nanog mailing list archives
Re: BCP38.info
From: Stephen Frost <sfrost () snowman net>
Date: Tue, 28 Jan 2014 14:56:15 -0500
David,

* David Miller (dmiller () tiggee com) wrote:
> > On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks () vt edu wrote:
> > > Hang on Jared, I'm trying to wrap my head around this. You're saying that AS7922 has over 50K IP addresses which, if you send a DNS query to that IP, you get an answer back from *an entirely different ASN*? How the heck does *that* happen?
> >
> > Yup.
>
> What you detected is a misconfiguration of devices on those networks, but that misconfiguration (in and of itself) is not necessarily what is commonly referred to as "IP spoofing" in the context of BCP38. You have *not* "shown" that these ASNs "allow IP spoofing". You have collected one data point that indicates the mere possibility that these ASNs allow IP spoofing.

Sounds like he's got about 50k such data points, in some cases.

> In the example that you provided, you sent a DNS query to a Pacenet (India) IP and received a response from a Vodafone (India) IP address. The IP from which you received the invalid response is an open resolver (bad thing). It is completely plausible that whatever device is being queried has interfaces on both networks.

If it was only one (and for those ASNs where it *is* only one, or even a few, IPs) then I'd tend to agree with you, however...

> To have "shown" that this ASN "allows IP spoofing" you must have demonstrated that this response packet, sourced from a Vodafone IP, entered the "Internet" from a Pacenet router interface. Unless I am missing something here, you haven't come close to showing that.

We're talking about 50,000 distinct IPs which are doing this in some cases. It strikes me as at least pretty unlikely that all 50,000 devices (or 25,000 or 10,000 or what-have-you, if you want to consider that some devices might have multiple IPs) out there have multiple interfaces which cross ASN boundaries. Sure sounds to me like *someone* out there has some serious issues to deal with, and the rest of us are paying the price of their inaction.

Thanks,

Stephen
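As an added example (not part of the original post, and not the tooling anyone in this thread used): the tally under discussion, counting per queried ASN how many distinct probed IPs returned a DNS answer from an address originated by a different ASN. The prefix table, ASNs and probe log are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-origin-ASN table (documentation prefixes and ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64498,
    "203.0.113.128/25": 64499,  # more-specific prefix with a different origin
}
# Longest prefixes first, so the first hit is the longest-prefix match.
_TABLE = sorted(
    ((ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)

def origin_asn(ip):
    """Return the origin ASN of the longest covering prefix, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in _TABLE:
        if addr in net:
            return asn
    return None

# Constructed probe log: (IP the DNS query was sent to, source IP of the answer).
PROBES = [
    ("192.0.2.10", "192.0.2.10"),      # answer from the queried IP
    ("192.0.2.11", "198.51.100.7"),    # answer from another ASN
    ("192.0.2.12", "198.51.100.7"),
    ("192.0.2.12", "198.51.100.7"),    # repeat probe, must not double count
    ("192.0.2.13", "192.0.2.200"),     # different IP, same ASN
    ("203.0.113.5", "203.0.113.130"),  # same /24, but the /25 has another origin
    ("198.51.100.9", "10.0.0.1"),      # source not in the table
]

def cross_asn_summary(probes):
    """Return ({queried ASN: {answering ASN: distinct queried IPs}}, unmapped)."""
    mismatches = defaultdict(lambda: defaultdict(set))
    unmapped = []
    for target, source in probes:
        t_asn, s_asn = origin_asn(target), origin_asn(source)
        if t_asn is None or s_asn is None:
            unmapped.append((target, source))  # cannot attribute, keep aside
        elif t_asn != s_asn:
            mismatches[t_asn][s_asn].add(target)
    counts = {t: {s: len(ips) for s, ips in by_src.items()}
              for t, by_src in mismatches.items()}
    return counts, unmapped
```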