 195.87.13.0/24 (path: 2914 8928 15924 8386 65412 ) 195.87.42.0/24 (path: 2914 8928 15924 64512 ) 199.204.224.0/22 (path: 2914 3356 4323 40059 ) contains: 199.204.224.0/24 (path: 2914 2828 6181 40059 65433 ) 199.45.32.0/19 (path: 2914 701 ) contains: 199.45.53.0/24 (path: 2914 701 65403 ) 199.45.54.0/24 (path: 2914 701 65403 ) 2001:578::/30 (path: 2914 22773 ) contains: 2001:57a:eff1::/48 (path: 2914 22773 64517 ) 204.76.144.0/21 (path: 2914 2828 6128 63254 ) contains: 204.76.148.0/22 (path: 2914 174 46887 63254 64512 ) 205.177.0.0/16 (path: 2914 3491 ) contains: 205.177.67.0/24 (path: 2914 3491 65536 ) 205.177.68.0/24 (path: 2914 3491 65536 ) 206.154.0.0/19 (path: 2914 209 17402 ) contains: 206.154.0.0/20 (path: 2914 209 4200000006 ) 207.245.64.0/18 (path: 2914 3491 6372 ) contains: 207.245.119.0/24 (path: 2914 2828 6372 65006 ) 207.250.0.0/16 (path: 2914 3356 4323 ) contains: 207.250.99.0/24 (path: 2914 17054 13492 64600 ) 208.78.104.0/21 (path: 2914 2828 13703 22626 64512 ) contains: 208.78.111.0/24 (path: 2914 22626 64512 ) 208.97.0.0/19 (path: 2914 174 31877 ) contains: 208.97.12.0/22 (path: 2914 40111 40111 65003 ) 208.97.19.0/24 (path: 2914 174 31877 65004 ) 212.139.0.0/16 (path: 2914 13285 13285 13285 13285 13285 13285 13285 9105 ) contains: 212.139.133.0/24 (path: 2914 6453 13285 65160 ) 212.15.0.0/19 (path: 2914 8928 15924 ) contains: 212.15.5.0/24 (path: 2914 8928 15924 65077 ) 212.154.128.0/17 (path: 2914 12389 9198 50482 ) contains: 212.154.167.0/24 (path: 2914 12389 9198 50482 64605 ) 212.154.205.0/24 (path: 2914 12389 9198 50482 64605 ) 212.26.224.0/19 (path: 2914 12389 12730 ) contains: 212.26.238.0/24 (path: 2914 12389 12730 65001 ) 213.160.128.0/19 (path: 2914 702 3252 12963 ) contains: 213.160.148.0/24 (path: 2914 702 3252 12963 64564 ) 213.52.192.0/18 (path: 2914 15830 ) contains: 213.52.252.0/22 (path: 2914 15830 65501 39882 ) 217.20.32.0/20 (path: 2914 15830 ) contains: 217.20.41.0/24 (path: 2914 15830 65501 39882 ) 221.200.0.0/14 (path: 2914 4837 4837 ) contains: 221.203.248.0/22 (path: 2914 4837 64920 ) 221.203.252.0/22 (path: 2914 4837 64920 ) 221.203.244.0/23 (path: 2914 4837 64920 ) 221.203.246.0/23 (path: 2914 4837 64920 ) 27.248.0.0/14 (path: 2914 9498 10201 10201 10201 10201 10201 10201 ) contains: 27.248.64.0/18 (path: 2914 9498 10201 65500 ) 27.248.128.0/19 (path: 2914 9498 10201 65500 ) 27.248.96.0/19 (path: 2914 9498 10201 65500 ) 37.1.240.0/20 (path: 2914 6461 8218 48072 ) contains: 37.1.241.0/24 (path: 2914 1299 29075 48072 31167 65623 ) 37.1.250.0/23 (path: 2914 6461 8218 48072 48072 65623 31167 ) 37.142.0.0/16 (path: 2914 174 12849 ) contains: 37.142.0.0/17 (path: 2914 174 12849 12849 21450 65024 65500 ) 37.235.32.0/21 (path: 2914 8928 12715 43160 ) contains: 37.235.36.0/24 (path: 2914 174 43160 65501 ) 37.26.104.0/21 (path: 2914 39326 52148 ) contains: 37.26.105.0/24 (path: 2914 34555 64522 ) 38.0.0.0/8 (path: 2914 174 ) contains: 38.88.85.0/24 (path: 2914 174 393544 64532 ) 41.89.0.0/16 (path: 2914 30844 36914 ) contains: 41.89.7.0/24 (path: 2914 6762 37219 36866 36866 36866 65412 ) 46.151.104.0/21 (path: 2914 12389 21453 49893 50802 65001 ) contains: 46.151.104.0/22 (path: 2914 12389 21453 49893 50802 65001 ) 46.151.108.0/22 (path: 2914 12389 21453 49893 50802 65001 ) 60.16.0.0/13 (path: 2914 4837 4837 ) contains: 60.23.240.0/21 (path: 2914 4837 64920 ) 60.23.248.0/21 (path: 2914 4837 64920 ) 60.23.248.0/24 (path: 2914 4837 65501 ) 60.23.249.0/24 (path: 2914 4837 65501 ) 60.23.246.0/24 (path: 2914 4837 65501 ) 60.23.247.0/24 (path: 2914 4837 65501 ) 64.27.240.0/20 (path: 2914 209 16931 ) contains: 64.27.253.0/24 (path: 2914 1273 65538 ) 64.72.224.0/19 (path: 2914 6327 6407 6407 ) contains: 64.72.224.0/24 (path: 2914 812 812 812 4264800033 ) 64.72.226.0/24 (path: 2914 812 812 812 4264800033 ) 64.72.227.0/24 (path: 2914 812 812 812 4264800033 ) 64.83.64.0/20 (path: 2914 7029 ) contains: 64.83.78.0/24 (path: 2914 7029 1785 65233 ) 66.110.192.0/19 (path: 2914 174 31877 ) contains: 66.110.220.0/24 (path: 2914 40111 40111 65003 ) 66.110.218.0/24 (path: 2914 40111 40111 65003 ) 66.110.219.0/24 (path: 2914 40111 40111 65003 ) 66.134.0.0/16 (path: 2914 2828 18566 ) contains: 66.134.62.0/24 (path: 2914 2828 18566 65505 ) 66.134.72.0/24 (path: 2914 2828 18566 65505 ) 66.134.75.0/24 (path: 2914 2828 18566 65505 ) 66.194.0.0/16 (path: 2914 3356 4323 ) contains: 66.194.233.0/24 (path: 2914 174 36188 65009 ) 67.100.0.0/14 (path: 2914 2828 18566 ) contains: 67.103.100.0/23 (path: 2914 2828 18566 65505 ) 67.100.42.0/24 (path: 2914 2828 18566 65515 ) 67.206.64.0/19 (path: 2914 2828 16399 26895 ) contains: 67.206.84.0/24 (path: 2914 2828 16399 26895 64533 64533 64533 64533 64533 64533 64533 ) 69.10.192.0/19 (path: 2914 11404 18530 18530 30170 20394 ) contains: 69.10.192.0/20 (path: 2914 20394 65503 65530 ) 69.166.128.0/19 (path: 2914 7029 7349 ) contains: 69.166.142.0/24 (path: 2914 7029 7349 64900 ) 70.128.0.0/12 (path: 2914 7018 ) contains: 70.134.46.0/24 (path: 2914 14265 46926 65001 46926 46926 46926 46926 46926 46926 46926 46926 ) 71.252.0.0/17 (path: 2914 701 ) contains: 71.252.67.0/24 (path: 2914 701 64512 ) 72.15.144.0/20 (path: 2914 812 812 812 ) contains: 72.15.149.0/24 (path: 2914 6461 15290 19835 812 812 812 812 4264800030 ) 74.213.144.0/20 (path: 2914 7029 7349 ) contains: 74.213.146.0/24 (path: 2914 7029 7349 64900 ) 79.139.72.0/21 (path: 2914 174 24709 29232 ) contains: 79.139.76.0/24 (path: 2914 174 24709 29232 65007 ) 79.139.77.0/24 (path: 2914 174 24709 29232 65008 ) 79.172.0.0/18 (path: 2914 174 5563 ) contains: 79.172.48.0/24 (path: 2914 9002 5563 65300 5563 ) 79.172.7.0/24 (path: 2914 9002 5563 65300 5563 ) 79.172.16.0/21 (path: 2914 9002 5563 65300 5563 ) 8.0.0.0/8 (path: 2914 3356 ) contains: 8.41.195.0/24 (path: 2914 13789 13789 13789 13789 30372 65603 ) 80.90.160.0/20 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) contains: 80.90.160.0/21 (path: 2914 3257 48832 48832 48832 48832 48832 48832 48832 48832 48832 48832 65545 ) 82.113.96.0/19 (path: 2914 6805 39706 ) contains: 82.113.112.0/23 (path: 2914 6805 39706 65002 ) 82.113.124.0/22 (path: 2914 6805 39706 65004 ) 84.44.0.0/17 (path: 2914 8928 15924 ) contains: 84.44.37.0/24 (path: 2914 8928 15924 65121 ) 86.51.0.0/16 (path: 2914 3257 48237 35819 ) contains: 86.51.177.0/24 (path: 2914 3356 48237 35819 65557 ) 91.229.96.0/22 (path: 2914 12389 25549 56957 56957 56957 56957 56957 ) contains: 91.229.99.0/24 (path: 2914 12389 25549 56957 56957 56957 56957 56957 65157 ) 91.230.232.0/24 (path: 2914 31313 48338 ) contains: 91.230.232.128/27 (path: 2914 31313 48338 65534 ) 92.240.218.0/23 (path: 2914 9002 39735 ) contains: 92.240.218.0/24 (path: 2914 9002 39735 65001 ) 92.240.219.0/24 (path: 2914 9002 39735 65001 ) 92.245.128.0/19 (path: 2914 6461 8218 48072 ) contains: 92.245.153.0/24 (path: 2914 1299 29075 48072 48072 65623 31167 ) 92.245.154.0/23 (path: 2914 1299 29075 48072 48072 65623 31167 ) 92.245.146.0/24 (path: 2914 174 48072 31167 65623 ) 92.245.148.0/24 (path: 2914 174 48072 31167 65623 ) 92.245.141.0/24 (path: 2914 1299 29075 48072 48072 65623 31167 ) 92.245.128.0/24 (path: 2914 174 48072 31167 65623 ) 92.245.134.0/24 (path: 2914 6461 8218 48072 48072 65623 31167 ) 92.245.135.0/24 (path: 2914 6461 8218 48072 48072 65623 31167 ) 93.170.0.0/15 (path: 2914 3257 50245 44546 ) contains: 93.171.227.0/24 (path: 2914 12389 34205 34205 65001 61014 ) 94.103.16.0/20 (path: 2914 47886 ) contains: 94.103.25.0/24 (path: 2914 174 36180 64842 ) 94.247.224.0/21 (path: 2914 702 3252 12963 ) contains: 94.247.231.0/24 (path: 2914 702 3252 12963 64564 )
Hi all, a quick update from the DE-CIX side: we see in total 25 routes containing bogon ASNs at all the route servers at all DE-CIX IXPs (so far we just filtered the private ASN space). We directly contacted the customers sending the routes to inform them about the upcoming change in filtering. Best regards, Thomas
On 08 Jun 2016, at 15:56, Michael Hare <michael.hare@wisc.edu> wrote:
I'm not against the theory of what is being proposed, but I was surprised to see little discussion of this announcement on list.
Upon examination on my view of the DFZ from AS3128 I see over 400 upstream routes falling into this category, mostly in the 64512 - 65534 range. Based on our flow bandwidth stats we chose to reach out to several origin ASN, two fairly well known, as a courtesy.
For the *TT's who are planning on implementing shortly, have you went through a similar diagnostic effort and what might you share or report on such endeavors?
-Michael
participants (8)
-
Adam Davenport -
Arnold Nipper -
Jay Borkenhagen -
Job Snijders -
Job Snijders -
Mark Tinka -
Michael Hare -
Thomas King