look for BGP routes containing local AS#

joel jaeggli joelja at bogus.com
Wed Jan 28 08:23:38 UTC 2015

On 1/27/15 5:45 AM, Song Li wrote:
> Hi everyone,
> Recently I studied the BGP AS path looping problem, and found that in
> most cases, the received BGP routes containing local AS# are suspicious.
> However, we checked our BGP routing table (AS23910,CERNET2) on juniper
> router(show route hidden terse aspath-regex .*23910.* ), and have not
> found such routes in Adj-RIB-In.

Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

   If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
   route should be excluded from the Phase 2 decision function.  AS loop
   detection is done by scanning the full AS path (as specified in the
   AS_PATH attribute), and checking that the autonomous system number of
   the local system does not appear in the AS path.  Operations of a BGP
   speaker that is configured to accept routes with its own autonomous
   system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.

> We believe that the received BGP routes containing local AS# are related
> to BGP security problem.

You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated one the basis of
prefix, specificity, AS path length and so forth.

> Hence, we want to look for some real cases in
> the wild. Could anybody give us some examples of such routes?
> Thanks!
> Best Regards!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 243 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150128/b5155282/attachment.sig>

More information about the NANOG mailing list