look for BGP routes containing local AS#

Song Li refresh.lsong at gmail.com
Wed Jan 28 14:00:26 UTC 2015


Thanks!

It seems hard to see such routes on the edge router. Nonetheless, we do 
believe there must exist such routes in the wild. We still hope to find 
some real cases of them. If anybody sees them in their routers, please let 
us know.

Regards!

Song
On 2015/1/28 21:27, Chuck Anderson wrote:
> It used to be the case that looped routes didn't even show up as
> hidden routes, because Junos discarded them even from Adj-RIB-In,
> although this may have changed at some Junos version.
>
> Also, Junos won't even advertise such looped routes to a neighbor with
> the same AS by default, so in many cases you won't see it at all if
> you are peering with a Juniper unless it is specifically configured to
> send these looped routes with advertise-peer-as, or change the AS
> number with as-override.
>
> On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
>> Hi Joel,
>>
>> It is right that the BGP route containing the local ASN will be
>> dropped. However, such routes can still be displayed on the router. For
>> example, you can run "show route hidden terse aspath-regex .*<local
>> ASN>.*" on Juniper to check them. We are looking for those routes.
>> If you can run the command on your Juniper and find such routes,
>> could you please provide them to us?
>>
>> Thanks!
>>
>> Regards!
>>
>> Song
>>
>> On 2015/1/28 16:23, joel jaeggli wrote:
>>> On 1/27/15 5:45 AM, Song Li wrote:
>>>> Hi everyone,
>>>>
>>>> Recently I studied the BGP AS path looping problem, and found that in
>>>> most cases, the received BGP routes containing local AS# are suspicious.
>>>> However, we checked our BGP routing table (AS23910,CERNET2) on juniper
>>>> router(show route hidden terse aspath-regex .*23910.* ), and have not
>>>> found such routes in Adj-RIB-In.
>>>
>>> Updates with your AS in the path are discarded as part of loop
>>> detection, e.g. they do not become candidate routes.
>>>
>>> https://tools.ietf.org/html/rfc4271 page 77
>>>
>>>     If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
>>>     route should be excluded from the Phase 2 decision function.  AS loop
>>>     detection is done by scanning the full AS path (as specified in the
>>>     AS_PATH attribute), and checking that the autonomous system number of
>>>     the local system does not appear in the AS path.  Operations of a BGP
>>>     speaker that is configured to accept routes with its own autonomous
>>>     system number in the AS path are outside the scope of this document.
>>>
>>> in junos
>>>
>>> neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
>>>
>>> where number is the number of instances of your AS in the path you're
>>> willing to accept will correct that.
>>>
>>>> We believe that the received BGP routes containing local AS# are related
>>>> to BGP security problem.
>>>
>>> You'll have to elaborate, since their existence is a basic principle in
>>> the operation of bgp and they are ubiquitous.
>>>
>>> Island instances of a distributed ASN communicate with each other by
>>> allowing such routes in so that they can be evaluated on the basis of
>>> prefix, specificity, AS path length and so forth.
>>>
>>>> Hence, we want to look for some real cases in
>>>> the wild. Could anybody give us some examples of such routes?


-- 
Song Li
Room 4-204, FIT Building,
Network Security,
Department of Electronic Engineering,
Tsinghua University, Beijing 100084, China
Tel:( +86) 010-62446440
E-mail: refresh.lsong at gmail.com


