Hi Sriram,

Thank you so much for the information, it was very helpful and interesting!

As a fan of the BGP protocol, I particularly like seeing Internet routes carry various community attribute information as they propagate, which gives us the opportunity to see some of the details of the actual operation of the Internet rather than just a big black box. In particular, AS3356 carries various rich community attributes (some identify business relationships, some identify geographic information, and so on). It gives us the opportunity to learn about the mysterious Internet.

For security reasons, many ISPs delete received community attributes at their ingress border and then tag their own community attributes, which are deleted at the egress border of that ISP, and these ISPs seem to be a tight black box.

By default, some BGP software does not send community attributes to its neighbors. Instead, a knob needs to be explicitly enabled before sending community attributes. In addition, much software inherits the community attribute behavior when implementing Large Community. As a result, contrary to our expectations, large communities may not be widely spread on the Internet.

Looking forward to more interesting output from your research work!

Regards,
Shunwan

-----Original Message-----
From: Sriram, Kotikalapudi (Fed) [mailto:[email protected]]
Sent: Friday, August 13, 2021 1:07 AM
To: Zhuangshunwan <[email protected]>
Cc: GROW WG <[email protected]>; IDR <[email protected]>
Subject: Re: some questions from {RC, LC, EC} analysis presentation in GROW

Hi Shunwan,

>Thanks for your great job! Your work has given me a very in-depth
>understanding of the propagation behavior of BGP community attributes on the
>Internet.

Glad to hear that. I share the compliments with my colleague Lilia Hannachi.

>Regarding "Total # Unique {Prefix, RC = 3356:9999} ; 28", why is the number
>only 28? It may be that the mask of black hole routes is usually greater than
>24 (for IPv4 prefixes), preventing such routes from spreading widely on the
>Internet?

The routes with Blackhole community 3356:9999 or (more generally) ASN:666 (where ASN is not 3356, 5511, or 2603) should be short-lived. The AS providing the corresponding RTBH service should clean up those Blackhole routes from the RIBs after the DDoS mitigation is done. See additional explanations below.

>If the answer to the above question is "yes", then if other communities
>"ASN:666" are widespread in the wild, then such "ASN:666" may not be a black
>hole community attribute too? As far as I know, the other two examples are
>263:666 and 5511:666.

Since you mentioned that 5511 and 2603 also do not use ASN:666 for Blackhole, we were able to confirm the same and measured the following:

RIB data (RouteViews3, 2021-07-15.0000):

    # Unique {Prefix, RC = 65535:666} = 221
    # Unique {Prefix, RC = 3356:666} = 509900
    # Unique {Prefix, RC = 5511:666} = 15157
    # Unique {Prefix, RC = 2603:666} = 0
      (this zero is based on Routeviews3 RIB, but we do see a substantial # 2603:666 in RIPE-RIS BGP Updates since AS 2603 is located in Europe!)
    # Unique {Prefix, RC = ASN:666} where ASN is NOT equal to 3356, 2603, or 5511 = 4638

So, when we eliminate prefixes with 3356:666, 5511:666, or 2603:666, the remaining prefixes with ASN:666 (presumed Blackhole) are much fewer (= 4638). This is a good thing. Not too many Blackhole ASN:666 should be seen propagating on the Internet because of three reasons:

(1) They should propagate typically only one or two hops and then they should be prevented from propagating further by the corresponding AS providing RTBH service;
(2) (as you said) they also do not propagate because often their route mask (prefix length) is greater than 24 (IPv4) or 48 (IPv6); and
(3) the AS providing the RTBH service should clean up the Blackhole communities from its RIBs after the DDoS attack is mitigated.

So, at any given time there should not be too many routes with Blackhole communities in the RIB. As the above data shows, after eliminating just the three ASNs that you pointed out the remaining presumed Blackhole ASN:666 are already much fewer.

I think you'll find the following measurements about observed prefix lengths interesting as well:

Frequency distribution of IPv4 prefix lengths in the set of Unique {Prefix, RC = ASN:666} where ASN is NOT equal to 3356, 2603, or 5511:

    12 ; 2
    14 ; 8
    15 ; 5
    16 ; 40
    17 ; 12
    18 ; 9
    19 ; 34
    20 ; 58
    21 ; 80
    22 ; 262
    23 ; 275
    24 ; 2185
    30 ; 4
    32 ; 1641

Most of the mass is at /24 and /32 (in the above), possibly indicative of genuine use as ASN:666 Blackhole communities.

Frequency distribution of IPv6 prefix lengths in the set of Unique {Prefix, RC = ASN:666} where ASN is NOT equal to 3356, 2603, or 5511:

    25 ; 1
    32 ; 7
    36 ; 1
    44 ; 1
    48 ; 12
    128 ; 1

In the above IPv4/IPv6 distribution data, some prefixes with large prefix lengths made it to the collector, but most such prefixes were likely not propagated (correctly so).

Please let me know if you find other ASNs for which ASN:666 is not Blackhole.

Thanks.
Sriram
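
Added example (not part of the thread and not the authors' measurement code): a sketch of the count described above, unique {prefix, ASN:666} pairs with 3356, 5511 and 2603 excluded, followed by the prefix-length distribution over the unique prefixes. The `prefix|communities` record layout, the sample records and the function names are assumptions made for the example.

```python
import ipaddress
from collections import Counter

# ASNs the thread identifies as NOT using ASN:666 for blackholing.
NON_BLACKHOLE_ASNS = {3356, 5511, 2603}

# Constructed sample input, one "prefix|communities" record per line.
# This layout is an assumption for the example, not a collector format.
SAMPLE_RIB = """\
192.0.2.0/24|64500:666 64500:100
192.0.2.0/24|64500:666
198.51.100.7/32|64501:666
203.0.113.0/24|3356:666 3356:3
198.51.100.0/24|5511:666
2001:db8:1::/48|64502:666
2001:db8::1/128|65535:666
203.0.113.128/25|64500:6660
"""

def presumed_blackhole(rib_text, excluded=NON_BLACKHOLE_ASNS):
    """Return unique (prefix, 'ASN:666') pairs, excluded ASNs dropped."""
    pairs = set()
    for line in rib_text.splitlines():
        if not line.strip():
            continue
        prefix_s, _, comms = line.partition("|")
        prefix = ipaddress.ip_network(prefix_s.strip(), strict=False)
        for comm in comms.split():
            asn, _, value = comm.partition(":")
            # Exact match on the value, so 64500:6660 is not counted.
            if value == "666" and asn.isdigit() and int(asn) not in excluded:
                pairs.add((prefix, comm))
    return pairs

def length_distribution(pairs, version):
    """Frequency of prefix lengths over unique prefixes of one IP version."""
    prefixes = {p for p, _ in pairs if p.version == version}
    return dict(sorted(Counter(p.prefixlen for p in prefixes).items()))

if __name__ == "__main__":
    pairs = presumed_blackhole(SAMPLE_RIB)
    print("unique {prefix, RC=ASN:666}:", len(pairs))
    for v in (4, 6):
        for length, count in length_distribution(pairs, v).items():
            print(f"IPv{v} {length} ; {count}")
```
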
