look for BGP routes containing local AS#
Chuck Anderson
cra at WPI.EDU
Wed Jan 28 13:27:40 UTC 2015
It used to be the case that looped routes didn't even show up as
hidden routes, because Junos discarded them even from Adj-RIB-In,
although this may have changed at some Junos version.
Also, Junos won't even advertise such looped routes to a neighbor with
the same AS by default, so in many cases you won't see it at all if
you are peering with a Juniper unless it is specifically configured to
send these looped routes with advertise-peer-as, or change the AS
number with as-override.
On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
> Hi Joel,
>
> It is right that the BGP route containing the local ASN will be
> dropped. However, such routes can still be displayed on router. For
> example, you can run "show route hidden terse aspath-regex .*<local
> ASN>.*" on Juniper to check them. We are looking for those routes.
> If you can run the command on your Juniper and find such routes,
> could you please provide them for us?
>
> Thanks!
>
> Regards!
>
> Song
>
> On 2015/1/28 16:23, joel jaeggli wrote:
> >On 1/27/15 5:45 AM, Song Li wrote:
> >>Hi everyone,
> >>
> >>Recently I studied the BGP AS path looping problem, and found that in
> >>most cases, the received BGP routes containing local AS# are suspicious.
> >>However, we checked our BGP routing table (AS23910, CERNET2) on a Juniper
> >>router (show route hidden terse aspath-regex .*23910.*), and have not
> >>found such routes in Adj-RIB-In.
> >
> >Updates with your AS in the path are discarded as part of loop
> >detection, e.g. they do not become candidate routes.
> >
> >https://tools.ietf.org/html/rfc4271 page 77
> >
> > If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
> > route should be excluded from the Phase 2 decision function. AS loop
> > detection is done by scanning the full AS path (as specified in the
> > AS_PATH attribute), and checking that the autonomous system number of
> > the local system does not appear in the AS path. Operations of a BGP
> > speaker that is configured to accept routes with its own autonomous
> > system number in the AS path are outside the scope of this document.
> >
> >in junos
> >
> >neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
> >
> >where number is the number of instances of your AS in the path you're
> >willing to accept will correct that.
> >
> >>We believe that the received BGP routes containing local AS# are related
> >>to BGP security problem.
> >
> >You'll have to elaborate, since their existence is a basic principle in
> >the operation of bgp and they are ubiquitous.
> >
> >Island instances of a distributed ASN communicate with each other by
> >allowing such routes in so that they can be evaluated on the basis of
> >prefix, specificity, AS path length and so forth.
> >
> >>Hence, we want to look for some real cases in
> >>the wild. Could anybody give us some examples of such routes?
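The loop check the thread quotes from RFC 4271 (scan the whole AS_PATH for the local ASN) and the "allowas-in N" relaxation, written out as an added example; this is not code from the thread or from any vendor, and the local ASN and sample updates are constructed for illustration.

```python
import re

# Constructed sample updates (not real routing data): prefix -> AS_PATH as a
# router prints it; braces mark an AS_SET segment. LOCAL_AS is assumed.
LOCAL_AS = 64500
SAMPLE_UPDATES = {
    "192.0.2.0/24":    "64501 64502",              # clean path
    "198.51.100.0/24": "64501 64500 64503",        # local ASN once: a loop
    "203.0.113.0/24":  "64500 64501 64500 64502",  # local ASN twice
    "198.51.100.0/25": "64501 {64504 64500}",      # local ASN inside an AS_SET
}

AS_SET_RE = re.compile(r"\{([^}]*)\}")

def parse_as_path(path: str) -> list[set[int]]:
    """Split an AS_PATH string into hops. Each AS_SEQUENCE entry becomes a
    one-element set; an AS_SET in braces becomes one set holding all its
    members, because the RFC scans every ASN in the path, AS_SETs included."""
    hops, pos = [], 0
    for m in AS_SET_RE.finditer(path):
        hops += [{int(a)} for a in path[pos:m.start()].split()]
        hops.append({int(a) for a in m.group(1).split()})
        pos = m.end()
    hops += [{int(a)} for a in path[pos:].split()]
    return hops

def local_as_occurrences(path: str, local_as: int) -> int:
    """Number of hops in which the local ASN appears (an AS_SET counts once).
    Comparison is on whole AS numbers, so AS 123910 never matches AS 23910."""
    return sum(local_as in hop for hop in parse_as_path(path))

def is_as_loop(path: str, local_as: int, loops_allowed: int = 0) -> bool:
    """RFC 4271 section 9.1.2: True when the route must be excluded from the
    Phase 2 decision process. loops_allowed mirrors the 'allowas-in N' knob
    quoted in the thread: up to N occurrences of the local ASN are tolerated."""
    return local_as_occurrences(path, local_as) > loops_allowed

def classify_updates(updates: dict, local_as: int, loops_allowed: int = 0) -> dict:
    """Map each received prefix to 'hidden' (loop) or 'accepted'."""
    return {p: ("hidden" if is_as_loop(ap, local_as, loops_allowed) else "accepted")
            for p, ap in updates.items()}

if __name__ == "__main__":
    for prefix, verdict in classify_updates(SAMPLE_UPDATES, LOCAL_AS).items():
        print(f"{prefix:18} {SAMPLE_UPDATES[prefix]:28} {verdict}")
```

With loops_allowed=0 only 192.0.2.0/24 is accepted; raising it to 1 also accepts 198.51.100.0/24, which is the distributed-ASN case joel describes.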