Any info on devices that are running eBGP on the Internet?

rcompton · November 6, 2019, 6:39pm

Hi, I am working with MANRS (https://www.manrs.org) on a tool for checking router configs for BGP security / spoofing prevention (e.g. uRPF) https://github.com/manrs-tools/MANRS-validator

We are wondering if there is any research on the percentages of different types of devices running BGP on the Internet.

Something like:

Cisco IOS 30%

Junos 30%

Mikrotik 20%

etc…

We are looking to focus our tool on the most prevalent types of devices doing BGP (and the most prevalent with BGP security/spoofing issues) so that we can have the greatest impact. Does anyone have any information on this or know where I can obtain this information? Thanks in advance!

-Rich

Sabri_Berisha · November 7, 2019, 7:08pm

Hi,

What you could consider is asking a few of the major internet exchanges if they’d be so kind to send you a list of MAC addresses seen on their LANs. Based on the MAC you can determine the manufacturer. If you have three or four big ones, you have a decent sample size as most larger networks are on multiple IXes anyway.

If you do compile a list, I’m sure this list would be interested in the results

Owen_DeLong · November 7, 2019, 7:24pm

MAC Addresses may cross into fear of disclosure of private identifying information.

All they really need is the OUI portion of the MAC addresses which is fairly anonymous in terms of identifying anyone specific, yet provides all the needed data.

Owen

Alistair_Mackenzie · November 7, 2019, 7:33pm

LINX has the mac addresses of their LANs public.

https://portal.linx.net/members/list-ip-asn?columns=asn+mac_addresses+short_name+website&lans=&sort=

Edward_Dore · November 7, 2019, 7:58pm

I just grabbed the following from our routers connected to LINX LON1, LINX LON2, LINX Manchester and LONAP (so this data is very UK centric):

557 Cisco Systems, Inc

553 Juniper Networks

51 Routerboard.com

51 Brocade Communications Systems, Inc.

49 Arista Networks

40 Unknown

38 Intel Corporate

36 HUAWEI TECHNOLOGIES CO.,LTD

31 Globalscale Technologies, Inc.

20 Super Micro Computer, Inc.

20 Alcatel-Lucent IPD

15 Nokia

14 Hewlett Packard

10 VMware, Inc.

10 Ubiquiti Networks Inc.

10 Sunrich Technology Limited

10 Extreme Networks, Inc.

7 Dell Inc.

5 IEEE Registration Authority

4 Intel Corporation

4 HotLava Systems, Inc.

3 FireBrick Limited

2 Raspberry Pi Foundation

2 Nexcom International Co., Ltd.

2 Microsoft Corporation

2 Mellanox Technologies, Inc.

2 ICP Electronics Inc.

2 Hewlett Packard Enterprise

2 BSkyB Ltd

1 Xensource, Inc.

1 XEROX CORPORATION

1 Solarflare Communications Inc.

1 SILICOM, LTD.

1 MIX s.r.l.

1 LANNER ELECTRONICS, INC.

1 GIGA-BYTE TECHNOLOGY CO.,LTD.

1 DriveCam Inc

1 DIGITAL EQUIPMENT CORPORATION

1 Agile Systems Inc.

That’s done using https://github.com/bauerj/mac_vendor_lookup to do the MAC lookup against the IEEE OUI list with the “Unknown” entries being anything which doesn’t appear in http://standards-oui.ieee.org/oui.txt (possibly locally administered addresses?).

Hope that’s helpful to someone

Aled_Morris · November 7, 2019, 8:08pm

I just grabbed the following from our routers connected to LINX LON1, LINX LON2, LINX Manchester and LONAP (so this data is very UK centric):

…

1 DIGITAL EQUIPMENT CORPORATION

Kudos to whoever is running the VMS port of BIRD on their VAX-11/780

Aled

Edward_Dore · November 7, 2019, 8:51pm

That would be AS42009 at LINX Manchester.

I presume it’s either something emulating a DEC Tulip Ethernet chip or a fake MAC address (AA:00:00).

Eric_Kuhnke · November 7, 2019, 10:47pm

The OUI prefixes that are Intel, Dell, HP, Supermicro and other x86-64 hardware vendors are almost certainly people running BIRD, FRR or similar on commodity hardware. In which case the actual routing configuration could be almost anything, those just happen to be the PCI-Express NICs in some sort of server platform.

Erik_Sundberg1 · November 8, 2019, 8:55am

Keep in mind that some members on the IX are using a configured mac address instead of the burn in MAC Address on the router’s NIC Card.

We have done this in the past during for multiple reasons so we don’t have to call the IX and wait on them to up date the filters.
-IX Port upgrading in bandwidth. I.E. 1G -> 10G
-Router chassis or card upgrades
-Circuit grooms

This also allows us the flexibility to move the IX port to a difference device in the event of an outage, hardware failure, or other event.

-Erik

Alain_Hebert · November 11, 2019, 3:58pm

Could be a joker mapping his VM to the VAX OUI… I got a few 00:01:de:ad:be:ef.

Sylvain_Baya · November 11, 2019, 6:13pm

Hi all,

Hi, I am working with MANRS (https://www.manrs.org) on a tool for checking router configs for BGP security / spoofing prevention (e.g. uRPF) https://github.com/manrs-tools/MANRS-validator

We are wondering if there is any research on the percentages of different types of devices running BGP on the Internet.

…why not launch a survey ? in collaboration with all the IXPs and the MANRS’s actors
(who have already signed the MANRS Routing Manifesto) ; asking them to provide only three
informations :

•—
• Name (or Real OUI) of the device they are running BGP on ;
• IXP where the device is located ;
• Org’s name (optional)
•—

Shalom,
–sb.