AT&T carrying rfc1918 on the as7018 backbone?

First, yes I know I should call AT&T but I want to know if anyone else sees
this problem:

I have a customer that is multi-homed to AT&T and WCOM. They accept
"default" via BGP from both providers and announce a handful of prefixes to
both providers.

Given that they receive default, it's just the same as if they had a
*static* default to both providers.

The customer installed a "network mapping tool" today and suddenly
discovered they were seeing RFC1918 addresses in the map (hundreds of them)
that were *not* part of the customer's internal network. It turns out that
from what we can tell, insightbb.com (an AT&T sub or customer) is probably
unintentionally leaking 10/8 and AT&T is propagating that across their
network. Since the customer defaults for any "unknown" destination,
they're crossing the AT&T network.

If my customer had been taking full routing, with appropriate filters of
course, they wouldn't be seeing this. But given that they are taking
default, they see it.

So I just wanted to see if anyone that is defaulting to AT&T is seeing this
same problem just to verify that what we're seeing is correct (for my
customer's edification). Yes, I'm calling AT&T now :)

-b

Yep, they are sending 10.X.X.X routes to customers. From several places
actually, Level3, Comcast (multiple AS's), AT&T, MediaOne, and AccessPoint.

bye,
ken emery

The router at route-server.ip.att.net shows about 25 10.0.0.0/8
prefixes, most showing up over 4 weeks ago.

[snip]

[random destinations chosen, first few hops removed on purpose]

traceroute to 10.150.5.1 (10.150.5.1), 30 hops max, 38 byte packets

4 bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46) 9.621 ms 12.405 ms 8.635 ms
5 12.118.239.77 (12.118.239.77) 21.055 ms 22.684 ms 17.674 ms
6 tbr1-p012301.cgcil.ip.att.net (12.123.6.9) 21.249 ms 18.653 ms 32.055 ms
7 tbr1-cl1.sffca.ip.att.net (12.122.10.6) 60.504 ms 65.109 ms 63.290 ms
8 gbr1-p10.sffca.ip.att.net (12.122.11.66) 60.401 ms 62.929 ms 59.776 ms
9 gar1-p360.sffca.ip.att.net (12.123.13.57) 60.556 ms 60.769 ms 63.278 ms
10 12.126.195.122 (12.126.195.122) 62.064 ms 60.966 ms 64.617 ms
11 12.244.67.25 (12.244.67.25) 75.027 ms 68.277 ms 66.029 ms
12 12.244.67.21 (12.244.67.21) 66.410 ms 67.539 ms 67.902 ms
13 12.244.98.215 (12.244.98.215) 68.285 ms 69.883 ms 83.187 ms
14 10.150.5.1 (10.150.5.1) 72.288 ms 72.797 ms 70.952 ms

traceroute to 10.240.0.1 (10.240.0.1), 30 hops max, 38 byte packets

4 bic04-p2-0.rosehe1.mn.attbb.net (24.31.2.46) 12.024 ms 9.476 ms 9.918 ms
5 12.118.239.77 (12.118.239.77) 30.056 ms 20.397 ms 17.087 ms
6 tbr2-p012301.cgcil.ip.att.net (12.123.6.13) 19.700 ms 36.509 ms 20.223 ms
7 tbr2-cl7.sl9mo.ip.att.net (12.122.10.46) 27.903 ms 37.704 ms 24.727 ms
8 tbr2-cl6.dlstx.ip.att.net (12.122.10.90) 39.469 ms 39.656 ms 39.857 ms
9 tbr1-p013601.dlstx.ip.att.net (12.122.9.161) 39.150 ms 41.235 ms 38.007 ms
10 tbr2-cl1.attga.ip.att.net (12.122.2.90) 59.744 ms 58.258 ms 58.824 ms
11 gbr2-p20.attga.ip.att.net (12.122.12.38) 56.180 ms 62.450 ms 55.442 ms
12 gar1-p370.attga.ip.att.net (12.123.21.5) 74.746 ms 59.692 ms 57.531 ms
13 12.244.72.90 (12.244.72.90) 60.589 ms 62.514 ms 60.926 ms
14 c-66-56-66-73.atl.client2.attbi.com (66.56.66.73) 57.664 ms

ATTBB (Now Comcast) uses ATT.net for connectivity, Comcast has to reach
all their cable modems across the USA from their outsourced tech support
centers, thus, att.net routes 10/8 across their network.

<snip>

> ATTBB (Now Comcast) uses ATT.net for connectivity, Comcast has to reach
> all their cable modems across the USA from their outsourced tech support
> centers, thus, att.net routes 10/8 across their network.

Okay, that's fine. However why are there routes from Level3? Also
I'm not Comcast so why am I seeing the routes? Also if Comcast needs
this they should be paying for a tunnel over AT&T network (like the
rest of us would have to do).

bye,
ken emery

Once upon a time, Stephen Fisher <stephentfisher@yahoo.com> said:

> The router at route-server.ip.att.net shows about 25 10.0.0.0/8
> prefixes, most showing up over 4 weeks ago.

They do not appear to be announcing those routes to customers however
(at least not this customer), but setting a static route pointing at our
AT&T link does show that they will route 10.0.0.0/8 traffic (at least a
few random IPs I tried).

> The router at route-server.ip.att.net shows about 25 10.0.0.0/8
> prefixes, most showing up over 4 weeks ago.

Odd. I didn't see this when looking at at&t's looking glass via web
browser. I was looking for some smaller prefixes though and didn't just
look for 10/8 :-/

-b

> > The router at route-server.ip.att.net shows about 25 10.0.0.0/8
> > prefixes, most showing up over 4 weeks ago.
>
> Odd. I didn't see this when looking at at&t's looking glass via web
> browser. I was looking for some smaller prefixes though and didn't just
> look for 10/8 :-/

show ip bgp 10.0.0.0/8 longer-prefixes

is your friend in this case.

Btw, I was wrong in saying Level3 was one of the sources. They are
announcing 8/8 which was just above the 10.X announcements. I was
off by a line. Sorry if this caused any confusion.

Btw, the announcements we are seeing are sized from /12 to /24.

bye,
ken emery
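
As an added example (not part of any poster's message): the `longer-prefixes` lookup above, generalized to all three RFC 1918 blocks and run offline over a saved table dump. The table text, next hops and AS numbers are constructed sample data, and the function names are hypothetical.

```python
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the style of a BGP table listing; next hops are
# documentation addresses and AS numbers are documentation ASNs.
SAMPLE_TABLE = """\
*> 0.0.0.0/0        192.0.2.1      0 64500 i
*> 8.0.0.0/8        192.0.2.1      0 64500 64501 i
*> 10.16.0.0/12     192.0.2.1      0 64500 64502 i
*> 10.150.5.0/24    192.0.2.1      0 64500 64502 i
*  10.240.0.0/16    192.0.2.9      0 64510 64502 i
*> 172.32.0.0/16    192.0.2.1      0 64500 64503 i
*> 192.168.40.0/24  192.0.2.9      0 64510 64504 i
"""

def parse_prefixes(table):
    """Yield the first valid IPv4 prefix found on each line of the dump."""
    for line in table.splitlines():
        for field in line.split():
            if "/" in field:
                try:
                    net = ipaddress.ip_network(field)
                except ValueError:
                    continue  # not a prefix, or host bits set
                if net.version == 4:
                    yield net
                break

def rfc1918_routes(table):
    """Map each RFC 1918 block to the received prefixes equal to or inside it."""
    hits = {}
    for net in parse_prefixes(table):
        for block in RFC1918:
            if net.subnet_of(block):  # same test as 'longer-prefixes'
                hits.setdefault(str(block), []).append(str(net))
    return hits

def length_range(prefixes):
    """Return (shortest, longest) prefix length in a list of prefixes."""
    lens = [ipaddress.ip_network(p).prefixlen for p in prefixes]
    return min(lens), max(lens)

if __name__ == "__main__":
    for block, nets in rfc1918_routes(SAMPLE_TABLE).items():
        print(block, length_range(nets), nets)
```

Matching on containment rather than on one exact prefix catches the more-specific announcements, and neighbouring public space such as 8.0.0.0/8 or 172.32.0.0/16 is not flagged.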

RFC1918 addresses are unpredictable on any network other than your own.
You shouldn't make assumptions about them. Anyone may use them for any
purpose on their network. If you send packets into their network using
RFC1918 addresses, you get whatever you get. If you require certainty
it's up to you to impose your policy at your edge.

Does sending packets to RFC1918 addresses on other networks meet the "be
conservative in what you send" credo?

> RFC1918 addresses are unpredictable on any network other than your own.
> You shouldn't make assumptions about them. Anyone may use them for any
> purpose on their network. If you send packets into their network using
> RFC1918 addresses, you get whatever you get. If you require certainty
> it's up to you to impose your policy at your edge.
>
> Does sending packets to RFC1918 addresses on other networks meet the "be
> conservative in what you send" credo?

I understand all that. We're working with the customer to harden the border
(ACLs) and possibly take a bogon feed, etc. I was just having a hard time
believing AT&T was leaking 10/8 and that any other large provider was
accepting it so wanted to verify.

-b

Wasn't it established that they did in fact not leak it but just routed it
inside their own network?

//tlund

> Wasn't it established that they did in fact not leak it but just routed it
> inside their own network?

Sorry, shouldn't have said "leaked".

This is not true. I am attached to 7018 and we saw 10/X routes. We
are not AT&T.

bye,
ken emery