[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
AS4134/AS4847 - Appear to be hijacking some ip space.
Hey folks,
I'm on it for solving both immediate issue and long term "fix".
Louie
--
Louie Lee, æ??æ?¯é?²
Peering Coordinator (AS16591 <https://as16591.peeringdb.com/>)
Network Capacity Manager
IP Numbers Administrator
Google Fiber
louiel at google.com
(650) 253-2847
*There are 10 types of people in the world: Those who understand binary,
and those who don't.*
On Fri, Apr 5, 2019 at 11:17 AM Christopher Morrow <morrowc.lists at gmail.com>
wrote:
> On Fri, Apr 5, 2019 at 12:29 PM Jay Borkenhagen <jayb at att.com> wrote:
> >
> > Hi Chris,
>
> yes!
>
> > It would be great if the Google Fiber / AS16591 folks could publish a
> > ROA in ARIN's hosted RPKI authorizing exactly 136.32.0.0/11 to be
> > originated only in AS16591. That ROA would have addressed this matter
> > from AS7018's point of view.
> >
>
> ok, cool. This is sort of on my plate, at least from the internal
> viz/evangelizing perspective, and I'll go spend time chatting up the
> folk in fiber-land.
> having a: "See, doing this would prevent this" is helpful.
>
> > In the interim, I have added a temporary whitelist (slurm) entry into
> > our RPKI caches, causing the AS7018 network to disregard the
> > more-specific /24s under 136.32.0.0/11.
>
> thanks!
>
> > Good luck.
> > Jay B.
> >
> >
> > Christopher Morrow writes:
> > > Howdy gentle folks:
> > >
> > > It looks like AS4847 - "China Networks Inter-Exchange"
> > >
> > > Is taking some time to announce reachability for at least:
> > > 136.38.33.0/24
> > >
> > > which they ought not, given that this /24 is part of a /11 assigned to
> > > AS16591 (google fiber)... Looking at routeviews data, I see the
> > > following as-paths for this one /24:
> > > $ grep -A1 Refresh /tmp/x | grep 4847
> > > 1239 174 4134 4847
> > > 3549 3356 174 4134 4847
> > > 701 174 4134 4847
> > > 4901 6079 3257 4134 4847
> > > 20912 174 4134 4847
> > > 1221 4637 4134 4847
> > > 1351 11164 4134 4847
> > > 6079 1299 4134 4847
> > > 6079 3257 4134 4847
> > > 7018 4134 4847
> > > 6939 1299 4134 4847
> > > 3561 209 4134 4847
> > > 3303 4134 4847
> > > 3277 39710 9002 4134 4847
> > > 2497 4134 4847
> > > 4826 1299 4134 4847
> > > 54728 20130 23352 2914 4134 4847
> > > 19214 3257 4134 4847
> > > 101 101 11164 4134 4847
> > > 1403 6453 4134 4847
> > > 852 6453 4134 4847
> > > 1403 6453 4134 4847
> > > 286 4134 4847
> > > 3333 1273 4134 4847
> > > 57866 3491 4134 4847
> > > 3267 1299 4134 4847
> > > 49788 174 4134 4847
> > > 53767 3257 4134 4847
> > > 53364 3257 4134 4847
> > > 8283 57866 3491 4134 4847
> > > 7660 2516 4134 4847
> > >
> > > >From that I think the following AS should have filtered this prefix
> and are not:
> > > $ grep -A1 Refresh /tmp/x | grep 4847 | sed 's/ 4134 4847//' | awk
> > > '{print $NF}' | sort -n | uniq
> > >
> > > 174 - Cogent
> > > 209 - Qwest
> > > 286 - KPN
> > > 1273 - Vodafone
> > > 1299 - Telia
> > > 2497 - IIJ
> > > 2516 - KDDI
> > > 2914 - NTT
> > > 3257 - GTT
> > > 3303 - Swisscom
> > > 3491 - PCCW
> > > 4637 - Telstra
> > > 6453 - TATA
> > > 7018 - ATT
> > > 9002 - RETN
> > > 11164 - Internet2
> > >
> > > It'd be great if the listed folk could filter AS4134 :)
> > >
> > > -Chris
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190405/5cbead32/attachment.html>