subject:"someone is using my AS number"

Re: someone is using my AS number

2019-06-16 Thread Christopher Morrow

On Thu, Jun 13, 2019 at 5:18 PM Joe Provo  wrote:

> The last "major" provider who failed to provide BGP community-based
> TE was 3549, and with their absorbtion into 3356 no one should have
> any tolerance for this garbage, IMNSHO.

as near as I can tell, you can't get per-neighbor or other TE options
on he.net, for instance, so not all folk support this :(

(reference: https://onestep.net/communities/ has no he.net details.
Checking for 6939 details on their site also came up blank for me)

Re: someone is using my AS number

2019-06-15 Thread Valdis Klētnieks

On Sat, 15 Jun 2019 05:38:23 -0700, Owen DeLong said:

> What I heard you say is: âIâm not going to offer a solution to your 
> problem,
> but you shouldnât use the one you have that currently works because some 
> things
> my friends and I are doing react poorly to it and you may suffer some
> consequences as a result.â

Umm.. Owen?  If "you may suffer some consequences as a result" is true, then
your claim the solution "currently works" is just a tad suspect, isn't it?

(Personally, I read Job's note as saying "Beware that this may not actually do
what you think it should do, and in fact may do the opposite...")



pgpsGBPqcy70y.pgp
Description: PGP signature

Re: someone is using my AS number

2019-06-15 Thread Jon Lewis


On Sat, 15 Jun 2019, Job Snijders wrote:


The moment they mangle the AS_PATH on their announcement and insert 2914
in their announcement towards NSP, the following can happen:

When ISP A would want to poison the path, ISP A may expect the following
paths to be visible from the ATT and NTT routes:

   AS_PATH   | footnotes
   7018_NSP_ISPA_2914_ISPA   | 1
   2914_7018_NSP_ISPA_2914_ISPA  | 1
   7018_2914_NSP_ISPA_2914_ISPA  | 2
   2914_NSP_ISPA_2914_ISPA   | 2
   NSP_ISPA_2914_ISPA| 3
   7018_2914_ISPA| 4
   2914_ISPA | 4

footnotes:
   1) rejected on AT&T routers due to peerlock (2914 is seen in the AS_PATH)
   2) rejected by NTT routers due to as-path loop detection, thus never
  propagated to AT&T. Neither NTT or AT&T will ever use this path.
   3) potentially rejected by NSP due to presence of an upstream ASN in
  AS_PATH, thus neither NTT or AT&T will ever this path.
   4) accepted by both AT&T and NTT. note that this effectively is
  ISP A single homing


I'll conceed that all of the above could happen, and has probably gotten 
more likely over time as networks get more "careful" about what paths 
they'll accept from who (too many BGP oops's over the years?).  My last 
use of as-path poisoning for TE was a couple of jobs ago and quite 
possibly ~10 years ago.  I was trying to keep an ISP (Level3) from sending 
our "TE more specifics" to a customer (TW Telecom), and at least back at 
that time, Level3 would accept routes from one customer (us) with another 
customer's (TW Telecom / 4323) ASN in the as-path.


Also, since in my case, the as-path poisoning was limited to more 
specifics that we advertised to one upstream utilizing their supported 
propagation limiting strings, poor propagation was the goal...and any 
network that didn't get those routes (i.e. the vast majority of the 
Internet) would presumably receive the natural as-path aggregate route(s). 
So, again, if there were propagation problems with the poisoned paths 
after they were accepted by the one upstream they were advertised to, A) 
that was the goal, B) you still have an aggregate route path.  If ISP1 
stopped accepting them, the TE would just stop working entirely, and 
everyone would use the aggregates.


Presumably, anyone using as-path poisoning would have non-poisoned 
covering aggregates, that "everyone" would use in the cases of rejection 
or failures causing no non-poisoned route to be available.



--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Re: someone is using my AS number

2019-06-15 Thread Job Snijders

On Sat, Jun 15, 2019 at 4:45 PM Owen DeLong  wrote:
> > On Jun 15, 2019, at 5:43 AM, Job Snijders  wrote:
> >> On Sat, Jun 15, 2019 at 2:38 PM Owen DeLong  wrote:
> >
owen> >> What I heard you say is: “I’m not going to offer a solution
to your problem, but you shouldn’t use the one you have that currently
works because some things my friends and I are doing react poorly to
it and you may suffer some consequences as a result.”
> >
job> > I have no idea how you would arrive at such a contrived convoluted
job> > interpretation. I'm sorry I can't help further your understanding of
job> > how modern day Internet routing works.

owen> I was pointing out that while you told the guy not to use a tool
that’s been working for him, you didn’t actually answer his question,
nor did you offer any useful alternative.

Your summary of this thread is somewhat incomplete. I'll try myself:

OP started with - "help, my ASN was used without my permission, what
do I do?" - to which NANOG answered "let us know your ASN and we'll
use our rolodex". Awesome, the community tried to help Philip Lavine.

Then in a follow-up (general context) question from Joe Abley: "what
actually can go wrong when the AS_PATH is modified for traffic
engineering purposes?", to which three factually correct answers were
provided:

1/ it may not help you achieve your traffic engineering goal (you
can't know if as-path loop avoidance is enabled or not)
2/ it makes security incident attribution processes harder because
poisoned AS_PATH contain fabricated information
3/ it can lead to hard outages because of interaction with EBGP
routing security filters (such as peer-lock)

Again a productive mail exchange, Joe Abley asked a good question and
the resulting public discussion hopefully helped others learn
something.

Next up: Warren offered in a separate subthread "sometimes it seems
AS_PATH poisoning is the only solution for traffic-engineering, what
else can we do". To which I add: "we should keep in mind that this
'only solution' may result in hard outages", (I assume hard outages
are considered worse than the state of things without traffic
engineering). If BGP communities and telephone requests are not
available, and AS_PATH poisoning seems to be the "only solution",
well, then that is the only "solution" (but poisoning caveats still
apply). There probably is no answer to Warren's question, at least I
couldn't provide one because communities & phone were taken away.

So, you turned something I intended as a simple addition to Warren's
message (a point that hadden't yet been mentioned), into a vague
statement about "Job and his friends". EBGP AS_PATH filters
("peerlock-style") have existed in many forms, since long before I
even had a job in this sector. It is absolutely unclear to me what you
are trying to achieve.

Kind regards,

Job

Re: someone is using my AS number

2019-06-15 Thread Owen DeLong

> On Jun 15, 2019, at 6:03 AM, Job Snijders  wrote:
> 
> On Sat, Jun 15, 2019 at 05:32:21AM -0700, Owen DeLong wrote:
>>> What is the principal harm of doing this? Honest question. I'm not 
>>> advocating for anything, just curious.
>>> 
>>> Excellent question.
>>> 
>>> 1/ We can’t really expect on the loop detection to work that way at
>>> the “jacked” side. So if this is innocent traffic engineering, it is
>>> unreliable at best.
>> 
>> Why not? 
> 
> There is no signal from the remote ASN (the one that receive the route
> announcement) to the Originator ASN about the remote ASN's loop
> detection policies. Therefor, since you can't know what the remote side
> will do ahead of time. The only recourse left at that point is active
> probing (trial & error). Trial and error, where the 'error' state may be
> an hard outage, means that the method is unreliable.

That’s absurd…

There’s a pre-defined loop detection behavior that is documented in the RFCs. 
It’s reasonable to expect the remote ASN to abide by it. Yes, I should 
understand that there’s a possibility they don’t follow that and will leak the 
route in despite the poisoning. However, that’s relatively easy to test and has 
a low probability of changing over time.

Even moreso when you consider that the likely places where such poisoning would 
be useful would almost certainly be transit ASNs while it’s highly unlikely 
that deactivating loop detection would be used outside of a stub ASN.

> 
>> Since this TE method is unlikely to be used to control propagation
>> to/through a stub ASN, it ought to be pretty reliable for the intended
>> purpose.
> 
> To all other people - AS_PATH poisoning, as a method to perform traffic
> engineering, is *not* reliable and can lead to hard outages.

The only place it will lead to a hard outage is if the route gets rejected from 
somewhere other than the intended target of the poisoning due to tripping a 
peer-lock filter (unlikely if done carefully). It shouldn’t cause any issues 
with RPKI filtering or most other filtering currently in common use. In the 
future if we ever get full path validation, then there’s a real issue. However, 
I’m betting we’ve standardized the replacement for IPv6 before that actually 
happens.

Owen

Re: someone is using my AS number

2019-06-15 Thread Owen DeLong

> On Jun 15, 2019, at 5:43 AM, Job Snijders  wrote:
> 
> On Sat, Jun 15, 2019 at 2:38 PM Owen DeLong  wrote:
>> Job,
>> 
>> Permit me to apply some reflective listening to your statement:
>> 
>> What I heard you say is: “I’m not going to offer a solution to your problem, 
>> but you shouldn’t use the one you have that currently works because some 
>> things my friends and I are doing react poorly to it and you may suffer some 
>> consequences as a result.”
> 
> I have no idea how you would arrive at such a contrived convoluted
> interpretation. I'm sorry I can't help further your understanding of
> how modern day Internet routing works.
> 
> Kind regards,
> 
> Job

It’s neither contrived, nor convoluted. It’s pretty much exactly what you said.

I have a pretty good understanding of how modern internet routing works and I 
wasn’t asking you to clarify that.

I was pointing out that while you told the guy not to use a tool that’s been 
working for him, you didn’t actually answer his question, nor did you offer any 
useful alternative.

Owen

Re: someone is using my AS number

2019-06-15 Thread Job Snijders

On Sat, Jun 15, 2019 at 09:31:03AM -0400, Jon Lewis wrote:
> On Sat, 15 Jun 2019, Job Snijders wrote:
> > There is no signal from the remote ASN (the one that receive the
> > route announcement) to the Originator ASN about the remote ASN's
> > loop detection policies. Therefor, since you can't know what the
> > remote side will do ahead of time. The only recourse left at that
> > point is active probing (trial & error). Trial and error, where the
> > 'error' state may be an hard outage, means that the method is
> > unreliable.
> 
> How does as-path poisoning failing (i.e. the AS you wanted to ignore a
> route accepts it) cause a hard outage?  

Formatting warning, what follows is an ASCII art diagram:

  |   "the rest"  |
  +---+
  |   |
   +--++--+
   |  ||  |
+--+ 2914 ++ 7018 |
|  |  ||  |
|  +--+---++---+--+
| ||
| |+-+ |
| || | |
| ++ NSP +-+
|  | |
|  +---+-+
|  |
|  +---+---+
|  |   |
+--+ ISP A |
   |   |
   +---+

In the above the ISP called "ISP A" is multihomed to "NTT" and an entity
called "NSP", the NSP is multi-homed to both NTT and AT&T. I attempted
to make this a realistic scenario.

In the above situation the ISP A entity might want to force certain
traffic over the NTT link, and instead of using BGP communities they use
BGP AS_PATH poisoning.

The moment they mangle the AS_PATH on their announcement and insert 2914
in their announcement towards NSP, the following can happen:

When ISP A would want to poison the path, ISP A may expect the following
paths to be visible from the ATT and NTT routes:

AS_PATH   | footnotes
7018_NSP_ISPA_2914_ISPA   | 1
2914_7018_NSP_ISPA_2914_ISPA  | 1
7018_2914_NSP_ISPA_2914_ISPA  | 2
2914_NSP_ISPA_2914_ISPA   | 2
NSP_ISPA_2914_ISPA| 3
7018_2914_ISPA| 4
2914_ISPA | 4

footnotes:
1) rejected on AT&T routers due to peerlock (2914 is seen in the AS_PATH)
2) rejected by NTT routers due to as-path loop detection, thus never
   propagated to AT&T. Neither NTT or AT&T will ever use this path.
3) potentially rejected by NSP due to presence of an upstream ASN in
   AS_PATH, thus neither NTT or AT&T will ever this path.
4) accepted by both AT&T and NTT. note that this effectively is
   ISP A single homing

In both scenarios it was ISP A's goal to receive less traffic over the
NSP-ISP A link, and the moment they deployed this policy, they'll think
it was successful, because traffic comes in via the NTT-ISP A link.

Now imagine (weeks after doing the AS_PATH poisoning), the link between
2914-ISP A is taken down (maintenance, outage, or whatever) - at that
moment ISP A will discover that their AS_PATH mangling resulted in a
hard outage. There was not switching to the paths via NSP. In fact, the
NSP may not even have accepted the routes in the first place because
many NSPs reject their upstream's ASNs when seen in routes received from
their downstreams.

In this thread, there is some hints of anecdata about when this trick
works 'as intended', but what I'm trying to point out no shortage of
examples where it leads to a problematic situation. In this thread we
seem to have some unclarity about what 'reliable' or 'unreliable' means.
AT&T will never proactively notify ISP A about changes to their AS_PATH
filters, so what works today may be entirely broken tomorrow.

I'm not disputing that AS_PATH poisoning can't be used to accomplish
traffic engineering objectives, but it is similar to relying on linux
operating system 0-days to obtain root access on a server. Sure,
sometimes it may work, but I hope we can agree that for business
purposes it is not a reliable or recommend way to achieve your goals via
exploits.

> When used for TE, a failure just means a route/path you wanted some
> remote network to ignore is not ignored and might be used.  i.e. Your
> TE may not work as desired, but the packets will still get to you,
> just not necessarily via the path you wanted them to take.

It depends! Keep in mind that traffic engineering based on AS_PATH
mangling is exploiting a property of the default as-path loop detection
behaviour in BGP implementations. This means we're relying on a second
order effect. The loop detection exists to stop the propagation of
loops. This means that such paths won't be considered at even a lower
priority, but are just rejected. The moment paths are rejected at any
point anywhere in the BGP graph, you risk unreachablity.

I hope this helped clarify a bit.

Kind regards,

Job

Re: someone is using my AS number

2019-06-15 Thread Owen DeLong




> On Jun 14, 2019, at 4:22 AM, Jared Mauch  wrote:
> 
> 
> 
>> On Jun 14, 2019, at 4:02 AM, Filip Hruska  wrote:
>> 
>> HE doesn't provide any community based TE and I would say they're a pretty 
>> major network.
> 
> With all respect to my friends at HE, this is a major gap for a network in 
> 2019.  I know this has lost them business over time with customers leaving 
> due to the lack of TE communities.  I know it takes time/effort to design and 
> roll-out, so hopefully it’s coming for them soon.
> 
> - Jared

It’s unlikely. IMHO, it has to do with the mentality of Mike Leber and Mike 
Tindle.

Owen

Re: someone is using my AS number

2019-06-15 Thread Jon Lewis


On Sat, 15 Jun 2019, Job Snijders wrote:


There is no signal from the remote ASN (the one that receive the route
announcement) to the Originator ASN about the remote ASN's loop
detection policies. Therefor, since you can't know what the remote side
will do ahead of time. The only recourse left at that point is active
probing (trial & error). Trial and error, where the 'error' state may be
an hard outage, means that the method is unreliable.


How does as-path poisoning failing (i.e. the AS you wanted to ignore a 
route accepts it) cause a hard outage?  When used for TE, a failure just 
means a route/path you wanted some remote network to ignore is not ignored 
and might be used.  i.e. Your TE may not work as desired, but the packets 
will still get to you, just not necessarily via the path you wanted them 
to take.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Re: someone is using my AS number

2019-06-15 Thread Jon Lewis


On Sat, 15 Jun 2019, Filip Hruska wrote:


In other words, if I have an upstream that uses 6939 for transit, I'm free to 
permanently prepend 6939 to
stop propagation to that network? Isn't using a community that says "do not export 
to 6939" a better and much
cleaner solution?


Sure, unless/until that doesn't work.  In the case I recall where I used 
as-path poisoning, we were multihomed to two NSPs.  For TE purposes, we'd 
been advertising a couple of more specifics to NSP1 with community strings 
to limit propagation.  One day, NSP2 went from being a peer of NSP1 to a 
customer of NSP1.  Generally, if a network even has customer usable 
propagation limiting community support, it's only applicable to their 
peers, not customers.  So, when the peering relationship between NSP1 & 
NSP2 changed, our TE became less effective because NSP2 started receiving 
the more specifics from NSP1.  The fix was to add NSP2's AS to the more 
specifics sent to NSP1...and to eventually get another transit provider.



You will have to explain that to SpamHaus and other organizations who are in 
the business (literally) of
blacklisting all upstreams of "rogue" networks.


I think they have enough clue to notice "screwy as-paths".

--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Re: someone is using my AS number

2019-06-15 Thread Job Snijders

On Sat, Jun 15, 2019 at 05:32:21AM -0700, Owen DeLong wrote:
> > What is the principal harm of doing this? Honest question. I'm not 
> > advocating for anything, just curious.
> > 
> > Excellent question.
> > 
> > 1/ We can’t really expect on the loop detection to work that way at
> > the “jacked” side. So if this is innocent traffic engineering, it is
> > unreliable at best.
> 
> Why not? 

There is no signal from the remote ASN (the one that receive the route
announcement) to the Originator ASN about the remote ASN's loop
detection policies. Therefor, since you can't know what the remote side
will do ahead of time. The only recourse left at that point is active
probing (trial & error). Trial and error, where the 'error' state may be
an hard outage, means that the method is unreliable.

> Since this TE method is unlikely to be used to control propagation
> to/through a stub ASN, it ought to be pretty reliable for the intended
> purpose.

To all other people - AS_PATH poisoning, as a method to perform traffic
engineering, is *not* reliable and can lead to hard outages.

Regards,

Job

Re: someone is using my AS number

2019-06-15 Thread Filip Hruska

On 15 June 2019 2:32:21 pm GMT+02:00, Owen DeLong  wrote:
>
>
>> On Jun 13, 2019, at 7:06 AM, Job Snijders  wrote:
>> 
>> Hi Joe,
>> 
>> On Thu, Jun 13, 2019 at 9:59 Joe Abley > wrote:
>> Hey Joe,
>> 
>> On 12 Jun 2019, at 12:37, Joe Provo > wrote:
>> 
>> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG
>wrote:
>> >> Send abuse complaint to the upstreams
>> > 
>> > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > be good.
>> 
>> I realise lots of people dislike AS_PATH stuffing with other peoples'
>AS numbers and treat it as a form of hijacking.
>> 
>> However, there's an argument that AS_PATH is really just a
>loop-avoidance mechanism, not some kind of AS-granular traceroute for
>prefix propagation. In that sense, stuffing 9327 into a prefix as a
>mechanism to stop that prefix being accepted by AS 9327 seems almost
>reasonable. (I assume this is the kind of TE you are talking about.)
>> 
>> What is the principal harm of doing this? Honest question. I'm not
>advocating for anything, just curious.
>> 
>> 
>> Excellent question.
>> 
>> 1/ We can’t really expect on the loop detection to work that way at
>the “jacked” side. So if this is innocent traffic engineering, it is
>unreliable at best.
>
>Why not? It’s certainly supposed to work that way according to the
>RFCs. Yes, I know there are knobs for people that are too
>lazy/conservative/otherwise misguided to get multiple ASNs for their
>sites with distanct routing policies so that they’ll accept their
>announcements from their remote sites even though their own ASN is in
>the path (thus breaking BGP loop detection for their particular AS).
>
>However, it’s very likely (and certainly hopeful) that no transit ASN
>would operate this way.
>
>Since this TE method is unlikely to be used to control propagation
>to/through a stub ASN, it ought to be pretty reliable for the intended
>purpose.
>

In other words, if I have an upstream that uses 6939 for transit, I'm free to 
permanently prepend 6939 to stop propagation to that network? Isn't using a 
community that says "do not export to 6939" a better and much cleaner solution? 

>> 2/ Attribution. The moment you stuff AS 2914 anywhere in the path, we
>may get blamed for anything that happens through the IP addresses for
>that route. In a way the ASNs in the AS_PATH attribute an an
>inter-organizational escalation flowchart.
>
>I would think that expecting this to hold true is far less reliable
>than the expectation you just claimed was invalid in 1/ above.
>
>I don’t doubt that it might lead to misguided phone calls to 2914 (or
>other provider) as a result, but I’m not sure I would blame the
>misguided interpretation of the AS Path by the caller on the person who
>put the ASN in the path.
>

You will have to explain that to SpamHaus and other organizations who are in 
the business (literally) of blacklisting all upstreams of "rogue" networks. 

Kind Regards,
Filip

Re: someone is using my AS number

2019-06-15 Thread Job Snijders

On Sat, Jun 15, 2019 at 2:38 PM Owen DeLong  wrote:
> Job,
>
> Permit me to apply some reflective listening to your statement:
>
> What I heard you say is: “I’m not going to offer a solution to your problem, 
> but you shouldn’t use the one you have that currently works because some 
> things my friends and I are doing react poorly to it and you may suffer some 
> consequences as a result.”

I have no idea how you would arrive at such a contrived convoluted
interpretation. I'm sorry I can't help further your understanding of
how modern day Internet routing works.

Kind regards,

Job

Re: someone is using my AS number

2019-06-15 Thread Owen DeLong



> On Jun 13, 2019, at 8:24 AM, Job Snijders  wrote:
> 
> On Thu, Jun 13, 2019 at 11:18 Warren Kumari  > wrote:
> On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  > wrote:
> >
> > Hey Joe,
> >
> > On 12 Jun 2019, at 12:37, Joe Provo  > > wrote:
> >
> > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> > >> Send abuse complaint to the upstreams
> > >
> > > ...and then name & shame publicly. AS-path forgery "for TE" was
> > > never a good idea. Sharing the affected prefix[es]/path[s] would
> > > be good.
> >
> > I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
> > numbers and treat it as a form of hijacking.
> >
> 
> Actually, I've been meaning to start a thread on this for a while.
> 
> I have an anycast prefix - at one location I'm a customer of a
> customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
> routes, any time a packet touches ISP_X, it goes to this location,
> even though it is (severely) suboptimal -- things would be better if
> ISP_X didn't accept this route in this location.
> 
> Now, the obvious answer of "well, just ask your provider in this
> location to not announce it to ISP_X. That's what communities / the
> telephone were invented for!" doesn't work for various (entirely
> non-technical) reasons...
> 
> Other than doing path-poisoning can anyone think of a way to
> accomplish what I want? (modulo the "just become a direct customer
> instead of being a customer of a customer" or "disable that site", or
> "convince the AS upstream of you to deploy communities / filters").
> While icky, sometimes stuffing other people's AS in the path seems to
> be the only solution...
> 
> 
> Given the prevalence of peerlock-style filters at the transit-free club, 
> poisoning the path may result in a large outage for your prefix rather than a 
> clever optimization. Poisoning paths is bad for all parties involved.
> 
> Kind regards,
> 
> Job

Job,

Permit me to apply some reflective listening to your statement:

What I heard you say is: “I’m not going to offer a solution to your problem, 
but you shouldn’t use the one you have that currently works because some things 
my friends and I are doing react poorly to it and you may suffer some 
consequences as a result.”

Owen

Re: someone is using my AS number

2019-06-15 Thread Owen DeLong

> On Jun 13, 2019, at 7:06 AM, Job Snijders  wrote:
> 
> Hi Joe,
> 
> On Thu, Jun 13, 2019 at 9:59 Joe Abley  > wrote:
> Hey Joe,
> 
> On 12 Jun 2019, at 12:37, Joe Provo  > wrote:
> 
> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> >> Send abuse complaint to the upstreams
> > 
> > ...and then name & shame publicly. AS-path forgery "for TE" was
> > never a good idea. Sharing the affected prefix[es]/path[s] would
> > be good.
> 
> I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
> numbers and treat it as a form of hijacking.
> 
> However, there's an argument that AS_PATH is really just a loop-avoidance 
> mechanism, not some kind of AS-granular traceroute for prefix propagation. In 
> that sense, stuffing 9327 into a prefix as a mechanism to stop that prefix 
> being accepted by AS 9327 seems almost reasonable. (I assume this is the kind 
> of TE you are talking about.)
> 
> What is the principal harm of doing this? Honest question. I'm not advocating 
> for anything, just curious.
> 
> 
> Excellent question.
> 
> 1/ We can’t really expect on the loop detection to work that way at the 
> “jacked” side. So if this is innocent traffic engineering, it is unreliable 
> at best.

Why not? It’s certainly supposed to work that way according to the RFCs. Yes, I 
know there are knobs for people that are too lazy/conservative/otherwise 
misguided to get multiple ASNs for their sites with distanct routing policies 
so that they’ll accept their announcements from their remote sites even though 
their own ASN is in the path (thus breaking BGP loop detection for their 
particular AS).

However, it’s very likely (and certainly hopeful) that no transit ASN would 
operate this way.

Since this TE method is unlikely to be used to control propagation to/through a 
stub ASN, it ought to be pretty reliable for the intended purpose.

> 2/ Attribution. The moment you stuff AS 2914 anywhere in the path, we may get 
> blamed for anything that happens through the IP addresses for that route. In 
> a way the ASNs in the AS_PATH attribute an an inter-organizational escalation 
> flowchart.

I would think that expecting this to hold true is far less reliable than the 
expectation you just claimed was invalid in 1/ above.

I don’t doubt that it might lead to misguided phone calls to 2914 (or other 
provider) as a result, but I’m not sure I would blame the misguided 
interpretation of the AS Path by the caller on the person who put the ASN in 
the path.

Owen

Re: someone is using my AS number

2019-06-14 Thread Jared Mauch

> On Jun 14, 2019, at 4:02 AM, Filip Hruska  wrote:
> 
> HE doesn't provide any community based TE and I would say they're a pretty 
> major network.

With all respect to my friends at HE, this is a major gap for a network in 
2019.  I know this has lost them business over time with customers leaving due 
to the lack of TE communities.  I know it takes time/effort to design and 
roll-out, so hopefully it’s coming for them soon.

- Jared

Re: someone is using my AS number

2019-06-14 Thread Filip Hruska

HE doesn't provide any community based TE and I would say they're a pretty 
major network.

Filip

On 14 June 2019 2:17:43 am GMT+02:00, Joe Provo  
wrote:
>On Thu, Jun 13, 2019 at 09:58:20AM -0400, Joe Abley wrote:
>> Hey Joe,
>> 
>> On 12 Jun 2019, at 12:37, Joe Provo 
>wrote:
>> 
>> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG
>wrote:
>> >> Send abuse complaint to the upstreams
>> > 
>> > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > be good.
>> 
>> I realise lots of people dislike AS_PATH stuffing with other peoples'
>AS numbers and treat it as a form of hijacking.
>> 
>> However, there's an argument that AS_PATH is really just a
>> loop-avoidance mechanism, not some kind of AS-granular traceroute
>> for prefix propagation. In that sense, stuffing 9327 into a prefix
>> as a mechanism to stop that prefix being accepted by AS 9327 seems
>> almost reasonable. (I assume this is the kind of TE you are talking
>> about.)
>> 
>> What is the principal harm of doing this? Honest question. I'm
>> not advocating for anything, just curious.
>
>There is no way at a distance to tell the difference between:
>- legitimate AS forwarding
>- ham-fistedly attempting "innocent" TE away from the forged AS
>- maliciously hiding traffic from the forged AS
>- an error with the forged AS
>
>IME, when you can NOT look like an error or an attack, that's a 
>Good Thing.
>
>The last "major" provider who failed to provide BGP community-based
>TE was 3549, and with their absorbtion into 3356 no one should have
>any tolerance for this garbage, IMNSHO.
>
>Cheers,
>
>joe
>
>
>-- 
>Posted from my personal account - see X-Disclaimer header.
>Joe Provo / Gweep / Earthling 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-13 Thread Joe Provo

On Thu, Jun 13, 2019 at 09:58:20AM -0400, Joe Abley wrote:
> Hey Joe,
> 
> On 12 Jun 2019, at 12:37, Joe Provo  wrote:
> 
> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> >> Send abuse complaint to the upstreams
> > 
> > ...and then name & shame publicly. AS-path forgery "for TE" was
> > never a good idea. Sharing the affected prefix[es]/path[s] would
> > be good.
> 
> I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
> numbers and treat it as a form of hijacking.
> 
> However, there's an argument that AS_PATH is really just a
> loop-avoidance mechanism, not some kind of AS-granular traceroute
> for prefix propagation. In that sense, stuffing 9327 into a prefix
> as a mechanism to stop that prefix being accepted by AS 9327 seems
> almost reasonable. (I assume this is the kind of TE you are talking
> about.)
> 
> What is the principal harm of doing this? Honest question. I'm
> not advocating for anything, just curious.

There is no way at a distance to tell the difference between:
- legitimate AS forwarding
- ham-fistedly attempting "innocent" TE away from the forged AS
- maliciously hiding traffic from the forged AS
- an error with the forged AS

IME, when you can NOT look like an error or an attack, that's a 
Good Thing.

The last "major" provider who failed to provide BGP community-based
TE was 3549, and with their absorbtion into 3356 no one should have
any tolerance for this garbage, IMNSHO.

Cheers,

joe


-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling

Re: someone is using my AS number

2019-06-13 Thread Randy Bush

other than the possibility of the stuffed AS being associated with
behavior, no harm if nothing malicious is happening.  if something
malicious is happening, we probably have bigger problems.

have used path poisoning for a notable research experiment; where we
credit the first major poisoner, lorenzo's thesis.

randy

Re: someone is using my AS number

2019-06-13 Thread Warren Kumari

On Thu, Jun 13, 2019 at 11:37 AM Jared Mauch  wrote:
>
> You also may not know who allows their own ASN inbound as well. It certainly 
> is a mixed bag.
>
> I do consider poisoning at best horrible hygiene and at worst evidence of 
> malicious intent.

Yes, I fully agree it it bletcherous -- which is why I'm looking for
something less ugly...

>
> Good filtering isn’t just prefix or AS path based it’s both.
>
> Best filtering is pinning the prefix to a specific ASN.
>
> Sent from my iCar
>
> On Jun 13, 2019, at 11:24 AM, Job Snijders  wrote:
>
> On Thu, Jun 13, 2019 at 11:18 Warren Kumari  wrote:
>>
>> On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  wrote:
>> >
>> > Hey Joe,
>> >
>> > On 12 Jun 2019, at 12:37, Joe Provo  wrote:
>> >
>> > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
>> > >> Send abuse complaint to the upstreams
>> > >
>> > > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > > be good.
>> >
>> > I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
>> > numbers and treat it as a form of hijacking.
>> >
>>
>> Actually, I've been meaning to start a thread on this for a while.
>>
>> I have an anycast prefix - at one location I'm a customer of a
>> customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
>> routes, any time a packet touches ISP_X, it goes to this location,
>> even though it is (severely) suboptimal -- things would be better if
>> ISP_X didn't accept this route in this location.
>>
>> Now, the obvious answer of "well, just ask your provider in this
>> location to not announce it to ISP_X. That's what communities / the
>> telephone were invented for!" doesn't work for various (entirely
>> non-technical) reasons...
>>
>> Other than doing path-poisoning can anyone think of a way to
>> accomplish what I want? (modulo the "just become a direct customer
>> instead of being a customer of a customer" or "disable that site", or
>> "convince the AS upstream of you to deploy communities / filters").
>> While icky, sometimes stuffing other people's AS in the path seems to
>> be the only solution...
>
>
>
> Given the prevalence of peerlock-style filters at the transit-free club, 
> poisoning the path may result in a large outage for your prefix rather than a 
> clever optimization.

Er, let me think about this -- if I have 3 locations, A, B, and C, and
at location A (the problematic one) I announce prefix 192.0.2.0/24
with ISP_X in the path, and at locations B and C I just prepend my AS#
(to keep path lengths roughly the same), even if ISP_X, ISP_Y, ISP_Z
(and others) enable peerlock, AFAICT, it will only be location A which
might get filtered, yes?

> Poisoning paths is bad for all parties involved.

Not disagreeing - I'd love to tag my routes with community
1234:, or 1233:, but without
useful levers, what do I pull? Unlike normally, I'm not arguing just
for the sake of arguing, I'm a lookin' for suggestions...
W


>
> Kind regards,
>
> Job



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

Re: someone is using my AS number

2019-06-13 Thread Filip Hruska

I don't think the number of networks with disabled loop prevention is that 
small.

For example, let's say you're a hosting provider who has 3 locations... no 
reason to do cold potato routing and you don't have dedicated links between 
sites, yet you still want ranges announced at DC A to be reachable from DC B 
and C.

Kind Regards,
Filip

On 13 June 2019 5:56:16 pm GMT+02:00, Jon Lewis  wrote:
>I've used it in the distant past for TE purposes.  Assuming you're 
>poisoning one ASN via one transit it's not exactly rocket science to 
>figure out if "it worked" or not.  As Warren mentioned, sometimes your 
>transits just don't provide all the knobs you need.
>
>I suspect the number of networks that have intentionally disabled loop 
>prevention is relatively small, and those more likely "end user'ish" 
>networks that are less likely to be the target of as-path poisoning 
>TE...says the guy who just disabled loop prevention on a bunch of
>routers. 
>:)
>
>On Thu, 13 Jun 2019, Jared Mauch wrote:
>
>> You also may not know who allows their own ASN inbound as well. It
>certainly is a mixed bag. 
>> I do consider poisoning at best horrible hygiene and at worst
>evidence of malicious intent. 
>> 
>> Good filtering isn’t just prefix or AS path based it’s both. 
>> 
>> Best filtering is pinning the prefix to a specific ASN. 
>> 
>> Sent from my iCar
>> 
>> On Jun 13, 2019, at 11:24 AM, Job Snijders  wrote:
>>
>>   On Thu, Jun 13, 2019 at 11:18 Warren Kumari 
>wrote:
>>   On Thu, Jun 13, 2019 at 9:59 AM Joe Abley 
>wrote:
>>   >
>>   > Hey Joe,
>>   >
>>   > On 12 Jun 2019, at 12:37, Joe Provo
> wrote:
>>   >
>>   > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via
>NANOG wrote:
>>   > >> Send abuse complaint to the upstreams
>>   > >
>>   > > ...and then name & shame publicly. AS-path forgery "for TE"
>was
>>   > > never a good idea. Sharing the affected prefix[es]/path[s]
>would
>>   > > be good.
>>   >
>>   > I realise lots of people dislike AS_PATH stuffing with other
>peoples' AS numbers and treat it as a form of hijacking.
>>   >
>>
>>   Actually, I've been meaning to start a thread on this for a
>while.
>>
>>   I have an anycast prefix - at one location I'm a customer of a
>>   customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers
>customer
>>   routes, any time a packet touches ISP_X, it goes to this
>location,
>>   even though it is (severely) suboptimal -- things would be
>better if
>>   ISP_X didn't accept this route in this location.
>>
>>   Now, the obvious answer of "well, just ask your provider in
>this
>>   location to not announce it to ISP_X. That's what communities /
>the
>>   telephone were invented for!" doesn't work for various
>(entirely
>>   non-technical) reasons...
>>
>>   Other than doing path-poisoning can anyone think of a way to
>>   accomplish what I want? (modulo the "just become a direct
>customer
>>   instead of being a customer of a customer" or "disable that
>site", or
>>   "convince the AS upstream of you to deploy communities /
>filters").
>>   While icky, sometimes stuffing other people's AS in the path
>seems to
>>   be the only solution...
>> 
>> 
>> 
>> Given the prevalence of peerlock-style filters at the transit-free
>club, poisoning the path may result in a large outage for your prefix
>rather than
>> a clever optimization. Poisoning paths is bad for all parties
>involved.
>> 
>> Kind regards,
>> 
>> Job
>> 
>> 
>>
>
>--
>  Jon Lewis, MCP :)   |  I route
>  |  therefore you are
>_ http://www.lewis.org/~jlewis/pgp for PGP public key_

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-13 Thread Jon Lewis

I've used it in the distant past for TE purposes.  Assuming you're 
poisoning one ASN via one transit it's not exactly rocket science to 
figure out if "it worked" or not.  As Warren mentioned, sometimes your 
transits just don't provide all the knobs you need.

I suspect the number of networks that have intentionally disabled loop 
prevention is relatively small, and those more likely "end user'ish" 
networks that are less likely to be the target of as-path poisoning 
TE...says the guy who just disabled loop prevention on a bunch of routers. 
:)

On Thu, 13 Jun 2019, Jared Mauch wrote:

You also may not know who allows their own ASN inbound as well. It certainly is 
a mixed bag. 
I do consider poisoning at best horrible hygiene and at worst evidence of 
malicious intent. 

Good filtering isn’t just prefix or AS path based it’s both. 

Best filtering is pinning the prefix to a specific ASN. 

Sent from my iCar

On Jun 13, 2019, at 11:24 AM, Job Snijders  wrote:

  On Thu, Jun 13, 2019 at 11:18 Warren Kumari  wrote:
  On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  wrote:
  >
  > Hey Joe,
  >
  > On 12 Jun 2019, at 12:37, Joe Provo  wrote:
  >
  > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
  > >> Send abuse complaint to the upstreams
  > >
  > > ...and then name & shame publicly. AS-path forgery "for TE" was
  > > never a good idea. Sharing the affected prefix[es]/path[s] would
  > > be good.
  >
  > I realise lots of people dislike AS_PATH stuffing with other peoples' 
AS numbers and treat it as a form of hijacking.
  >

  Actually, I've been meaning to start a thread on this for a while.

  I have an anycast prefix - at one location I'm a customer of a
  customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
  routes, any time a packet touches ISP_X, it goes to this location,
  even though it is (severely) suboptimal -- things would be better if
  ISP_X didn't accept this route in this location.

  Now, the obvious answer of "well, just ask your provider in this
  location to not announce it to ISP_X. That's what communities / the
  telephone were invented for!" doesn't work for various (entirely
  non-technical) reasons...

  Other than doing path-poisoning can anyone think of a way to
  accomplish what I want? (modulo the "just become a direct customer
  instead of being a customer of a customer" or "disable that site", or
  "convince the AS upstream of you to deploy communities / filters").
  While icky, sometimes stuffing other people's AS in the path seems to
  be the only solution...

Given the prevalence of peerlock-style filters at the transit-free club, 
poisoning the path may result in a large outage for your prefix rather than
a clever optimization. Poisoning paths is bad for all parties involved.

Kind regards,

Job

--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

Re: someone is using my AS number

2019-06-13 Thread Jared Mauch

You also may not know who allows their own ASN inbound as well. It certainly is 
a mixed bag. 

I do consider poisoning at best horrible hygiene and at worst evidence of 
malicious intent. 

Good filtering isn’t just prefix or AS path based it’s both. 

Best filtering is pinning the prefix to a specific ASN. 

Sent from my iCar

> On Jun 13, 2019, at 11:24 AM, Job Snijders  wrote:
> 
>> On Thu, Jun 13, 2019 at 11:18 Warren Kumari  wrote:
> 
>> On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  wrote:
>> >
>> > Hey Joe,
>> >
>> > On 12 Jun 2019, at 12:37, Joe Provo  wrote:
>> >
>> > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
>> > >> Send abuse complaint to the upstreams
>> > >
>> > > ...and then name & shame publicly. AS-path forgery "for TE" was
>> > > never a good idea. Sharing the affected prefix[es]/path[s] would
>> > > be good.
>> >
>> > I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
>> > numbers and treat it as a form of hijacking.
>> >
>> 
>> Actually, I've been meaning to start a thread on this for a while.
>> 
>> I have an anycast prefix - at one location I'm a customer of a
>> customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
>> routes, any time a packet touches ISP_X, it goes to this location,
>> even though it is (severely) suboptimal -- things would be better if
>> ISP_X didn't accept this route in this location.
>> 
>> Now, the obvious answer of "well, just ask your provider in this
>> location to not announce it to ISP_X. That's what communities / the
>> telephone were invented for!" doesn't work for various (entirely
>> non-technical) reasons...
>> 
>> Other than doing path-poisoning can anyone think of a way to
>> accomplish what I want? (modulo the "just become a direct customer
>> instead of being a customer of a customer" or "disable that site", or
>> "convince the AS upstream of you to deploy communities / filters").
>> While icky, sometimes stuffing other people's AS in the path seems to
>> be the only solution...
> 
> 
> Given the prevalence of peerlock-style filters at the transit-free club, 
> poisoning the path may result in a large outage for your prefix rather than a 
> clever optimization. Poisoning paths is bad for all parties involved.
> 
> Kind regards,
> 
> Job

Re: someone is using my AS number

2019-06-13 Thread Job Snijders

On Thu, Jun 13, 2019 at 11:18 Warren Kumari  wrote:

> On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  wrote:
> >
> > Hey Joe,
> >
> > On 12 Jun 2019, at 12:37, Joe Provo  wrote:
> >
> > > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> > >> Send abuse complaint to the upstreams
> > >
> > > ...and then name & shame publicly. AS-path forgery "for TE" was
> > > never a good idea. Sharing the affected prefix[es]/path[s] would
> > > be good.
> >
> > I realise lots of people dislike AS_PATH stuffing with other peoples' AS
> numbers and treat it as a form of hijacking.
> >
>
> Actually, I've been meaning to start a thread on this for a while.
>
> I have an anycast prefix - at one location I'm a customer of a
> customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
> routes, any time a packet touches ISP_X, it goes to this location,
> even though it is (severely) suboptimal -- things would be better if
> ISP_X didn't accept this route in this location.
>
> Now, the obvious answer of "well, just ask your provider in this
> location to not announce it to ISP_X. That's what communities / the
> telephone were invented for!" doesn't work for various (entirely
> non-technical) reasons...
>
> Other than doing path-poisoning can anyone think of a way to
> accomplish what I want? (modulo the "just become a direct customer
> instead of being a customer of a customer" or "disable that site", or
> "convince the AS upstream of you to deploy communities / filters").
> While icky, sometimes stuffing other people's AS in the path seems to
> be the only solution...



Given the prevalence of peerlock-style filters at the transit-free club,
poisoning the path may result in a large outage for your prefix rather than
a clever optimization. Poisoning paths is bad for all parties involved.

Kind regards,

Job

Re: someone is using my AS number

2019-06-13 Thread Warren Kumari

On Thu, Jun 13, 2019 at 9:59 AM Joe Abley  wrote:
>
> Hey Joe,
>
> On 12 Jun 2019, at 12:37, Joe Provo  wrote:
>
> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> >> Send abuse complaint to the upstreams
> >
> > ...and then name & shame publicly. AS-path forgery "for TE" was
> > never a good idea. Sharing the affected prefix[es]/path[s] would
> > be good.
>
> I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
> numbers and treat it as a form of hijacking.
>

Actually, I've been meaning to start a thread on this for a while.

I have an anycast prefix - at one location I'm a customer of a
customer of ISP_X &  ISP_Y & ISP_Z. Because ISP_X prefers customer
routes, any time a packet touches ISP_X, it goes to this location,
even though it is (severely) suboptimal -- things would be better if
ISP_X didn't accept this route in this location.

Now, the obvious answer of "well, just ask your provider in this
location to not announce it to ISP_X. That's what communities / the
telephone were invented for!" doesn't work for various (entirely
non-technical) reasons...

Other than doing path-poisoning can anyone think of a way to
accomplish what I want? (modulo the "just become a direct customer
instead of being a customer of a customer" or "disable that site", or
"convince the AS upstream of you to deploy communities / filters").
While icky, sometimes stuffing other people's AS in the path seems to
be the only solution...

W

> However, there's an argument that AS_PATH is really just a loop-avoidance 
> mechanism, not some kind of AS-granular traceroute for prefix propagation. In 
> that sense, stuffing 9327 into a prefix as a mechanism to stop that prefix 
> being accepted by AS 9327 seems almost reasonable. (I assume this is the kind 
> of TE you are talking about.)
>
> What is the principal harm of doing this? Honest question. I'm not advocating 
> for anything, just curious.
>
>
> Joe
>

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

Re: someone is using my AS number

2019-06-13 Thread Joe Abley

On 13 Jun 2019, at 10:06, Job Snijders  wrote:

> 1/ We can’t really expect on the loop detection to work that way at the 
> “jacked” side. So if this is innocent traffic engineering, it is unreliable 
> at best.
> 
> 2/ Attribution. The moment you stuff AS 2914 anywhere in the path, we may get 
> blamed for anything that happens through the IP addresses for that route. In 
> a way the ASNs in the AS_PATH attribute an an inter-organizational escalation 
> flowchart.

Good answer! Somebody should write that down. :-)


Joe


signature.asc
Description: Message signed with OpenPGP

Re: someone is using my AS number

2019-06-13 Thread Job Snijders

Hi Joe,

On Thu, Jun 13, 2019 at 9:59 Joe Abley  wrote:

> Hey Joe,
>
> On 12 Jun 2019, at 12:37, Joe Provo  wrote:
>
> > On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> >> Send abuse complaint to the upstreams
> >
> > ...and then name & shame publicly. AS-path forgery "for TE" was
> > never a good idea. Sharing the affected prefix[es]/path[s] would
> > be good.
>
> I realise lots of people dislike AS_PATH stuffing with other peoples' AS
> numbers and treat it as a form of hijacking.
>
> However, there's an argument that AS_PATH is really just a loop-avoidance
> mechanism, not some kind of AS-granular traceroute for prefix propagation.
> In that sense, stuffing 9327 into a prefix as a mechanism to stop that
> prefix being accepted by AS 9327 seems almost reasonable. (I assume this is
> the kind of TE you are talking about.)
>
> What is the principal harm of doing this? Honest question. I'm not
> advocating for anything, just curious.

Excellent question.

1/ We can’t really expect on the loop detection to work that way at the
“jacked” side. So if this is innocent traffic engineering, it is unreliable
at best.

2/ Attribution. The moment you stuff AS 2914 anywhere in the path, we may
get blamed for anything that happens through the IP addresses for that
route. In a way the ASNs in the AS_PATH attribute an an
inter-organizational escalation flowchart.

Kind regards,

Job

Re: someone is using my AS number

2019-06-13 Thread Joe Abley

Hey Joe,

On 12 Jun 2019, at 12:37, Joe Provo  wrote:

> On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
>> Send abuse complaint to the upstreams
> 
> ...and then name & shame publicly. AS-path forgery "for TE" was
> never a good idea. Sharing the affected prefix[es]/path[s] would
> be good.

I realise lots of people dislike AS_PATH stuffing with other peoples' AS 
numbers and treat it as a form of hijacking.

However, there's an argument that AS_PATH is really just a loop-avoidance 
mechanism, not some kind of AS-granular traceroute for prefix propagation. In 
that sense, stuffing 9327 into a prefix as a mechanism to stop that prefix 
being accepted by AS 9327 seems almost reasonable. (I assume this is the kind 
of TE you are talking about.)

What is the principal harm of doing this? Honest question. I'm not advocating 
for anything, just curious.

Joe

signature.asc
Description: Message signed with OpenPGP

Re: someone is using my AS number

2019-06-12 Thread Carlos Friaças via NANOG





AS15001 ?
(IT Convergence Inc.)

MSP in India: did they have any slightest idea about the issue? :-)

Cheers,
Carlos


On Wed, 12 Jun 2019, Philip Lavine via NANOG wrote:


I talked to the upstream provider on AS 1500. I called the telephone number on 
the abuse record on ARIN and it went to a MSP in India.

On Wednesday, June 12, 2019, 11:06:13 AM PDT, Töma Gavrichenkov 
 wrote:


Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma

Re: someone is using my AS number

2019-06-12 Thread Valdis Klētnieks

On Wed, 12 Jun 2019 16:10:00 -, David Guo via NANOG said:

> Get Outlook for iOS

Does it work better on XE or XR versions?

/ducks ;)



pgpCxfGZJGXxT.pgp
Description: PGP signature

Re: someone is using my AS number

2019-06-12 Thread Arturo Servin

Proper filtering from the upstream providers.

.as

On Wed, Jun 12, 2019 at 9:25 PM Alejandro Acosta <
alejandroacostaal...@gmail.com> wrote:

> Unfortunately RPKI is not useful in this case.
>
> Question: What else could be done to prevent this?
>
>
> Alejandro,
>
>
>
> On 6/12/19 12:05 PM, Philip Lavine via NANOG wrote:
>
> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>
>

Re: someone is using my AS number

2019-06-12 Thread Scott Weeks




>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG

>What is the procedure to have another party to cease and desist
>in using my AS number?



On 12 June 2019 7:57:52 pm GMT+02:00, Philip Lavine  wrote:
> Here is what I got from BGPMon- MY AS is 15053
>
>Detected new prefix: 134.37.2.0/23
>ASpath: 394256 174 702 25213 25213 25213 15001 15053 



--- f...@fhrnet.eu wrote:
From: Filip Hruska 

Seems the issue was on AS25213 side. They don't provide transit 
to AS15001 at all. 
---



Here's how I see it:

134.37.2.0/23  -   702 25213 25213

So, Verizon or Telia should be able to help stop Cargotec or DNA 
in Helsinki, Finland from announcing the prefix to the world.

https://bgp.he.net/AS25213#_graph4
https://bgp.he.net/AS16086#_graph4


scott

Re: someone is using my AS number

2019-06-12 Thread Alejandro Acosta

Unfortunately RPKI is not useful in this case.

Question: What else could be done to prevent this?

Alejandro,

On 6/12/19 12:05 PM, Philip Lavine via NANOG wrote:
> What is the procedure to have another party to cease and desist in
> using my AS number?
>
> Thx

pEpkey.asc
Description: application/pgp-keys

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska

Seems the issue was on AS25213 side. They don't provide transit to AS15001 at 
all. 

Regards,
Filip

On 12 June 2019 7:57:52 pm GMT+02:00, Philip Lavine  
wrote:
> Here is what I got from BGPMon- MY AS is 15053
>
>Detected new prefix: 134.37.2.0/23
>Update time: 2019-06-11 17:58 (UTC)
>Detected by #peers: 70
>Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
>Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
>ASpath: 394256 174 702 25213 25213 25213 15001 15053 
>
>I tried contacting the upstream provider and they were no help :Contact
>- IT Convergence
>
>| 
>| 
>| 
>|  |  |
>
> |
>
> |
>| 
>|  | 
>Contact - IT Convergence
>
>Contact us today to learn more about how your business can benefit by
>partnering with IT Convergence.
> |
>
> |
>
> |
>
>
>
>
>
>On Wednesday, June 12, 2019, 9:34:16 AM PDT, Job Snijders 
>wrote:  
> 
>Can you share more details? Perhaps we can put the human social network
>to good use.
>Other than that this is annoying - are right now operationally
>impacted?
>Kind regards,
>Job
>On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:
>
>I would contact upstreams of the upstream then. This is quite a serious
>offence and they should help you. 
>
>Regards,
>Filip
>
>On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine
> wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.
>  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG

 I talked to the upstream provider on AS 1500. I called the telephone number on 
the abuse record on ARIN and it went to a MSP in India. 

On Wednesday, June 12, 2019, 11:06:13 AM PDT, Töma Gavrichenkov 
 wrote:  
 
 Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma

Re: someone is using my AS number

2019-06-12 Thread Job Snijders

Indeed, I do not see this in the our current version of the
Default-Free Zone, so there may not be a problem for us to solve at
this moment.

I think your reaching out to NANOG or other operator forums is the
correct action. Someone is bound to know someone who knows someone who
can help.

Kind regards,

Job

On Wed, Jun 12, 2019 at 6:06 PM Töma Gavrichenkov  wrote:
>
> Our records show this happened yesterday and lasted before 2019-06-11
> 20:24:00, for 2.5 hours total. Maybe that was just by accident.
>
> I'm sort of confused why you're speaking of some ISPs in India. The
> incident was more or less local to Finland, wasn't it?
>
> --
> Töma

Re: someone is using my AS number

2019-06-12 Thread Töma Gavrichenkov

Our records show this happened yesterday and lasted before 2019-06-11
20:24:00, for 2.5 hours total. Maybe that was just by accident.

I'm sort of confused why you're speaking of some ISPs in India. The
incident was more or less local to Finland, wasn't it?

--
Töma

Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG

 Here is what I got from BGPMon- MY AS is 15053

Detected new prefix: 134.37.2.0/23
Update time: 2019-06-11 17:58 (UTC)
Detected by #peers: 70
Announced by: AS15053 (ROLL-GLOBAL-LLC - Roll Global LLC, US)
Upstream AS: AS15001 (ITCONVERGENCE-COM - IT Convergence Inc., US)
ASpath: 394256 174 702 25213 25213 25213 15001 15053 

I tried contacting the upstream provider and they were no help :Contact - IT 
Convergence

| 
| 
| 
|  |  |

 |

 |
| 
|  | 
Contact - IT Convergence

Contact us today to learn more about how your business can benefit by 
partnering with IT Convergence.
 |

 |

 |





On Wednesday, June 12, 2019, 9:34:16 AM PDT, Job Snijders  
wrote:  
 
 Can you share more details? Perhaps we can put the human social network to 
good use.
Other than that this is annoying - are right now operationally impacted?
Kind regards,
Job
On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:

I would contact upstreams of the upstream then. This is quite a serious offence 
and they should help you. 

Regards,
Filip

On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine  
wrote:
 yeah I did they are some MSP in India. No help.

On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
wrote:  
 
 Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
What is the procedure to have another party to cease and desist in using my AS 
number?
Thx



-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Mehmet Akcin

What is your ASN?

On Wed, Jun 12, 2019 at 12:08 PM Philip Lavine via NANOG 
wrote:

> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>

Re: someone is using my AS number

2019-06-12 Thread Matt Harris

On Wed, Jun 12, 2019 at 11:46 AM Carsten Bormann  wrote:

> On Jun 12, 2019, at 18:10, David Guo via NANOG  wrote:
> >
> > Send abuse complaint to the upstreams
> >
> > Get Outlook for iOS
>
> Yes, but which of these is more effective?
>

With some upstreams, I wonder if getting Outlook for iOS might not be just
as effective as contacting them...

Re: someone is using my AS number

2019-06-12 Thread Carsten Bormann

On Jun 12, 2019, at 18:10, David Guo via NANOG  wrote:
> 
> Send abuse complaint to the upstreams
> 
> Get Outlook for iOS

Yes, but which of these is more effective?

SCNR

Grüße, Carsten

Re: someone is using my AS number

2019-06-12 Thread Joe Provo

On Wed, Jun 12, 2019 at 04:10:00PM +, David Guo via NANOG wrote:
> Send abuse complaint to the upstreams

...and then name & shame publicly. AS-path forgery "for TE" was 
never a good idea. Sharing the affected prefix[es]/path[s] would 
be good.

-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling

Re: someone is using my AS number

2019-06-12 Thread Job Snijders

Can you share more details? Perhaps we can put the human social network to
good use.

Other than that this is annoying - are right now operationally impacted?

Kind regards,

Job

On Wed, Jun 12, 2019 at 12:24 Filip Hruska  wrote:

> I would contact upstreams of the upstream then. This is quite a serious
> offence and they should help you.
>
> Regards,
> Filip
>
>
> On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine <
> source_ro...@yahoo.com> wrote:
>>
>> yeah I did they are some MSP in India. No help.
>>
>> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska 
>> wrote:
>>
>>
>> Contact the offending upstreams.
>>
>> Filip
>>
>> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG <
>> nanog@nanog.org> wrote:
>>
>> What is the procedure to have another party to cease and desist in using
>> my AS number?
>>
>> Thx
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

Re: someone is using my AS number

2019-06-12 Thread Christopher Morrow

details help here, and perhaps folk who peer with the upstreams can
just reject routes with your as in them... if, you know, we knew what
that was :)

On Wed, Jun 12, 2019 at 9:21 AM Philip Lavine via NANOG  wrote:
>
> yeah I did they are some MSP in India. No help.
>
> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
> wrote:
>
>
> Contact the offending upstreams.
>
> Filip
>
> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG 
>  wrote:
>
> What is the procedure to have another party to cease and desist in using my 
> AS number?
>
> Thx
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Ross Tajvar

Maybe try contacting the RIR?

On Wed, Jun 12, 2019, 12:23 PM Philip Lavine via NANOG 
wrote:

> yeah I did they are some MSP in India. No help.
>
> On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska 
> wrote:
>
>
> Contact the offending upstreams.
>
> Filip
>
> On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG <
> nanog@nanog.org> wrote:
>
> What is the procedure to have another party to cease and desist in using
> my AS number?
>
> Thx
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska

I would contact upstreams of the upstream then. This is quite a serious offence 
and they should help you. 

Regards,
Filip

On 12 June 2019 6:20:42 pm GMT+02:00, Philip Lavine  
wrote:
> yeah I did they are some MSP in India. No help.
>
>On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska
> wrote:  
> 
> Contact the offending upstreams.
>
>Filip
>
>On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG
> wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx
>
>
>-- 
>Sent from my Android device with K-9 Mail. Please excuse my brevity.  

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG

 yeah I did they are some MSP in India. No help.

On Wednesday, June 12, 2019, 9:15:51 AM PDT, Filip Hruska  
wrote:  
 
 Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
What is the procedure to have another party to cease and desist in using my AS 
number?
Thx


-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread Filip Hruska

Contact the offending upstreams.

Filip

On 12 June 2019 6:05:58 pm GMT+02:00, Philip Lavine via NANOG  
wrote:
>What is the procedure to have another party to cease and desist in
>using my AS number?
>Thx

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: someone is using my AS number

2019-06-12 Thread David Guo via NANOG

Send abuse complaint to the upstreams

Get Outlook for iOS<https://aka.ms/o0ukef>

From: NANOG  on behalf of Philip Lavine via NANOG 

Sent: Thursday, June 13, 2019 12:05:58 AM
To: NANOG List
Subject: someone is using my AS number

What is the procedure to have another party to cease and desist in using my AS 
number?

Thx

someone is using my AS number

2019-06-12 Thread Philip Lavine via NANOG

What is the procedure to have another party to cease and desist in using my AS 
number?
Thx

50 matches

Mail list logo