Re: look for BGP routes containing local AS#

[Patrick Tracanelli <eksffa () freebsdbrasil com br>]

> On 28/01/2015, at 07:32, Song Li <refresh.lsong () gmail com> wrote:
>
> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be droped. However, such routes can still be displayed 
> on router. For example, you can run "show route hidden terse aspath-regex .*<local ASN>.*" on Juniper to check them. 
> We are looking for those routes. If you can run the command on your Juniper and find such routes, could you please 
> provider them for us?

Sorry, what do you need exactly? A sample? For education purposes are you looking for something specific?
You need it to be on Juniper router or other BGP software will do?

I have this scenario from Brazil-US, with specifics getting received both ways but it’s not Juniper.



> Thanks!
>
> Regards!
>
> Song
>
> 在 2015/1/28 16:23, joel jaeggli 写道:
> > On 1/27/15 5:45 AM, Song Li wrote:
> > > Hi everyone,
> > >
> > > Recently I studied the BGP AS path looping problem, and found that in
> > > most cases, the received BGP routes containing local AS# are suspicious.
> > > However, we checked our BGP routing table (AS23910,CERNET2) on juniper
> > > router(show route hidden terse aspath-regex .*23910.* ), and have not
> > > found such routes in Adj-RIB-In.
> >
> > Updates with your AS in the path are discarded as part of loop
> > detection, e.g. they do not become candidate routes.
> >
> > https://tools.ietf.org/html/rfc4271 page 77
> >
> >  If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
> >  route should be excluded from the Phase 2 decision function.  AS loop
> >  detection is done by scanning the full AS path (as specified in the
> >  AS_PATH attribute), and checking that the autonomous system number of
> >  the local system does not appear in the AS path.  Operations of a BGP
> >  speaker that is configured to accept routes with its own autonomous
> >  system number in the AS path are outside the scope of this document.
> >
> > in junos
> >
> > neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
> >
> > where number is the number of instances of your AS in the path you're
> > willing to accept will correct that.
> >
> > > We believe that the received BGP routes containing local AS# are related
> > > to BGP security problem.
> >
> > You'll have to elaborate, since their existence is a basic principle in
> > the operation of bgp and they are ubiquitous.
> >
> > Island instances of a distributed ASN communicate with each other by
> > allowing such routes in so that they can be evaluated one the basis of
> > prefix, specificity, AS path length and so forth.
> >
> > > Hence, we want to look for some real cases in
> > > the wild. Could anybody give us some examples of such routes?
> > >
> > > Thanks!
> > >
> > > Best Regards!
>
>
> -- 
> Song Li
> Room 4-204, FIT Building,
> Network Security,
> Department of Electronic Engineering,
> Tsinghua University, Beijing 100084, China
> Tel:( +86) 010-62446440
> E-mail: refresh.lsong () gmail com

--
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 () sip freebsdbrasil com br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"