Announcing a reserved ASN?

Owen DeLong owen at delong.com
Sun Feb 3 19:40:11 UTC 2013


AS23456 is what you get if your system doesn't properly support 32-bit ASNs
and an AS-PATH (or peer) uses a 32-bit ASN.

There should be an extended attribute on the route that contains the full
32-bit AS-PATH called AS4_PATH associated with any such routes.

Arguably any route containing AS23456 without an AS4_PATH attribute is
invalid and could be filtered.

Unfortunately, routers that would display AS23456 instead of restoring the
full 32-bit AS_PATH may not be able to identify this.

A properly transmitted route from a 4-byte ASN will be recovered as follows:

91.217.86.0/23     *[BGP/170] 1w5d 09:11:37, MED 101, localpref 100
                      AS path: 8121 1299 3209 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

OTOH, you may occasionally see artifacts like this (I don't know why):

91.217.87.0/24     *[BGP/170] 1w5d 09:10:16, MED 101, localpref 100
                      AS path: 8121 1299 174 23456 197269 I
                    > to 192.124.40.129 via ge-0/0/0.0

But if you are seeing 23456 on an AS4 capable router without at least some
indication of a 4-byte ASN in the path, it's probably fishy.

On Feb 3, 2013, at 4:57 AM, Suresh Ramasubramanian <ops.lists at gmail.com> wrote:

> At least the 103.x which are announced by airtel. The other netblocks (one
> Indian and two Brazilian) appear unrelated though also showing as23456
> 
> --srs (htc one x)
> On 03-Feb-2013 6:12 PM, "Suresh Ramasubramanian" <ops.lists at gmail.com>
> wrote:
> 
>> AS23456 is currently announcing a good few netblocks (which don't have a
>> very good SMTP reputation, by the way).
>> 
>> Funny thing is, that's a special use ASN as per rfc4893, something about
>> two octet ASNs that don't have a four octet representation.
>> 
>> Only one upstream (airtelbroadband-as-ap, as24560) that I can see
>> 
>>>> 103.7.204.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 103.14.208.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 103.23.124.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 103.30.12.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 103.245.112.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 111.235.148.0/22

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 177.55.249.0/24

Missing AS4_PATH -- Probably a spoofed/hijacked route

>>>> 186.251.192.0/21

Missing AS4_PATH -- Probably a spoofed/hijacked route

If you're motivated to pursue this, the best thing to do is probably to contact the last legitimate AS before 23456 in the AS-PATH and inquire.

Owen
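
The check described in the message above, as an added example that is not part of the original post: it merges AS_PATH with AS4_PATH the way RFC 4893 specifies and flags routes where AS23456 survives with no 4-byte ASN anywhere in the path. The function names, verdict labels and sample attribute values are assumptions constructed for illustration; only the prefixes and the ASNs shown on the page are taken from the thread.

```python
AS_TRANS = 23456  # RFC 4893 placeholder sent in place of a 4-byte ASN

def merge_as4_path(as_path, as4_path):
    """Rebuild the full path as an AS4-capable speaker does (RFC 4893, 4.2.3).

    Simplified: both attributes are flat AS_SEQUENCEs (no AS_SET or
    confederation segments).
    """
    if not as4_path or len(as4_path) > len(as_path):
        # Absent, or longer than AS_PATH: AS4_PATH is ignored.
        return list(as_path)
    lead = len(as_path) - len(as4_path)
    # Keep the leading ASNs added by 2-byte speakers, then the 4-byte view.
    return list(as_path[:lead]) + list(as4_path)

def classify(as_path, as4_path=None):
    """Return (verdict, merged_path) for one route."""
    merged = merge_as4_path(as_path, as4_path)
    if AS_TRANS not in merged:
        return "ok", merged          # fully recovered 32-bit path
    if any(asn > 0xFFFF for asn in merged):
        return "artifact", merged    # 23456 left over, but a 4-byte ASN is visible
    return "suspect", merged         # 23456 with no sign of a 4-byte ASN

# Constructed sample routes: (prefix, AS_PATH, AS4_PATH or None).
# The attribute split for the first route and the two-hop path for the
# third are assumptions, not captured BGP updates.
SAMPLES = [
    ("91.217.86.0/23", [8121, 1299, 3209, 23456], [3209, 197269]),
    ("91.217.87.0/24", [8121, 1299, 174, 23456, 197269], None),
    ("103.7.204.0/22", [24560, 23456], None),
]

def report(samples=SAMPLES):
    """Map each prefix to its verdict."""
    return {prefix: classify(path, path4)[0] for prefix, path, path4 in samples}

if __name__ == "__main__":
    for prefix, verdict in report().items():
        print(f"{prefix:18} {verdict}")
```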
