nanog mailing list archives

Re: BCP38.info

From: Stephen Frost <sfrost () snowman net>
Date: Tue, 28 Jan 2014 14:56:15 -0500

David,

* David Miller (dmiller () tiggee com) wrote:

On Jan 28, 2014, at 1:50 PM, Valdis.Kletnieks () vt edu wrote:

Hang on Jared, I'm trying to wrap my head around this.  You're saying that
AS7922 has over 50K IP addresses which, if you send a DNS query to that IP,
you get an answer back from *an entirely different ASN*? How the heck does
*that* happen?


Yup.


What you detected is a misconfiguration of devices on those networks,
but that misconfiguration (in and of itself) is not necessarily what is
commonly referred to as "IP spoofing" in the context of BCP38.

You have *not* "shown" that these ASNs "allow IP spoofing".  You have
collected one data point that indicates the mere possibility that these
ASNs allow IP spoofing.


Sounds like he's got about 50k such data points, in some cases.

In the example that you provided, you sent a DNS query to a Pacenet
(India) IP and received a response from a Vodafone (India) IP address.
The IP from which you received the invalid response is an open resolver
(bad thing).  It is completely plausible that whatever device is being
queried has interfaces on both networks.


If it was only one (and for those ASNs where it *is* only one, or even a
few, IPs) then I'd tend to agree with you, however...

To have "shown" that this ASN "allows IP spoofing" you must have
demonstrated that this response packet, sourced from a Vodafone IP,
entered the "Internet" from a Pacenet router interface.  Unless I am
missing something here, you haven't come close to showing that.


We're talking about 50,000 distinct IPs which are doing this in some
cases.  It strikes me as at least pretty unlikely that all 50,000
devices (or 25,000 or 10,000 or what-have-you, if you want to consider
that some devices might have multiple IPs) out there have multiple
interfaces which cross ASN boundaries.  Sure sounds to me like
*someone* out there has some serious issues to deal with, and the rest
of us are paying the price of their inaction.

        Thanks,

                Stephen

Attachment: signature.asc
Description: Digital signature

Current thread:

BCP38.info Jay Ashworth (Jan 25)
- Re: BCP38.info Chris Grundemann (Jan 25)
  - Re: BCP38.info Tony Tauber (Jan 25)
  - Re: BCP38.info Jay Ashworth (Jan 26)
    - Re: BCP38.info Jared Mauch (Jan 28)
    - Re: BCP38.info TGLASSEY (Jan 28)
    - Re: BCP38.info Valdis . Kletnieks (Jan 28)
    - Re: BCP38.info Jared Mauch (Jan 28)
    - Re: BCP38.info David Miller (Jan 28)
    - Re: BCP38.info Stephen Frost (Jan 28)
    - Re: BCP38.info Jared Mauch (Jan 28)
    - Re: BCP38.info Jared Mauch (Jan 28)
- <Possible follow-ups>
- Re: BCP38.info Nick Olsen (Jan 28)
  - Re: BCP38.info Jared Mauch (Jan 28)
    - Re: BCP38.info Andrei Robachevsky (Jan 29)
- Re: BCP38.info Nick Olsen (Jan 28)
  - Re: BCP38.info Jared Mauch (Jan 28)
    - Re: BCP38.info Mark Andrews (Jan 28)
    - Re: BCP38.info Andrei Robachevsky (Jan 29)
  - Re: BCP38.info TGLASSEY (Jan 28)

(Thread continues...)