nanog mailing list archives

Re: BCP38.info


From: Jared Mauch <jared () puck nether net>
Date: Tue, 28 Jan 2014 14:58:33 -0500


On Jan 28, 2014, at 2:46 PM, David Miller <dmiller () tiggee com> wrote:
On 1/28/2014 2:16 PM, Jared Mauch wrote:

On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks () vt edu wrote:

On Tue, 28 Jan 2014 08:06:31 -0500, Jared Mauch said:

52731 ASN7922

It includes IP addresses where you send a DNS packet to one address and another IP address responds to the query, e.g.:

The data only includes those where the “source-ASN” and “dest-asn” of these packets don’t match.

Hang on Jared, I'm trying to wrap my head around this.  You're saying that
AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
you get an answer back from *an entirely different ASN*? How the heck does
*that* happen?

Yup.

Jared,

What you detected is a misconfiguration of devices on those networks,
but that misconfiguration (in and of itself) is not necessarily what is
commonly referred to as "IP spoofing" in the context of BCP38.

You have *not* "shown" that these ASNs "allow IP spoofing".  You have
collected one data point that indicates the mere possibility that these
ASNs allow IP spoofing.

In the example that you provided, you sent a DNS query to a Pacenet
(India) IP and received a response from a Vodafone (India) IP address.
The IP from which you received the invalid response is an open resolver
(bad thing).  It is completely plausible that whatever device is being
queried has interfaces on both networks.

To have "shown" that this ASN "allows IP spoofing" you must have
demonstrated that this response packet, sourced from a Vodafone IP,
entered the "Internet" from a Pacenet router interface.  Unless I am
missing something here, you haven't come close to showing that.

No, I've shown that I send a packet to an IP address and it forwards a packet with *my* source address to a 3rd IP
address (the configured DNS server).

That DNS server is what responds to me.

The 101.0.37.11 IP is allowed to spoof my IP address.

Feel free to look at the other 261k lines in that file and let me know where I'm wrong.  These are only the ones where 
the Cymru IP <-> ASN mapping service shows them in a *different* ASN, I have many others of these.  Go ahead and search 
for 8.8.8.8 or 4.2.2.1 and similar at the website and look at these.  You may find one in your network.

If you compare this to the MIT spoofer project, they had ~18k samples from opt-in.  This here could (in theory) be a
larger dataset and generated by this indirect measurement.  Since I have about a year's worth of this data and have worked
with others on researching some of these broken CPE behaviors with ISPs, the CPE vendors and others, I'm fairly
confident in these results.

Happy to continue the discussion here either on-list or off-list and in private with any networks trying to understand 
what is happening.

I would love to hear from CPE vendors as well, but I've been doing a lot of other stuff so this isn't my primary focus.

- Jared
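As an added illustration (not code from the thread, and not Jared's measurement tooling): a small Python model of the exchange described above, a CPE that relays a DNS query to its configured upstream resolver either re-sourcing it from its own address or leaving the prober's source address intact, followed by the IP-to-ASN comparison that decides whether a reply counts as "responder in a different ASN". The prefix table, AS numbers and addresses are constructed from RFC 5737 documentation space and private-use ASNs; they are not real assignments and are not Team Cymru data. The longest-prefix lookup stands in for the Cymru mapping service.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for an IP-to-ASN mapping service such as Team Cymru's.
# RFC 5737 documentation prefixes and private-use AS numbers; not real data.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,       # network of the probed CPE
    "198.51.100.0/24": 64497,    # network of the CPE's configured upstream resolver
    "198.51.100.128/25": 64499,  # more-specific route; exercises longest-prefix match
    "203.0.113.0/24": 64498,     # network the probe is sent from
}


def build_table(prefix_map):
    """Sort prefixes most-specific first so the first hit is the longest match."""
    entries = [(ipaddress.ip_network(p), asn) for p, asn in prefix_map.items()]
    return sorted(entries, key=lambda e: e[0].prefixlen, reverse=True)


def ip_to_asn(table, ip):
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None  # unknown/unrouted: "can't say", handled by the caller


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "query" or "reply"


def cpe_relay(query, cpe_ip, upstream_ip, rewrite_source):
    """Model a CPE relaying a DNS query it received to its configured resolver.

    A sane relay re-sources the forwarded query from its own address, so the
    upstream answer comes back to the CPE.  The broken behaviour in the thread
    forwards the query with the *original* source address intact: that
    forwarded packet is a spoofed packet leaving the CPE's network.
    """
    assert query.dst == cpe_ip and query.kind == "query"
    src = cpe_ip if rewrite_source else query.src
    return Packet(src, upstream_ip, "query")


def resolver_answer(query):
    """The upstream resolver answers whoever the query claims to be from."""
    return Packet(query.dst, query.src, "reply")


def probe(prober_ip, cpe_ip, upstream_ip, rewrite_source):
    """Run the exchange end to end; return the reply as the prober sees it."""
    fwd = cpe_relay(Packet(prober_ip, cpe_ip, "query"), cpe_ip, upstream_ip, rewrite_source)
    reply = resolver_answer(fwd)
    if reply.dst == cpe_ip:
        # Well-behaved relay: the answer came back to the CPE, which hands it
        # to the original asker from its own address.
        reply = Packet(cpe_ip, prober_ip, "reply")
    return reply


def classify(table, queried_ip, reply):
    """Compare where the query went with where the reply came from.

    'ok'         reply came from the address we queried
    'other-ip'   different address, same ASN (multi-homed box or the same
                 network; the thread's published list excludes these)
    'other-asn'  different address in a different ASN: the first hop let a
                 packet carrying our source address out of its network
    """
    q_asn = ip_to_asn(table, queried_ip)
    r_asn = ip_to_asn(table, reply.src)
    if reply.src == queried_ip:
        return ("ok", q_asn, r_asn)
    if q_asn is not None and q_asn == r_asn:
        return ("other-ip", q_asn, r_asn)
    return ("other-asn", q_asn, r_asn)


def run_samples():
    """Probe one constructed CPE twice: once sane, once with the broken relay."""
    table = build_table(PREFIX_TO_ASN)
    prober, cpe, upstream = "203.0.113.7", "192.0.2.10", "198.51.100.5"
    results = {}
    for label, rewrite in (("sane-cpe", True), ("broken-cpe", False)):
        reply = probe(prober, cpe, upstream, rewrite)
        results[label] = (reply.src, classify(table, cpe, reply))
    return results


if __name__ == "__main__":
    for label, (src, verdict) in run_samples().items():
        print(f"{label:10s} reply from {src:15s} -> {verdict}")
```

The 'other-ip' branch is the caveat raised earlier in the thread: a reply from a different address in the same ASN says nothing about whether the source address crossed an ASN boundary, which is why the published list keeps only the cases where the two ASNs differ.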
