AS4134/AS4847 - Appear to be hijacking some ip space.

Louie Lee louiel at google.com
Fri Apr 5 18:44:31 UTC 2019


Hey folks,

I'm on it for solving both immediate issue and long term "fix".

Louie
-- 

Louie Lee, 李景雲

Peering Coordinator (AS16591 <https://as16591.peeringdb.com/>)

Network Capacity Manager

IP Numbers Administrator

Google Fiber

louiel at google.com

(650) 253-2847

*There are 10 types of people in the world: Those who understand binary,
and those who don't.*


On Fri, Apr 5, 2019 at 11:17 AM Christopher Morrow <morrowc.lists at gmail.com>
wrote:

> On Fri, Apr 5, 2019 at 12:29 PM Jay Borkenhagen <jayb at att.com> wrote:
> >
> > Hi Chris,
>
> yes!
>
> > It would be great if the Google Fiber / AS16591 folks could publish a
> > ROA in ARIN's hosted RPKI authorizing exactly 136.32.0.0/11 to be
> > originated only in AS16591.  That ROA would have addressed this matter
> > from AS7018's point of view.
> >
>
> ok, cool. This is sort of on my plate, at least from the internal
> viz/evangelizing perspective, and I'll go spend time chatting up the
> folk in fiber-land.
> having a: "See, doing this would prevent this" is helpful.
>
> > In the interim, I have added a temporary whitelist (slurm) entry into
> > our RPKI caches, causing the AS7018 network to disregard the
> > more-specific /24s under 136.32.0.0/11.
>
> thanks!
>
> > Good luck.
> >                                                 Jay B.
> >
> >
> > Christopher Morrow writes:
> >  > Howdy gentle folks:
> >  >
> >  > It looks like AS4847 - "China Networks Inter-Exchange"
> >  >
> >  > Is taking some time to announce reachability for at least:
> >  >   136.38.33.0/24
> >  >
> >  > which they ought not, given that this /24 is part of a /11 assigned to
> >  > AS16591 (google fiber)... Looking at routeviews data, I see the
> >  > following as-paths for this one /24:
> >  > $ grep -A1 Refresh /tmp/x | grep 4847
> >  >   1239 174 4134 4847
> >  >   3549 3356 174 4134 4847
> >  >   701 174 4134 4847
> >  >   4901 6079 3257 4134 4847
> >  >   20912 174 4134 4847
> >  >   1221 4637 4134 4847
> >  >   1351 11164 4134 4847
> >  >   6079 1299 4134 4847
> >  >   6079 3257 4134 4847
> >  >   7018 4134 4847
> >  >   6939 1299 4134 4847
> >  >   3561 209 4134 4847
> >  >   3303 4134 4847
> >  >   3277 39710 9002 4134 4847
> >  >   2497 4134 4847
> >  >   4826 1299 4134 4847
> >  >   54728 20130 23352 2914 4134 4847
> >  >   19214 3257 4134 4847
> >  >   101 101 11164 4134 4847
> >  >   1403 6453 4134 4847
> >  >   852 6453 4134 4847
> >  >   1403 6453 4134 4847
> >  >   286 4134 4847
> >  >   3333 1273 4134 4847
> >  >   57866 3491 4134 4847
> >  >   3267 1299 4134 4847
> >  >   49788 174 4134 4847
> >  >   53767 3257 4134 4847
> >  >   53364 3257 4134 4847
> >  >   8283 57866 3491 4134 4847
> >  >   7660 2516 4134 4847
> >  >
> >  > >From that I think the following AS should have filtered this prefix
> and are not:
> >  > $ grep -A1 Refresh /tmp/x | grep 4847 | sed 's/ 4134 4847//' | awk
> >  > '{print $NF}' | sort -n | uniq
> >  >
> >  > 174  - Cogent
> >  > 209 - Qwest
> >  > 286 - KPN
> >  > 1273 - Vodafone
> >  > 1299 - Telia
> >  > 2497 - IIJ
> >  > 2516 - KDDI
> >  > 2914 - NTT
> >  > 3257 - GTT
> >  > 3303 - Swisscom
> >  > 3491 - PCCW
> >  > 4637 - Telstra
> >  > 6453 - TATA
> >  > 7018 - ATT
> >  > 9002 - RETN
> >  > 11164 - Internet2
> >  >
> >  > It'd be great if the listed folk could filter AS4134 :)
> >  >
> >  > -Chris
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20190405/5cbead32/attachment.html>


More information about the NANOG mailing list