Unexplainable router log entries mentioning IPSEC from Yahoo IPs

Tom Beecher beecher at beecher.cc
Fri Dec 18 18:26:40 UTC 2020


Frank-

I'll contact you directly about this.

On Fri, Dec 18, 2020 at 1:20 PM Frank Bulk <frnkblk at iname.com> wrote:

> Curious if someone can point me in the right direction. In the last three
> days our core router (Cisco 7609) has logged the following events:
>
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.18, input interface=Vlan20
> Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=203.84.212.18, input interface=Vlan20
> Dec 16 21:28:12.667 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.36, input interface=Vlan21
> Dec 16 22:22:40.558 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 16 22:42:17.404 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.104, input interface=Vlan20
> Dec 17 00:04:34.704 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.34, input interface=Vlan21
> Dec 17 00:05:41.656 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=68.180.160.103, input interface=Vlan20
> Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.104, input interface=Vlan21
> Dec 17 09:20:31.881 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.37, input interface=Vlan21
> Dec 17 19:45:29.615 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.36, input interface=Vlan20
> Dec 17 19:59:52.663 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.24, input interface=Vlan20
> Dec 17 23:20:02.869 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.99, input interface=Vlan21
> Dec 18 00:15:19.536 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=203.84.212.53, input interface=Vlan21
> Dec 18 00:43:00.158 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.101, input interface=Vlan20
> Dec 18 00:44:52.018 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=68.180.160.100, input interface=Vlan21
>
>
> All the destination IP addresses are in one of two categories:
> - router interface
> - inactive IP (no ARP entry)
>
> Vlans 20 and 21 are the Vlans facing our two edge/border routers.
>
> If I do a PTR lookup of each source IP, they're all some kind of
> cryptographic server in Yahoo's network:
>
> 203.84.212.18|18.212.84.203.in-addr.arpa domain name pointer
> lo301.cry1.sg3.yahoo.com.
> 203.84.212.24|24.212.84.203.in-addr.arpa domain name pointer
> lo303.cry2.sg3.yahoo.com.
> 203.84.212.36|36.212.84.203.in-addr.arpa domain name pointer
> lo303.cry1.tw1.yahoo.com.
> 203.84.212.53|53.212.84.203.in-addr.arpa domain name pointer
> lo300.cry2.tp2.yahoo.com.
> 68.180.160.100|100.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.md2.yahoo.com.
> 68.180.160.101|101.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.md2.yahoo.com.
> 68.180.160.103|103.160.180.68.in-addr.arpa domain name pointer
> lo302.cry2.md2.yahoo.com.
> 68.180.160.104|104.160.180.68.in-addr.arpa domain name pointer
> lo303.cry2.md2.yahoo.com.
> 68.180.160.18|18.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.ne1.yahoo.com.
> 68.180.160.34|34.160.180.68.in-addr.arpa domain name pointer
> lo301.cry1.bf1.yahoo.com.
> 68.180.160.36|36.160.180.68.in-addr.arpa domain name pointer
> lo303.cry1.bf1.yahoo.com.
> 68.180.160.37|37.160.180.68.in-addr.arpa domain name pointer
> lo300.cry2.bf1.yahoo.com.
> 68.180.160.99|99.160.180.68.in-addr.arpa domain name pointer
> lo302.cry1.md2.yahoo.com.
>
> Any idea what's going on here?  It's as if our 7600 is inspecting this
> traffic (presumably because it's not transit, it's being processed by the
> CPU) and seeing something special about it. Even if the router is not
> behaving correctly, why is Yahoo sending that kind of traffic to those IPs?
>
> Frank
> AS53347
>
>
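A small triage helper for the log format quoted above, added here as an example and not part of the thread: it parses the wrapped %CRYPTO-4-RECVD_PKT_INV_SPI lines straight out of the mail quoting, groups them by SPI, and flags an SPI that arrives from several source addresses. The sample log is constructed (documentation addresses stand in for the real ones), and the multi-source heuristic is an assumption of this example, not something stated in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the same wrapped form the post quotes; 198.51.100.x and
# 192.0.2.x are documentation addresses, not the ones from the thread.
SAMPLE = """\
> Dec 16 19:04:59.027 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=192.0.2.1, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=198.51.100.18, input interface=Vlan20
> Dec 16 20:41:47.822 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=<redacted>, prot=50,
> spi=0xEF7ED795(4018067349), srcaddr=198.51.100.36, input interface=Vlan21
> Dec 17 08:54:29.583 CST: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC
> packet has invalid spi for destaddr=192.0.2.7, prot=50,
> spi=0x4CF4BE5D(1291107933), srcaddr=198.51.100.104, input interface=Vlan21
"""

# One regex over the whole buffer; \s+ absorbs the line wraps the mail client added.
EVENT_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+\s+[A-Z]{3,4}):\s+"
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:\s+decaps:\s+rec'd\s+IPSEC\s+packet\s+has\s+"
    r"invalid\s+spi\s+for\s+destaddr=(?P<dst>[^,]+),\s+prot=(?P<prot>\d+),\s+"
    r"spi=(?P<spi>0x[0-9A-Fa-f]{8})\(\d+\),\s+srcaddr=(?P<src>[\d.]+),\s+"
    r"input\s+interface=(?P<ifc>\S+)"
)

def parse_inv_spi(text):
    """Strip '> ' quote prefixes, then return one dict per INV_SPI event."""
    text = re.sub(r"(?m)^>\s?", "", text)
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def summarize(events):
    """Group events by SPI: hit count, distinct sources, destinations, interfaces."""
    by_spi = defaultdict(lambda: {"count": 0, "srcs": set(), "dsts": set(), "ifcs": set()})
    for e in events:
        s = by_spi[e["spi"]]
        s["count"] += 1
        s["srcs"].add(e["src"]); s["dsts"].add(e["dst"]); s["ifcs"].add(e["ifc"])
    return dict(by_spi)

def shared_spis(summary, min_sources=2):
    """Heuristic (assumption of this example): the receiver picks its inbound SPIs,
    so one SPI arriving from several peers is not a set of SAs with this router;
    look at the senders' configuration rather than at local IPsec state."""
    return sorted(spi for spi, s in summary.items() if len(s["srcs"]) >= min_sources)

if __name__ == "__main__":
    print(shared_spis(summarize(parse_inv_spi(SAMPLE))))
```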