Hi all.
Anyone know anything about this AS:
Mark.
Hi Mark,
Anyone know anything about this AS:
AS327933 - bgp.he.net
from a 2019 DB snapshot:
aut-num: AS327933
as-name: GROUPE-TELECOM-SPRL
descr: GROUPE TELECOM SPRL
status: ASSIGNED
org: ORG-GTS2-AFRINIC
admin-c: YM8-AFRINIC
tech-c: YM9-AFRINIC
notify: ***@gtl-rdcongo.com
mnt-lower: GTS2-MNT
mnt-routes: GTS2-MNT
mnt-by: AFRINIC-HM-MNT
changed: ***@afrinic.net 20150917
source: AFRINIC
I think the most common way to get out of this DB is to not pay something.
I'd guess that
aut-num: AS37451
as-name: CongoTelecom
descr: CONGO TELECOM
has a relationship with them and AS327933 wanted to prepend 2x [1] to their sole provider..... (AS37451)
Frank
[1]
Hi all.
Hi Mark,
Anyone know anything about this AS:
I know someone who might know them. Happy to introduce off-list.
Mark.
Cheers.
Darwin-.
We are seeing some weird routing from them, and the AS2 they are attached to (University of Delaware) seems odd.
Not sure if any of the American folk on this list can verify AS2 is really part of the University of Delaware...
Mark.
Yes, Darwin. That would be most appreciated. Thanks.
Mark.
ouch!
I see in your LG that this AS 2 is originating 197.157.254.0/24 .
which seems to mean that it's not just a plain "we want to prepend 2 times, put the number 2 into config and the NOS takes this as the ASN to insert"
putting someone from AS37451 into BCC.
ouch again!
looking for "show ip bgp regexp _37451 2_" in Mark's LG, i see there are many originated and downstream's prefixes of AS37451 affected.
So i'd now think it's a AS37451 issue, not AS327933 alone.
Frank
ouch!
I see in your LG that this AS 2 is originating 197.157.254.0/24.
which seems to mean that it's not just a plain "we want to prepend 2 times, put the number 2 into config and the NOS takes this as the ASN to insert"
putting someone from AS37451 into BCC.
ouch again!
looking for "show ip bgp regexp _37451 2_" in Mark's LG, i see there are many originated and downstream's prefixes of AS37451 affected.
Right, these are the "odd" issues I am referring to that we are looking into.
So i'd now think it's a AS37451 issue, not AS327933 alone.
Needless to say that the grapevine seems to claim that AS327933 is announcing bogons.
We are reaching out to our customer (China Telecom) who is their provider to investigate.
Thanks, Frank.
Mark.
AS2 is the most hijacked prefix in the world. Yes UD still owns it,
but since different router vendors use different methods of prepending
AS numbers, many folks try to prepend twice and end up announcing
on AS2..
thanks
mike
We are seeing some weird routing from them, and the AS2 they are
attached to (University of Delaware) seems odd.
classic mikrotik prepend syntax confusion?
randy
Uncertain. I have a Mikrotik CPE for my home router, but I can't tell you how BGP works on it.
It seems that AS2, in the path, is not genuine. We are verifying that, though.
Mark.
Haha you are right.
I just checked Caida AS ranking:
http://as-rank.uu3.net/?as=2
A lot of "providers" for UDEL-DCN. Yeah right..
They all indeed probably try to prepend their AS 2 times
ending up having ASN 2 in path.
Did I miss the memo where vendors went from explicitly defining the AS multiple times to determine the number of prepends, to, this :-)?
Mark.
yep, sure did. Check out the "set-bgp-prepend" action on routeros - it's right next to "set-bgp-prepend-path".
https://wiki.mikrotik.com/wiki/Manual:Routing/Routing_filters
<watches Mark's face as it dawns on him why this happens so regularly>
Nick
So how would one fumble it to the degree where a fat-finger results in what should be a prepend becoming an AS_PATH?
Genuine question - I have zero experience with Mikrotik in an SP role.
Mark.
If your asn is 327933, then:
add chain=foo prefix=192.0.2.0/24 action=accept set-bgp-prepend=2
... will produce: "327933 327933", and:
add chain=foo prefix=192.0.2.0/24 action=accept set-bgp-prepend-path=2
... will produce: "327933 2".
Routeros does command completion on the CLI, so this is finger-slip territory, and the two commands are visually similar enough to each other that it would be easy not to notice.
Nick
It is not terribly clever of Mikrotik to have two commands that do different things be that close in syntax.
That said, why are we giving the routers the ability to manually generate AS_PATH's? On any router OS, this is simply asking for it.
Mark.
It is not terribly clever of Mikrotik to have two commands that do different things be that close in syntax.
no, indeed.
That said, why are we giving the routers the ability to manually generate AS_PATH's? On any router OS, this is simply asking for it.
bgp is a policy based distance vector protocol. If you can't adjust the primary inter-domain metric to handle your policy requirements, it's not much use.
Nick
In other news, Mikrotik users at that ASN are discovering that 327,933 prepends may be a bit excessive.
I am not talking about appending one's own AS in the AS_PATH. I am talking about appending someone else's AS in the AS_PATH.
To be fair, I have never had to do that, since I've always thought it would be considered bad form. But I suspect that on the simple BGP mechanics of it, no vendor would be able to prevent that in any meaningful way.
Then again, path hijacking likely wasn't a thought at the time the Border Gateway Protocol was being conceived.
Mark.
BGP was indeed designed in an era when trust was implicit. Introducing ASPA to sign a cryptographic list of authorized providers steps in the right direction. By validating both AS_PATH and route origin, the chances of BGP hijack and misconfigurations can be substantially reduced.
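
The two outcomes Nick describes ("327933 327933" versus "327933 2"), run through the kind of provider-authorization check the last message mentions, as an added example that is not part of the thread. It is a simplified ASPA-style upstream check in Python, not a full implementation of the IETF verification procedure; the ASPA table is constructed sample data, 64500 and 64501 are documentation ASNs used as placeholders, and the 327933/37451 relationship follows the guess made in the thread rather than registry data.

```python
# Added example: simplified ASPA-style upstream path check.
# Constructed sample data: customer ASN -> set of authorized provider ASNs.
# 64500 is a placeholder documentation ASN; 327933 -> 37451 follows the
# guess made in the thread, not registry data.
ASPA = {
    2: {64500},
    327933: {37451},
}

def collapse_prepends(path):
    """Drop consecutive duplicate ASNs so legitimate prepending adds no hops."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def hop_state(customer, provider):
    """Classify one customer->provider hop against the ASPA table."""
    providers = ASPA.get(customer)
    if providers is None:
        return "no-attestation"
    return "provider" if provider in providers else "not-provider"

def verify_upstream(path):
    """path is in AS_PATH order (nearest neighbor first, origin last).
    Returns (result, offending_hop); offending_hop is set only for 'invalid'."""
    hops = collapse_prepends(path)[::-1]  # walk from the origin outward
    result = ("valid", None)
    for customer, provider in zip(hops, hops[1:]):
        state = hop_state(customer, provider)
        if state == "not-provider":
            return ("invalid", (customer, provider))
        if state == "no-attestation":
            result = ("unknown", None)
    return result

if __name__ == "__main__":
    samples = {
        "set-bgp-prepend=2": [37451, 327933, 327933],
        "set-bgp-prepend-path=2": [37451, 327933, 2],
        "no ASPA for 37451": [64501, 37451, 327933],
    }
    for label, path in samples.items():
        print(label, path, verify_upstream(path))
```

The mistaken path fails at the first hop because AS2's constructed ASPA does not list 327933 as a provider, while the genuine double prepend collapses to a single authorized hop.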