Finding asymmetric path
nanog-post at rsuc.gweep.net
Sat Nov 28 10:48:37 CST 2009
On Sat, Nov 28, 2009 at 09:41:09AM -0600, Joe Greco wrote:
> > >>> I'm reasonably certain a customer of ours who is using one of our
> > >>> netblocks is using a different reverse path to reach us. How might I
> > >>> figure out who is allowing them to source traffic from IPs that belong
> > >>> to us?
> > >> you are implying that they are not allowed to multi-home using the ip
> > >> space you have assigned to them. good way to lose a customer.
> > > Does it count as multihoming when we are the only ones announcing the
> > > space?
> > almost an interesting question. but i think it is playing with words.
> > if i understand your original statement, they are clearly attached to at
> > least two providers.
> > perhaps it is fear of what they, possibly mistakenly, perceive to be
> > your policy regarding announcement of space that keeps them from
> > announcing normally to both, or more, links?

It wasn't clear that the customer was a BGP downstream, though by saying
'We are the only ones announcing the space', I think not. Non-BGP
multihoming is broken* and when not done out of ignorance generally is
the smoke pointing to the fire of someone trying to hide something.
Was very common for spammers to abuse no-uRPF networks in the early
days of broadband.

> It could also be something simple like pricing. For example, in a large
> colo facility, you might easily find that a number of providers offer
> low cost transit, but not IP space. For a customer who is heavy on the
> outbound traffic, they might find it more affordable to buy their inbound
> plus IP space from you, and then dump onto Cogent or something like that
> for outbound. Unless your contract specifically prohibits this, you're
> probably not going to be able to prevent it.

I wonder if there is a drift of baseline assumptions between the current
wave of operators and previous ones? To me (and BCP38) it is beyond bad
practice to allow -and if allowed, to make use of- such sloppy edges.
If the other network truly is practicing bad forwarding hygiene then
they are a security problem for everyone else and IMO would be good for
naming and shaming.

* for the majority of the cases. I know there are purposeful Non-BGP
MOAS/anycast purposefully run by those who understand the implications.
It is unfortunate that their use of lack of inherent BGP path security
contributes to fuzzing what would otherwise have been a clear indicator
of 'bad' behavior. But same could be said for the deaggregators
using longest-match to have everyone else do their TE; water under
the bridge pushing work onto everyone else.

RSUC / GweepNet / Spunk / FnB / Usenix / SAGE