look for BGP routes containing local AS#

Chuck Anderson cra at WPI.EDU
Wed Jan 28 13:27:40 UTC 2015


It used to be the case that looped routes didn't even show up as
hidden routes, because Junos discarded them even from Adj-RIB-In,
although this may have changed at some Junos version.

Also, Junos won't even advertise such looped routes to a neighbor with
the same AS by default, so in many cases you won't see it at all if
you are peering with a Juniper unless it is specifically configured to
send these looped routes with advertise-peer-as, or change the AS
number with as-override.

On Wed, Jan 28, 2015 at 05:32:34PM +0800, Song Li wrote:
> Hi Joel,
> 
> It is right that the BGP route containing the local ASN will be
> dropped. However, such routes can still be displayed on router. For
> example, you can run "show route hidden terse aspath-regex .*<local
> ASN>.*" on Juniper to check them. We are looking for those routes.
> If you can run the command on your Juniper and find such routes,
> could you please provide them for us?
> 
> Thanks!
> 
> Regards!
> 
> Song
> 
> On 2015/1/28 16:23, joel jaeggli wrote:
> >On 1/27/15 5:45 AM, Song Li wrote:
> >>Hi everyone,
> >>
> >>Recently I studied the BGP AS path looping problem, and found that in
> >>most cases, the received BGP routes containing local AS# are suspicious.
> >>However, we checked our BGP routing table (AS23910,CERNET2) on juniper
> >>router(show route hidden terse aspath-regex .*23910.* ), and have not
> >>found such routes in Adj-RIB-In.
> >
> >Updates with your AS in the path are discarded as part of loop
> >detection, e.g. they do not become candidate routes.
> >
> >https://tools.ietf.org/html/rfc4271 page 77
> >
> >    If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
> >    route should be excluded from the Phase 2 decision function.  AS loop
> >    detection is done by scanning the full AS path (as specified in the
> >    AS_PATH attribute), and checking that the autonomous system number of
> >    the local system does not appear in the AS path.  Operations of a BGP
> >    speaker that is configured to accept routes with its own autonomous
> >    system number in the AS path are outside the scope of this document.
> >
> >in junos
> >
> >neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number
> >
> >where number is the number of instances of your AS in the path you're
> >willing to accept will correct that.
> >
> >>We believe that the received BGP routes containing local AS# are related
> >>to BGP security problem.
> >
> >You'll have to elaborate, since their existence is a basic principle in
> >the operation of bgp and they are ubiquitous.
> >
> >Island instances of a distributed ASN communicate with each other by
> >allowing such routes in so that they can be evaluated on the basis of
> >prefix, specificity, AS path length and so forth.
> >
> >>Hence, we want to look for some real cases in
> >>the wild. Could anybody give us some examples of such routes?
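
The loop check quoted from RFC 4271 above, with an acceptance threshold in the spirit of the allowas-in number, as an added example that is not part of the original thread or any vendor's code. Function names, the 4-octet ASN encoding and the sample paths (documentation ASNs 64496-64500 next to AS23910) are assumptions made for illustration.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types defined in RFC 4271

def parse_as_path(value, asn_size=4):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    fmt = {2: "H", 4: "I"}[asn_size]
    segments, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        end = pos + count * asn_size
        if end > len(value):
            raise ValueError("truncated segment body")
        asns = struct.unpack("!%d%s" % (count, fmt), value[pos:end])
        segments.append((seg_type, list(asns)))
        pos = end
    return segments

def loop_check(value, local_as, allowed=0):
    """Return (accepted, occurrences) for one received AS_PATH.

    The full path is scanned, AS_SET segments included. allowed=0 is the
    RFC 4271 behaviour; a higher value models accepting that many
    instances of the local AS (hypothetical stand-in for allowas-in).
    """
    n = sum(asns.count(local_as) for _, asns in parse_as_path(value))
    return n <= allowed, n

def seg(seg_type, asns):
    """Encode one segment with 4-octet ASNs (helper for the constructed samples)."""
    return bytes([seg_type, len(asns)]) + struct.pack("!%dI" % len(asns), *asns)

LOCAL_AS = 23910
# Constructed sample paths, not taken from any real routing table.
CLEAN = seg(AS_SEQUENCE, [64496, 64497, 64500])
LOOPED = seg(AS_SEQUENCE, [64496, 23910, 64500])
IN_SET = seg(AS_SEQUENCE, [64496]) + seg(AS_SET, [64497, 23910])
TWICE = seg(AS_SEQUENCE, [64496, 23910, 64497, 23910])

if __name__ == "__main__":
    for name, path in [("clean", CLEAN), ("looped", LOOPED),
                       ("in-set", IN_SET), ("twice", TWICE)]:
        print(name, loop_check(path, LOCAL_AS), loop_check(path, LOCAL_AS, allowed=1))
```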


