Why would a Facebook device be sending Spi packets at home user ?

Mr. James W. Laferriere babydr at baby-dragons.com
Sun Mar 17 22:34:08 UTC 2013


 	Hello All ,
 	Maybe I am missing (or have missed) something .

 	Here is the log entry & dig & whois info .  Just kinda interested in info on this phenomenon .

 	I've received many SPI assoc. requests at my poor ol' router over the 
few years it's been online ,  Most of them are from S.E. Asia & few from Africa 
others from EU ,  But by & far most of them are USA based Webservers by their 
dig & whois info .  A very small few are from org's such as FB .  I usually just 
ignore these as some fluke or if I know a contact at the site I send them the 
info .

  1 )	Is there an organization that is mapping unsecured ipsec boxen ?
  2 )	Has or is anyone else receiving attempts at establishing association ?
  3 )	Is anyone recording these or interested in keeping records ?
  4 )	Anything else I would be interested in along the lines of assoc. 
attempts & why they are being attempted ?

 		Tia ,  JimL


Mar 17 21:48:47.637: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=xx.yy.zz.aa, prot=50, spi=0xE3488400(3813180416), srcaddr=69.171.255.12


$ dig -x 69.171.255.12

; <<>> DiG 9.9.1-P3 <<>> -x 69.171.255.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36105
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;12.255.171.69.in-addr.arpa.    IN      PTR

;; AUTHORITY SECTION:
255.171.69.in-addr.arpa. 3600   IN      SOA     a.ns.facebook.com. dns.facebook.com. 1363497425 7200 1800 604800 3600

;; Query time: 528 msec
;; SERVER: 199.33.245.55#53(199.33.245.55)
;; WHEN: Sun Mar 17 14:14:40 2013
;; MSG SIZE  rcvd: 112



$ whois 69.171.255.12
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 69.171.255.12"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=69.171.255.12?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       69.171.224.0 - 69.171.255.255
CIDR:           69.171.224.0/19
OriginAS:       AS32934
NetName:        TFBNET3
NetHandle:      NET-69-171-224-0-1
Parent:         NET-69-0-0-0-0
NetType:        Direct Assignment
RegDate:        2010-08-05
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-69-171-224-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  noc at fb.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc at fb.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


  -- 
+------------------------------------------------------------------+
| James   W.   Laferriere | System    Techniques | Give me VMS     |
| Network&System Engineer | 3237     Holden Road |  Give me Linux  |
| babydr at baby-dragons.com | Fairbanks, AK. 99709 |   only  on  AXP |
+------------------------------------------------------------------+
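
Added example, not part of the original post: one way to keep the records asked about in question 3 is to parse the router's `%CRYPTO-4-RECVD_PKT_INV_SPI` lines and count them per source address. The function names, the label mapping, and every sample line except the first (which is the one from the post) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches the IOS message layout shown in the post's log entry.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?"
    r"destaddr=(?P<dst>[^,\s]+),\s*prot=(?P<prot>\d+),\s*"
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\),\s*"
    r"srcaddr=(?P<src>[^,\s]+)"
)

def parse_inv_spi(line):
    """Return the event fields, or None for other or damaged lines."""
    m = INV_SPI.search(line)
    if not m:
        return None
    spi = int(m.group("spi_hex"), 16)
    if spi != int(m.group("spi_dec")):
        return None  # hex and decimal SPI disagree: line is corrupted
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None  # redacted or malformed source address
    return {"src": src, "dst": m.group("dst"),
            "prot": int(m.group("prot")), "spi": spi}

def tally_by_source(lines, networks=None):
    """Count events per (source, label); labels come from known CIDRs."""
    nets = {n: ipaddress.ip_network(c) for n, c in (networks or {}).items()}
    counts = Counter()
    for line in lines:
        ev = parse_inv_spi(line)
        if ev is None:
            continue
        label = next((n for n, net in nets.items() if ev["src"] in net), "unlabelled")
        counts[(str(ev["src"]), label)] += 1
    return counts

PREFIX = "%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
SAMPLE = [  # first entry is the post's log line; the rest are constructed
    "Mar 17 21:48:47.637: " + PREFIX + "destaddr=xx.yy.zz.aa, prot=50, spi=0xE3488400(3813180416), srcaddr=69.171.255.12",
    "Mar 17 22:01:10.004: " + PREFIX + "destaddr=xx.yy.zz.aa, prot=50, spi=0x0000ABCD(43981), srcaddr=192.0.2.44",
    "Mar 17 22:01:12.118: " + PREFIX + "destaddr=xx.yy.zz.aa, prot=50, spi=0x0000ABCD(43981), srcaddr=192.0.2.44",
    "Mar 17 22:03:00.000: " + PREFIX + "destaddr=xx.yy.zz.aa, prot=50, spi=0x0000ABCD(1), srcaddr=192.0.2.44",
    "Mar 17 22:05:00.000: %SYS-5-CONFIG_I: Configured from console by console",
]
KNOWN = {"TFBNET3": "69.171.224.0/19"}  # NetName and CIDR from the whois output above

if __name__ == "__main__":
    for (src, label), n in tally_by_source(SAMPLE, KNOWN).most_common():
        print(f"{n:4d}  {src:<16} {label}")
```
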



