Hhmm... Next time I'll try to engage brain before
typing, of course IP/AS mappings are unique to the BGP peer. It IS a
dynamic protocol after all!
Sounds like what is needed is some sort of perl script
or some such thing that could run against a local router and build the
AS-list.txt file so that it would be unique for that particular
installation. Thinking Cisco, if it just pulled the most distant AS number
out of the path shown on a "show ip bgp" command that would be hugely
helpful; at least for those of us who aren't running sites with many differing
BGP connections. I wish I was a programmer, I'd offer to help with
it. Unfortunately I'm just a network guy, when I try to delve into
attempts at writing code I just manage to get myself into trouble. If
anyone has a script that does this already, or somebody with the ability can
write it, I'll be more than happy to test and provide any assistance I possibly
can.
John
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Monday, April 10, 2006 8:21 AM
To: [email protected]
Subject: RE: [Ntop] AS-list.txt help
Um... AS-list.txt.gz
You are misreading the messages - AS works fine, within the
limitations of the data it is given... which is crud.
Why?
(1) AS->IP data doesn't exist or isn't freely available
to us.
(2) Even what we can get isn't very
good.
(3) Trying to create it yourself will probably get you
banned from various servers - because it's a nasty process.
#2?
Remember, each 'provider' of AS 'data' is seeing it from
different points with different aggregation - there's no such thing as a master
list. Nor is the mapping between AS' and IP very good.
Read the line in the page @ cidr-report.org:
"This report is generated from an analysis of the BGP routing table
within AS4637 (Reach), and was produced at Mon Apr 10 23:47:17 2006 AEST."
Unless you have
the same ISP and are part of the same block, even that data (and it's one of the
best sets) may not be very useful.
Surprised?
Think about it...
Joe-Bob's Gas, Bait and
Sandwich shop - with whom you are undertaking a major international
franchise rollout - may just have a block of 32 delegated addresses from
Billy-Bob's ISP and Fence Post company (AS9999). Even if Joe-Bob has an
assigned AS number (AS10101) it's only used for internal BGP routing within
the ISP.
Billy-Bob won't report those
32 addresses via BGP to the world, but rather will aggregate things and report
their whole 256 block.
So - to the outside world,
Joe-Bob's web server is part of Billy-Bob's AS9999 block, not Joe-Bob's
AS10101...
Different ISP, different
mapping from IP address -> AS...
For example, here's an old report about Reach: http://www.fixedorbit.com/AS/4/AS4637.htm,
which shows 158 peers. One of those is Cisco's AS109, which (http://www.fixedorbit.com/AS/0/AS109.htm)
says has control of "Control of approx 425,973
IP addresses (0.04%) in 11 groups".
Potential problem #1 - search
the AS database for 'Cisco' and you will find a bunch of other AS's which MIGHT
be the same Cisco (or might just be a hit on the specific letters somewhere in
the descriptions). So you can't say that AS109 ==
Cisco.
Poke around the AS109 data and you'll see that Cisco has
a bunch of peering relationships with tier 1 ISPs and so probably owns its own
address space. And so there's a decent likelihood that your ISP has a BGP
entry for AS109 -> Cisco. So any lookups you do on AS109 to figure out
which IP addresses are in it are probably pretty good.
Try querying AS109 from different top level
registries:
$ whois -h whois.ripe.net AS109
vs
$ whois -h whois.arin.net AS109
The contact info is completely different!
You can use nslookup, dig, et al to get an
IP address for Cisco's web server, but you can't map that back to an AS from the
normal (authoritative registries). You can through an alternative provider,
e.g.
$ whois -h whois.cymru.com 198.133.219.0/24
[Querying whois.cymru.com]
[whois.cymru.com]
AS | IP | Info | AS Name
109 | 198.133.219.0 | /24 | CISCO-EU-109 Cisco Systems Glo
So that one's pretty good. Try
something in the Cable modem /8, and - Potential problem
#2 - it's not so clear
cut...
There's no easy, automated way to
figure out the AS->IP mapping. Plus it's only as good as your data
source's view of the Internet... The registries publish some of this data
(e.g. ) but it's often aggregated. Some of the Tier1 ISPs used to put out
updates or elaboration files (for example Cable & Wireless) but as the
players get swapped around as pieces of bigger companies it's disappeared.
So the C&W data is no longer available through
Savvis.
The deeper you dig the worse it
gets...
I've got scripts that recursively query
the database to figure out each /24 or above's AS #, but run them and you'll get
banned by the providers because it's an 'abusive' query of the database.
(The Cable Modem blocks are especially nasty - these are /8s which are
redelegated at the /18 or below level). Plus they run for days and
frequently break down.
We used to have a user (Anon E. Mouse) who
provided us with updates. Since he's no longer doing this, we haven't
updated the ntop file.
Any
takers?
-----Burton
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John M. Livingston
Sent: Friday, April 07, 2006 12:57 PM
To: [email protected]
Subject: [Ntop] AS-list.txt help
Hi Everyone,
I just installed the most recent version of NTOP on a FC3 linux system, and
I'm having problems getting Autonomous Systems statistics. The AS-list.txt
file wasn't included in the rpm for install, and I can't find the file-format
anywhere. I've browsed a year's worth of the archives for the mailing list
as well as spent hours doing Yahoo! and Google searches but haven't found
anything that helps. I've got the list of AS and IP blocks being
advertised from www.cidr-report.org but
I think that I need the file format too so NTOP can actually use it.
My employer runs a pretty busy website and we have occasional significant
bandwidth spikes which consume nearly all our available bandwidth. If I
can get NTOP to show me the top 10 or top 20 AS numbers, I can re-route that
traffic over another link and keep our website from crashing. If NTOP
can't get me that info, is there any other freeware or open-source application
that can? One thing I've seen doing my research are a few messages that
indicate the AS functionality in NTOP doesn't work too well.
Thanks,
John Livingston
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
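
The script asked for at the top of this thread (take the most distant AS in each path of "show ip bgp" on the local router), sketched as an added example; it is not code from ntop or from anyone in the thread. It assumes the classic Cisco column layout with a "Path" header column, runs on a constructed sample using documentation prefixes and AS numbers, and returns a plain prefix-to-AS mapping because the AS-list.txt format is not given here.

```python
# Constructed sample of Cisco "show ip bgp" output (documentation prefixes and
# documentation AS numbers); not captured from a real router.
SAMPLE = """\
BGP table version is 42, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24  192.0.2.254              0             0 64500 64501 i
*  203.0.113.0/24   192.0.2.254                            0 64500 64502 64503 ?
*>                  192.0.2.253                            0 64510 64503 ?
*> 192.0.2.0/24     0.0.0.0                  0         32768 i
"""

def origin_as_by_prefix(show_ip_bgp):
    """Map each prefix to the origin (right-most) AS of its best '>' path."""
    lines = show_ip_bgp.splitlines()
    # Metric/LocPrf/Weight are numeric too, so the AS path can only be told
    # apart by position: it starts under the "Path" column header.
    hdr = next(i for i, l in enumerate(lines) if "Network" in l and "Path" in l)
    nh_col = lines[hdr].index("Next Hop")
    path_col = lines[hdr].index("Path")
    result, prefix = {}, None
    for line in lines[hdr + 1:]:
        if len(line) <= path_col:          # blank or trailer line
            continue
        net = line[3:nh_col].split()
        if net:                            # blank Network = same prefix as above
            prefix = net[0]
        if ">" not in line[:3] or prefix is None:
            continue                       # keep only the best path per prefix
        hops = [t for t in line[path_col:].split() if t not in ("i", "e", "?")]
        # Empty path: locally originated. An AS-set "{...}" has no single origin.
        result[prefix] = int(hops[-1]) if hops and hops[-1].isdigit() else None
    return result

def prefixes_by_as(mapping):
    """Invert the mapping: origin AS -> list of prefixes it originates."""
    out = {}
    for prefix, asn in mapping.items():
        if asn is not None:
            out.setdefault(asn, []).append(prefix)
    return out

if __name__ == "__main__":
    for asn, nets in sorted(prefixes_by_as(origin_as_by_prefix(SAMPLE)).items()):
        print(asn, " ".join(nets))
```

The result reflects only this router's view of the table, which is the limitation Burton describes: a different peer or upstream can see a different origin AS, or only an aggregate, for the same addresses.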
