Is AS information useful for security?

Paolo Lucente pl+list at pmacct.net
Thu Dec 15 17:35:44 UTC 2011


On Thu, Dec 15, 2011 at 11:28:48AM -0500, Drew Weaver wrote:

> I could be wrong here but I believe origin-AS uses a lookup from the routing table to figure out what the originAS for the source IP should be (and not what it explicitly IS) which means the information is unreliable.

Using a bit of Cisco jargon, I believe we speak of source peer-AS and
asymmetric routing. What you say is true, but more accurate information
can be achieved by correlation, i.e. against the input interface. This
leaves open the case of input traffic from a shared medium, i.e. an IXP.
If using sFlow, MAC layer information would be pretty much available
for the job; if using NetFlow instead, NetFlow v9 (and IPFIX .. brrr)
could come to the rescue .. if it were not for the lack of
implementation of the MAC layer primitives for routed traffic (i.e. not
switched) by the vendors on the bigger pieces of iron (i.e. no ASR1K,
software routers, etc.).

Cheers,
Paolo
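
The correlation described in the message above, as an added example that is not part of the original post: the peer-AS a collector gets from a routing lookup is checked against the peer implied by the input interface, or by the source MAC when the interface is a shared IXP port. The record field names, interface indexes, MAC addresses and AS numbers are all constructed for illustration.

```python
# Added illustration. Every value below is constructed (documentation
# ranges for ASNs, MACs and IPs); field names are hypothetical.

# Assumption: the operator keeps these maps from its own peering config.
IFINDEX_TO_PEER_AS = {10: 64500, 11: 64501}   # one peer per port
IXP_IFINDEX = 20                              # shared medium, many peers
IXP_MAC_TO_PEER_AS = {
    "00:00:5e:00:53:01": 64510,
    "00:00:5e:00:53:02": 64511,
}

def ingress_peer_as(flow):
    """Peer-AS implied by where the packet actually entered the router."""
    ifindex = flow["in_if"]
    if ifindex in IFINDEX_TO_PEER_AS:
        return IFINDEX_TO_PEER_AS[ifindex]
    if ifindex == IXP_IFINDEX:
        mac = flow.get("src_mac")
        if mac is None:
            return None  # exporter gave no MAC for routed traffic
        return IXP_MAC_TO_PEER_AS.get(mac.lower())
    return None

def classify(flow):
    """Compare the lookup-derived peer-AS with the ingress-derived one."""
    observed = ingress_peer_as(flow)
    if observed is None:
        return "unverifiable"
    return "consistent" if observed == flow["peer_src_as"] else "mismatch"

# Constructed flow records: peer_src_as is what a routing-table lookup
# on the source IP returned, not what was seen on the wire.
SAMPLE_FLOWS = [
    {"src_ip": "192.0.2.10", "in_if": 10, "peer_src_as": 64500},
    # Lookup says 64500, but the packet arrived on the port facing 64501
    # (e.g. asymmetric routing).
    {"src_ip": "192.0.2.20", "in_if": 11, "peer_src_as": 64500},
    # IXP port, sFlow-style record carrying the source MAC.
    {"src_ip": "198.51.100.5", "in_if": 20,
     "src_mac": "00:00:5E:00:53:01", "peer_src_as": 64510},
    # IXP port, NetFlow-style record without MAC: cannot be resolved.
    {"src_ip": "198.51.100.9", "in_if": 20, "peer_src_as": 64511},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["src_ip"], f["in_if"], classify(f))
```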





More information about the NANOG mailing list