Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Dobbins, Roland


On Dec 19, 2020, at 01:19, Frank Bulk  wrote:

Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20

It should be noted that attackers will sometimes generate non-TCP/-UDP/-ICMP 
DDoS attack traffic which is intended to bypass ACLs, firewall rules, etc. 
which only take the more common protocols into account. They'll often pick ESP 
(protocol 50), AH (protocol 51), or GRE (protocol 47) in order to try & 
masquerade the attack traffic as legitimate VPN or tunneled traffic.

And the source IPs of this attack traffic are frequently spoofed, as well.




Roland Dobbins 




Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.

2020-12-18 Thread Matthew Crocker


Yes I tried reaching out to Amazon and they said they can't help me.   
Crocker.com was hosted with Network Solutions earlier this year.  I'm thinking 
it might transfer it back to Network Solutions and get them to delete the stale 
records.  Amazon Route53 is great,  Amazon Registrar not so much.


On 12/18/20, 4:36 PM, "NANOG on behalf of Doug Barton" 
 wrote:



I'm curious, and my apologies if I missed it, but crocker.com is
registered at Amazon, and the COM whois shows that it was Amazon's
registrar that added the host records.

Were you able to work with the Amazon registrar (not AWS), as one of
their customers, to get the records removed; since crocker.com is not
delegated to those servers?

If not, that's a pretty big gap in their registrar offering.

Doug

http://registrar.amazon.com/


On 12/18/20 11:03 AM, Matthew Crocker wrote:
>
> At this point I've basically given up and I'm moving the 66.59.48.x IPs
> to a new datacenter over the weekend.  I'll move the DNS servers on the old IPs
> to the new datacenter and call it a day.   We are trying to get all of the
> customers to re-register anyway, then I'll shut all of this down.
>
> Thanks for the help
>
> On 12/17/20, 3:16 PM, "NANOG on behalf of John R. Levine" wrote:
>
>
>
>  > a czds dl, however, shows:
>
>  You're right, I checked again.
>
>  > :; zgrep -E ^dns-auth.\.crocker\.com com.txt.gz
>  > dns-auth1.crocker.com.172800  in  a   66.59.48.87
>  > dns-auth2.crocker.com.172800  in  a   66.59.48.88
>  > dns-auth3.crocker.com.172800  in  a   66.59.48.94
>  > dns-auth4.crocker.com.172800  in  a   66.59.48.95
>  >
>  > and leaving off the ^ shows that a large number of zones use those.
>
>  Since crocker.com uses different NS, I still don't see why they're in the
>  .COM zone.  Making inquiries.
>
>  Regards,
>  John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
>  Please consider the environment before reading this e-mail. https://jl.ly
>



Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.

2020-12-18 Thread Doug Barton
I'm curious, and my apologies if I missed it, but crocker.com is 
registered at Amazon, and the COM whois shows that it was Amazon's 
registrar that added the host records.


Were you able to work with the Amazon registrar (not AWS), as one of 
their customers, to get the records removed; since crocker.com is not 
delegated to those servers?


If not, that's a pretty big gap in their registrar offering.

Doug

http://registrar.amazon.com/


On 12/18/20 11:03 AM, Matthew Crocker wrote:


At this point I've basically given up and I'm moving the 66.59.48.x IPs to a 
new datacenter over the weekend.  I'll move the DNS servers on the old IPs to 
the new datacenter and call it a day.   We are trying to get all of the 
customers to re-register anyway, then I'll shut all of this down.

Thanks for the help

On 12/17/20, 3:16 PM, "NANOG on behalf of John R. Levine" 
 wrote:



 > a czds dl, however, shows:

 You're right, I checked again.

 > :; zgrep -E ^dns-auth.\.crocker\.com com.txt.gz
 > dns-auth1.crocker.com.172800  in  a   66.59.48.87
 > dns-auth2.crocker.com.172800  in  a   66.59.48.88
 > dns-auth3.crocker.com.172800  in  a   66.59.48.94
 > dns-auth4.crocker.com.172800  in  a   66.59.48.95
 >
 > and leaving off the ^ shows that a large number of zones use those.

 Since crocker.com uses different NS, I still don't see why they're in the
 .COM zone.  Making inquiries.

 Regards,
 John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for 
Dummies",
 Please consider the environment before reading this e-mail. https://jl.ly



Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Adrian Minta

Yes, we saw them as well:

Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.102
Dec 18 08:55:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.2
Dec 18 08:05:30: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.4
Dec 18 07:47:35: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.19
Dec 18 07:15:34: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 07:09:59: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.100
Dec 18 06:54:57: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.22
Dec 18 06:46:54: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.17
Dec 18 06:38:24: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 06:11:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 05:50:20: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.35
Dec 18 05:49:23: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.7
Dec 18 05:42:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 05:30:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:24:58: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.21
Dec 18 03:19:04: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.18
Dec 18 05:11:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.8
Dec 18 05:09:08: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.33
Dec 18 04:59:50: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.49
Dec 18 04:49:09: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.35
Dec 18 04:28:32: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.52
Dec 18 02:23:25: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.101
Dec 18 04:10:48: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.38
Dec 18 03:13:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=203.84.212.36
Dec 18 02:53:18: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933)

Re: [EXTERNAL]Re: Don't need someone with clue @ Network Solutions.

2020-12-18 Thread Matthew Crocker

At this point I've basically given up and I'm moving the 66.59.48.x IPs to a 
new datacenter over the weekend.  I'll move the DNS servers on the old IPs to 
the new datacenter and call it a day.   We are trying to get all of the 
customers to re-register anyway, then I'll shut all of this down.

Thanks for the help

On 12/17/20, 3:16 PM, "NANOG on behalf of John R. Levine" wrote:



> a czds dl, however, shows:

You're right, I checked again.

> :; zgrep -E ^dns-auth.\.crocker\.com com.txt.gz
> dns-auth1.crocker.com.172800  in  a   66.59.48.87
> dns-auth2.crocker.com.172800  in  a   66.59.48.88
> dns-auth3.crocker.com.172800  in  a   66.59.48.94
> dns-auth4.crocker.com.172800  in  a   66.59.48.95
>
> and leaving off the ^ shows that a large number of zones use those.

Since crocker.com uses different NS, I still don't see why they're in the
.COM zone.  Making inquiries.

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for 
Dummies",
Please consider the environment before reading this e-mail. https://jl.ly



Re: Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Tom Beecher
Frank-

I'll contact you directly about this.

On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk  wrote:

> Curious if someone can point me in the right direction. In the last three
> days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
> Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
> Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
> Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
> Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
> Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
> Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
> Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
> Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
> Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
> Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
> Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
> Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21
>
>
> All the destination IP addresses are in one of two categories:
> - router interface
> - inactive IP (no ARP entry)
>
> Vlans 20 and 21 are the Vlans facing our two edge/border routers.
>
> If I do a PTR lookup of each source IP, they're all some kind of
> cryptographic server in Yahoo's network:
>
> 203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
> lo301.cry1.sg3.yahoo.com.
> 203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
> lo303.cry2.sg3.yahoo.com.
> 203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
> lo303.cry1.tw1.yahoo.com.
> 203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
> lo300.cry2.tp2.yahoo.com.
> 68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.md2.yahoo.com.
> 68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.md2.yahoo.com.
> 68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
> lo302.cry2.md2.yahoo.com.
> 68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
> lo303.cry2.md2.yahoo.com.
> 68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.ne1.yahoo.com.
> 68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.bf1.yahoo.com.
> 68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.bf1.yahoo.com.
> 68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.bf1.yahoo.com.
> 68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
> lo302.cry1.md2.yahoo.com.
>
> Any idea what's going on here?  It's as if our 7600 is inspecting this
> traffic (presumably because it's not transit, it's being processed by the
> CPU) and seeing something special about it. Even if the router is not
> behaving 

Unexplainable router log entries mentioning IPSEC from Yahoo IPs

2020-12-18 Thread Frank Bulk
Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21


All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)

Vlans 20 and 21 are the Vlans facing our two edge/border routers.

If I do a PTR lookup of each source IP, they're all some kind of
cryptographic server in Yahoo's network:

203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
lo302.cry1.md2.yahoo.com.

Any idea what's going on here?  It's as if our 7600 is inspecting this
traffic (presumably because it's not transit, it's being processed by the
CPU) and seeing something special about it. Even if the router is not
behaving correctly, why is Yahoo sending that kind of traffic to those IPs?

Frank
AS53347
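
Added example, not part of the original post or any poster's code: a Python sketch that parses %CRYPTO-4-RECVD_PKT_INV_SPI lines in the two formats quoted in this thread and groups them by SPI, so one SPI arriving from many unrelated sources stands out from a stale SA with a configured peer. The known_peers set, the 198.51.100.7 peer, the destaddr values, the label names and the min_sources threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# First five lines: timestamps, SPIs and source addresses as quoted in the
# thread. destaddr values (192.0.2.x) and the last two lines are constructed.
SAMPLE_LOG = """\
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.77, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 18 10:02:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr= prot=50 spi=0x4CF4BE5D(1291107933) srcaddr=68.180.160.102
Dec 18 11:00:00.000 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=198.51.100.7, input interface=Vlan20
Dec 18 11:00:05.000 CST: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
"""

# Tolerates both layouts seen in the thread: comma-separated fields with an
# input interface, and whitespace-separated fields with a blank destaddr.
LINE_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?"
    r"destaddr=(?P<dst>[0-9.]*),?\s+"
    r"prot=(?P<prot>\d+),?\s+"
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),?\s+"
    r"srcaddr=(?P<src>[0-9.]+)"
    r"(?:,\s+input interface=(?P<ifc>\S+))?"
)


def parse_events(text):
    """Return one dict per INV_SPI line; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        spi = int(m["spi"], 16)
        if spi != int(m["spi_dec"]):
            continue  # hex and decimal forms disagree: treat as a mangled line
        events.append({
            "spi": f"0x{spi:08X}",
            "prot": int(m["prot"]),
            "src": m["src"],
            "dst": m["dst"] or None,   # blank when the log had destaddr redacted
            "ifc": m["ifc"],           # None when the line carries no interface
        })
    return events


def summarize_by_spi(events):
    """Group events by SPI and collect the distinct sources, /24s, dests, interfaces."""
    summary = defaultdict(lambda: {"count": 0, "sources": set(), "prefixes": set(),
                                   "dests": set(), "interfaces": set()})
    for ev in events:
        s = summary[ev["spi"]]
        s["count"] += 1
        s["sources"].add(ev["src"])
        s["prefixes"].add(str(ip_network(ev["src"] + "/24", strict=False)))
        if ev["dst"]:
            s["dests"].add(ev["dst"])
        if ev["ifc"]:
            s["interfaces"].add(ev["ifc"])
    return dict(summary)


def classify(summary, known_peers, min_sources=3):
    """Label each SPI. known_peers is a set of configured IPsec peer addresses
    (hypothetical input); labels and threshold are this example's own heuristic."""
    labels = {}
    for spi, s in summary.items():
        if s["sources"] <= known_peers:
            # Only configured peers: typically an SA that is out of sync.
            labels[spi] = "stale-sa-candidate"
        elif not (s["sources"] & known_peers) and len(s["sources"]) >= min_sources:
            # One SPI from several non-peer sources: not a negotiated tunnel.
            labels[spi] = "unsolicited-multi-source"
        else:
            labels[spi] = "unsolicited"
    return labels


if __name__ == "__main__":
    summary = summarize_by_spi(parse_events(SAMPLE_LOG))
    labels = classify(summary, known_peers={"198.51.100.7"})
    for spi, s in sorted(summary.items()):
        print(spi, labels[spi], s["count"], sorted(s["prefixes"]), sorted(s["interfaces"]))
```
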



Weekly Routing Table Report

2020-12-18 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 19 Dec, 2020

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  834384
Prefixes after maximum aggregation (per Origin AS):  319639
Deaggregation factor:  2.61
Unique aggregates announced (without unneeded subnets):  399442
Total ASes present in the Internet Routing Table: 70165
Prefixes per ASN: 11.89
Origin-only ASes present in the Internet Routing Table:   60316
Origin ASes announcing only one prefix:   24963
Transit ASes present in the Internet Routing Table: 9849
Transit-only ASes present in the Internet Routing Table: 296
Average AS path length visible in the Internet Routing Table:   4.4
Max AS path length visible: 203
Max AS path prepend of ASN (396896) 200
Prefixes from unregistered ASNs in the Routing Table:  1041
Number of instances of unregistered ASNs:  1042
Number of 32-bit ASNs allocated by the RIRs:  34457
Number of 32-bit ASNs visible in the Routing Table:   28615
Prefixes from 32-bit ASNs in the Routing Table:  131766
Number of bogon 32-bit ASNs visible in the Routing Table: 19
Special use prefixes present in the Routing Table: 1
Prefixes being announced from unallocated address space: 487
Number of addresses announced to Internet:   2864080896
Equivalent to 170 /8s, 182 /16s and 104 /24s
Percentage of available address space announced:   77.4
Percentage of allocated address space announced:   77.4
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   99.5
Total number of prefixes smaller than registry allocations:  283940

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes:   218271
Total APNIC prefixes after maximum aggregation:   64342
APNIC Deaggregation factor: 3.39
Prefixes being announced from the APNIC address blocks:  214363
Unique aggregates announced from the APNIC address blocks: 87510
APNIC Region origin ASes present in the Internet Routing Table:   11125
APNIC Prefixes per ASN:   19.27
APNIC Region origin ASes announcing only one prefix:   3163
APNIC Region transit ASes present in the Internet Routing Table:   1606
Average APNIC Region AS path length visible: 4.5
Max APNIC Region AS path length visible: 31
Number of APNIC region 32-bit ASNs visible in the Routing Table:   6259
Number of APNIC addresses announced to Internet:  778351744
Equivalent to 46 /8s, 100 /16s and 180 /24s
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 64297-64395, 131072-143673
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 240878
Total ARIN prefixes after maximum aggregation:   111543
ARIN Deaggregation factor: 2.16
Prefixes being announced from the ARIN address blocks:   241238
Unique aggregates announced from the ARIN address blocks: 115495
ARIN Region origin ASes present in the Internet Routing Table: 18688
ARIN Prefixes per ASN: 12.91
ARIN 

[NANOG-announce] All the latest NANOG News  N80 Hackathon registration, new stories, and more!

2020-12-18 Thread NANOG News
*Join us at the NANOG 81 Virtual Hackathon*
*Saturday + Sunday, February 6-7, 2021*

Hackathon Registration is now open. An essential part of our conferences,
NANOG Hackathons are designed to be both fun and engaging, as well as a
platform to build community and foster greater networking knowledge.

The theme of the NANOG 81 Virtual Hackathon is Configuration
Modeling. Utilizing collaboration services from Zoom and Slack,
participants can work individually, or self-organize into teams to work on
software passion projects. All levels are welcome. And as always,
registration is FREE. We hope to see you there!



*Mark your calendars*
*Registration for the NANOG 81 Virtual conference opens Jan 4! *

Join us online February 8-10, 2021 for a three-day virtual program of
talks, tutorials, keynotes, and panels, presented by some of the industry’s
top minds. The fee to attend NANOG 81 Virtual will be $100, which helps
offset our costs to build a virtual platform, and plan + execute the conference.

We’re committed to ensuring NANOG Virtual events are accessible and
welcoming to all. Complimentary Conference Registration will also be
available to anyone who’d like to attend NANOG 81 Virtual for free. Stay
tuned for more information!

*Submit a talk proposal for NANOG 81 Virtual*
Interested in sharing your research + ideas with the greater NANOG
community, but missed the NANOG 81 submission deadline? The Program
Committee (PC) is always looking for new + interesting talks, and there may
still be time for your presentation to be scheduled for NANOG 81! The PC
accepts proposals for all other future conferences on a rolling basis.

*Topics of interest:*

   - Automation
   - SDN
   - Traffic analysis
   - ISP Issues: sharing lessons learned / what to watch out for
   - Cloud-related topics: scale concerns, etc.
   - Routing
   - Best current practices
   - Career development skills
   - Tutorials: 101, deep dives, etc.


*Connect with us on LinkedIn *
As of December 11, the NANOG Communications LinkedIn account is no longer
active. But we'd love to stay connected! Be sure to follow us on our LinkedIn
Business page to keep up with all
the latest NANOG news, events, and stories (and don't forget to tag us in
your LinkedIn posts, so we can re-post and share the love!).

Looking to join a community forum? Check out the NANOG Community-Moderated
Group, a LinkedIn group managed
and moderated by members of our community.


*“I love to be part of a community that continuously works to grow and
improve the Internet.” *
NANOG is, and always has been, dedicated to the people who make up our
community. That's why we love to highlight the stories and experiences of
the most exceptional people we know. The innovators, change makers, and
mentors who embody our mission to advance an open, secure, and robust
Internet, through inspiration, education, and empowerment.

Keep up with our amazing community on NANOG Stories, where we regularly
feature new interviews!

___
NANOG-announce mailing list
NANOG-announce@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

