Unexplainable router log entries mentioning IPSEC from Yahoo IPs

Frank Bulk frnkblk at iname.com
Fri Dec 18 18:18:54 UTC 2020


Curious if someone can point me in the right direction. In the last three
days our core router (Cisco 7609) has logged the following events:

Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
packet has invalid spi for destaddr=<redacted>, prot=50,
spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21


All the destination IP addresses are in one of two categories:
- router interface
- inactive IP (no ARP entry)

Vlans 20 and 21 are the Vlans facing our two edge/border routers.

If I do a PTR lookup of each source IP, they're all some kind of
cryptographic server in Yahoo's network:

203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
lo301.cry1.sg3.yahoo.com.
203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
lo303.cry2.sg3.yahoo.com.
203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
lo303.cry1.tw1.yahoo.com.
203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
lo300.cry2.tp2.yahoo.com.
68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.md2.yahoo.com.
68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.md2.yahoo.com.
68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
lo302.cry2.md2.yahoo.com.
68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
lo303.cry2.md2.yahoo.com.
68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.ne1.yahoo.com.
68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
lo301.cry1.bf1.yahoo.com.
68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
lo303.cry1.bf1.yahoo.com.
68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
lo300.cry2.bf1.yahoo.com.
68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
lo302.cry1.md2.yahoo.com.

Any idea what's going on here? It's as if our 7600 is inspecting this
traffic (presumably because it's not transit; it's being processed by the
CPU) and seeing something special about it. Even if the router is not
behaving correctly, why is Yahoo sending that kind of traffic to those IPs?

Frank
AS53347
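Added example, not part of Frank's post: a small Python triage script for the %CRYPTO-4-RECVD_PKT_INV_SPI entries above. It parses each entry (the router emits one line per event; the copies in the post are wrapped by the mail client, so the sample below re-joins six of them onto single lines, plus one constructed unrelated %LINK line to show that non-matching entries are skipped), cross-checks the hex SPI against the decimal value IOS prints in parentheses, names prot=50 as ESP (IANA protocol numbers), and then groups the events by SPI, input interface and source /24 so the shape of the pattern is visible before anyone starts doing PTR lookups. Function names, the IP_PROTO_NAMES table and the field layout of the returned summary are my own choices, not an IOS or NANOG convention.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# IANA IP protocol numbers that show up in the prot= field of this message.
IP_PROTO_NAMES = {50: "ESP", 51: "AH"}

# One regex for the whole message as IOS writes it on a single line.
INV_SPI_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d{3})?) (?P<tz>\w+): "
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[^,]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]{1,8})\((?P<spi_dec>\d+)\), "
    r"srcaddr=(?P<src>[0-9.]+), input interface=(?P<iface>\S+)$"
)

# Constructed sample: six entries quoted in the post, re-joined onto one line
# each (destaddr stays redacted as in the post), plus one unrelated line.
SAMPLE_LOG = """\
Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<redacted>, prot=50, spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21
Dec 18 00:45:00.000 CST: %LINK-3-UPDOWN: Interface Vlan20, changed state to up
"""


def parse_inv_spi(text):
    """Parse RECVD_PKT_INV_SPI entries from syslog text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = INV_SPI_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        spi = int(d["spi_hex"], 16)
        # IOS prints the SPI twice; a mismatch means the line was mangled
        # (mail wrapping, copy/paste), so refuse to trust it rather than guess.
        if spi != int(d["spi_dec"]):
            raise ValueError(f"SPI hex/decimal mismatch: {line}")
        proto = int(d["prot"])
        events.append({
            "ts": f"{d['ts']} {d['tz']}",
            "dst": d["dst"],
            "proto": proto,
            "proto_name": IP_PROTO_NAMES.get(proto, "other"),
            "spi": spi,
            "src": ipaddress.ip_address(d["src"]),
            "iface": d["iface"],
        })
    return events


def summarize(events):
    """Group the events by SPI, interface, protocol and source /24."""
    srcs_per_spi = defaultdict(set)
    per_iface = Counter()
    per_proto = Counter()
    for e in events:
        srcs_per_spi[e["spi"]].add(str(e["src"]))
        per_iface[e["iface"]] += 1
        per_proto[e["proto_name"]] += 1
    # Sources sharing a /24 are usually one operator's cluster, not a scan
    # from unrelated hosts; this is the cheap check before any PTR lookups.
    prefixes = {ipaddress.ip_network(f"{e['src']}/24", strict=False) for e in events}
    return {
        "count": len(events),
        "spis": {f"0x{spi:08X}": sorted(s) for spi, s in srcs_per_spi.items()},
        "per_iface": dict(per_iface),
        "per_proto": dict(per_proto),
        "src_prefixes": sorted(str(p) for p in prefixes),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_inv_spi(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a `show logging` dump or the syslog collector's file instead of SAMPLE_LOG; the summary shows at once whether a single SPI is being replayed from many sources (as in the post, where each SPI recurs across both /24s and both VLANs), which is a different question from many SPIs arriving from one source.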


