nanog mailing list archives
Re: AS4134/AS4847 - Appear to be hijacking some ip space.
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Fri, 5 Apr 2019 14:16:36 -0400
On Fri, Apr 5, 2019 at 12:29 PM Jay Borkenhagen <jayb () att com> wrote:
Hi Chris,
yes!
It would be great if the Google Fiber / AS16591 folks could publish a ROA in ARIN's hosted RPKI authorizing exactly 136.32.0.0/11 to be originated only in AS16591. That ROA would have addressed this matter from AS7018's point of view.
ok, cool. This is sort of on my plate, at least from the internal viz/evangelizing perspective, and I'll go spend time chatting up the folk in fiber-land. having a: "See, doing this would prevent this" is helpful.
In the interim, I have added a temporary whitelist (slurm) entry into our RPKI caches, causing the AS7018 network to disregard the more-specific /24s under 136.32.0.0/11.
thanks!
Good luck.
Jay B.
Christopher Morrow writes:
> Howdy gentle folks:
>
> It looks like AS4847 - "China Networks Inter-Exchange"
>
> Is taking some time to announce reachability for at least:
> 136.38.33.0/24
>
> which they ought not, given that this /24 is part of a /11 assigned to
> AS16591 (google fiber)... Looking at routeviews data, I see the
> following as-paths for this one /24:
> $ grep -A1 Refresh /tmp/x | grep 4847
> 1239 174 4134 4847
> 3549 3356 174 4134 4847
> 701 174 4134 4847
> 4901 6079 3257 4134 4847
> 20912 174 4134 4847
> 1221 4637 4134 4847
> 1351 11164 4134 4847
> 6079 1299 4134 4847
> 6079 3257 4134 4847
> 7018 4134 4847
> 6939 1299 4134 4847
> 3561 209 4134 4847
> 3303 4134 4847
> 3277 39710 9002 4134 4847
> 2497 4134 4847
> 4826 1299 4134 4847
> 54728 20130 23352 2914 4134 4847
> 19214 3257 4134 4847
> 101 101 11164 4134 4847
> 1403 6453 4134 4847
> 852 6453 4134 4847
> 1403 6453 4134 4847
> 286 4134 4847
> 3333 1273 4134 4847
> 57866 3491 4134 4847
> 3267 1299 4134 4847
> 49788 174 4134 4847
> 53767 3257 4134 4847
> 53364 3257 4134 4847
> 8283 57866 3491 4134 4847
> 7660 2516 4134 4847
>
> >From that I think the following AS should have filtered this prefix and are not:
> $ grep -A1 Refresh /tmp/x | grep 4847 | sed 's/ 4134 4847//' | awk
> '{print $NF}' | sort -n | uniq
>
> 174 - Cogent
> 209 - Qwest
> 286 - KPN
> 1273 - Vodafone
> 1299 - Telia
> 2497 - IIJ
> 2516 - KDDI
> 2914 - NTT
> 3257 - GTT
> 3303 - Swisscom
> 3491 - PCCW
> 4637 - Telstra
> 6453 - TATA
> 7018 - ATT
> 9002 - RETN
> 11164 - Internet2
>
> It'd be great if the listed folk could filter AS4134 :)
>
> -Chris
Current thread:
- AS4134/AS4847 - Appear to be hijacking some ip space. Christopher Morrow (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Jay Borkenhagen (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Christopher Morrow (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Louie Lee via NANOG (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Christopher Morrow (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Pierfrancesco Caci (Apr 05)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Christopher Morrow (Apr 06)
- Re: AS4134/AS4847 - Appear to be hijacking some ip space. Jay Borkenhagen (Apr 05)