IP Prefixes are allocated ..

to different Autonomous systems.

Is there a central/distributed database somewhere that can tell me
that this particular IP prefix (say x.y.z.w) has been given to foo AS
number?

I tried searching through all the WHOIS records for a domain name. I
get the IP address but I don't get the AS number.

Any clues on how I can get the AS number?

Glen

    > to different Autonomous systems.

    > Is there a central/distributed database somewhere that can tell me
    > that this particular IP prefix (say x.y.z.w) has been given to foo AS
    > number?

We have archives of much of that information (historical whois), and we've
been working on databasing it, but that's unfunded work, so it's going
slowly. Basically, we get bulk data from the five RIRs, and try to parse
it into a structured database. For the ones like ARIN and LACNIC, that
are coming out of a similar relational database, it's not too difficult
work. For others, it's largely manual.

    > I tried searching through all the WHOIS records for a domain name. I
    > get the IP address but I don't get the AS number.
    > Any clues on how I can get the AS number?

If you just want this for one thing, not lots, you can just track it down
by hand. Check to see if the address space is being announced, and if so,
by what AS. Then check the RIR whois for that AS, and see who it is. If
it's not being announced, start looking through whois for substring
matches against likely bits of the name of the owner of the address space.

                                -Bill

try whois.radb.net

he might be satisfied with:

mail.pch.net. 86400 IN A 206.220.231.1

:~> host -W 6 -R 10 -t txt 1.231.220.206.asn.routeviews.org
1.231.220.206.asn.routeviews.org text "3856" "206.220.228.0" "22"

which is AS 3856 routing 206.220.228.0/22 ... which contains the /32
above.

> to different Autonomous systems.
>
> Is there a central/distributed database somewhere that can tell me
> that this particular IP prefix (say x.y.z.w) has been given to foo AS
> number?

IP prefixes are not "given" to AS numbers. They are assigned & allocated to
organizations that can choose to announce it themselves (in which case you
may search for ASN name with same organization name as who the ip block is
assigned to) or have their ISP announce it (in this case ISPs often register
ip block in RR - may appear in whois.radb.net).

> I tried searching through all the WHOIS records for a domain name. I
> get the IP address but I don't get the AS number.
> Any clues on how I can get the AS number?

I suspect what you're really asking is who is announcing a particular
ip address in BGP. If you want to do it by whois, I recommend this:

  whois -h riswhois.ripe.net <ip-address>

* Christopher L. Morrow:

> he might be satisfied with:
>
> mail.pch.net. 86400 IN A 206.220.231.1
>
> :~> host -W 6 -R 10 -t txt 1.231.220.206.asn.routeviews.org
> 1.231.220.206.asn.routeviews.org text "3856" "206.220.228.0" "22"
>
> which is AS 3856 routing 206.220.228.0/22 ... which contains the /32
> above.

asn.routeviews.org doesn't do longest-prefix matching, so you need a
short Perl script to get the correct ASN, attached below. However,
this is a bit slow thanks to the overhead of loading Net::DNS, see
<http://www.enyo.de/fw/notes/perl-probleme.html> (German).

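#!/usr/bin/perl

use warnings;
use strict;
use Net::DNS;

# Require exactly one argument that looks like a dotted-quad IPv4 address.
if (@ARGV != 1 || $ARGV[0] !~ /^\d+\.\d+\.\d+\.\d+$/) {
    print STDERR "usage: ip2asn A.B.C.D\n";
    exit 1;
}

# Build the reversed-octet query name, e.g. 1.231.220.206.asn.routeviews.org
my $suffix = 'asn.routeviews.org';
my $name = join '.', (reverse split /\./, $ARGV[0]), $suffix;

my $res = Net::DNS::Resolver->new;
my $packet = $res->query($name, 'TXT');
my @txt;
# Keep only TXT records; other record types have no char_str_list method.
@txt = grep { $_->type eq 'TXT' } $packet->answer if $packet;

# Each TXT record is ("ASN", "network", "prefix length"); keep the longest prefix.
my ($longest_net, $longest_length, $longest_asn);
for my $rr (@txt) {
    my ($asn, $net, $length) = $rr->char_str_list;
    if ((! defined $longest_length) || $length > $longest_length) {
        $longest_net = $net;
        $longest_length = $length;
        $longest_asn = $asn;
    }
}

# Print 0 when there was no answer or the ASN is 64511 or above.
if (defined $longest_asn && $longest_asn < 64511) {
    print "$longest_asn\n";
} else {
    print "0\n";
}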

> to different Autonomous systems.

No. Wrong.

IP addresses are allocated to network providers, or to end-user
networks. The recipient of a block of IP addresses (by direct
allocation/assignment from ARIN or by a PI assignment from some other
registry) can get their provider to announce the block, in which case
the AS number will change any time they change providers, or indeed
they can get several providers to announce parts of the block. Or they
can choose to get an AS number of their own and announce it
themselves. They might announce part of it themselves and have a
provider announce other parts, and so on.

There is no fixed relationship between addresses and ASNs.

> Is there a central/distributed database somewhere that can tell
> me that this particular IP prefix (say x.y.z.w) has been given
> to foo AS number?

To find out what AS is actually announcing a given IP address, the
place to look is in the routing tables themselves, or information
services which draw their data from routing tables.

One such is whois.cymru.com:

% whois -h whois.cymru.com 216.168.0.0
ASN | IP | Name
11697 | 216.168.0.0 | NET-SUPERNEWS - Supernews

Another is the asn.routeviews.org DNS zone:

% host -t txt 0.0.168.216.asn.routeviews.org.
0.0.168.216.asn.routeviews.org text "11697" "216.168.0.0" "19"

Both of these tell you who _IS_ announcing the space, not who _SHOULD
BE_ announcing it.

Routing registries such as RADB tell you another story; they tell you
who _thinks_ that they _should_ be announcing it or allowing it to be
announced. The quality of such data is poor at best; often it is
nonexistent. Never trust the RADB data to be either correct or
complete.

There is currently no fully reliable way for a third party to answer
the question "should AS N be announcing prefix X". The history of
netblock thefts shows that even network providers have a hard time
answering the question "should my customer C be announcing prefix X".
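An added example, not part of the original thread: a Python sketch that parses `host -t txt` answers in the asn.routeviews.org format shown above, picks the most specific route that really covers the address, and compares the observed origin (who IS announcing) with a registry's claimed origins (who SHOULD be). The second sample record (AS 64500, 206.220.0.0/16), the `registered` sets and the result labels are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the `host -t txt` format quoted in the thread.
# The second record is an invented less-specific covering route.
SAMPLE = """\
1.231.220.206.asn.routeviews.org text "3856" "206.220.228.0" "22"
1.231.220.206.asn.routeviews.org text "64500" "206.220.0.0" "16"
"""

TXT_RE = re.compile(r'text\s+"(\d+)"\s+"([\d.]+)"\s+"(\d+)"')

def parse_answers(host_output):
    """Return [(asn, network)] for every well-formed TXT answer line."""
    out = []
    for m in TXT_RE.finditer(host_output):
        asn, net, length = m.groups()
        try:
            network = ipaddress.ip_network(f"{net}/{length}", strict=True)
        except ValueError:
            continue  # bad length or host bits set: ignore the record
        out.append((int(asn), network))
    return out

def observed_origins(ip, host_output):
    """Longest-prefix match: the most specific covering route and its origins."""
    addr = ipaddress.ip_address(ip)
    covering = [(a, n) for a, n in parse_answers(host_output) if addr in n]
    if not covering:
        return None, set()
    best = max(n.prefixlen for _, n in covering)
    prefix = next(n for _, n in covering if n.prefixlen == best)
    return prefix, {a for a, n in covering if n.prefixlen == best}

def compare(ip, host_output, registered):
    """Compare the observed origin with registry claims (which may be wrong)."""
    prefix, seen = observed_origins(ip, host_output)
    if prefix is None:
        return "not-announced"
    if len(seen) > 1:
        return "multiple-origins"
    if not registered:
        return "no-registry-data"
    return "match" if seen <= registered else "mismatch"
```

A "mismatch" here only means the routing table and the registry disagree; as the message above says, registry data alone cannot settle which of the two is right.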

which means host -t txt <ip> will return more than one record, yes? so he
can just scan for the longest length in the return? (I am assuming he's
not putting this into some ginormous automated monstrosity of course)

-Chris

* Christopher L. Morrow:

> > asn.routeviews.org doesn't do longest-prefix matching, so you need a
> > short Perl script to get the correct ASN, attached below. However,
>
> which means host -t txt <ip> will return more than one record, yes?

Exactly.

> so he can just scan for the longest length in the return?

This is what the Perl script does, yes.

   > to different Autonomous systems.
   > Is there a central/distributed database somewhere that can tell me
   > that this particular IP prefix (say x.y.z.w) has been given to foo AS
   > number?

> We have archives of much of that information (historical whois), and we've
> been working on databasing it, but that's unfunded work, so it's going
> slowly.

I've been doing something similar too with historic whois & routing data,
with the purpose of interrelating it in the database, making it possible
to search by date and by how an ip prefix changed. Not very easy because
of the amount of data to properly process while keeping track of and creating
cvs-like info in the db.

> Basically, we get bulk data from the five RIRs, and try to parse
> it into a structured database. For the ones like ARIN and LACNIC, that
> are coming out of a similar relational database, it's not too difficult
> work. For others, it's largely manual.

It's not 100% clear for LACNIC & ARIN either. ARIN & LACNIC do allow for
common organization that is a db parent for both ASN and an ip block but
there are actually a number of organizations with multiple Org IDs and with
ASN being under different org (also same sometimes happens for IPv6
allocations) and cases of organizations buying each and ending up with
multiple ones (but only using one asn) are common.

    > > Basically, we get bulk data from the five RIRs, and try to parse
    > > it into a structured database. For the ones like ARIN and LACNIC, that
    > > are coming out of a similar relational database, it's not too difficult
    > > work. For others, it's largely manual.
    >
    > It's not 100% clear for LACNIC & ARIN either. ARIN & LACNIC do allow for
    > common organization that is a db parent for both ASN and an ip block but
    > there are actually a number of organizations with multiple Org IDs and with
    > ASN being under different org (also same sometimes happens for IPv6
    > allocations) and cases of organizations buying each and ending up with
    > multiple ones (but only using one asn) are common.

Yes, we've got a table of organization-to-OrgID, particularly since one
organization will have different OrgIDs not only within one RIR, but
in different RIRs, even.

My only point was that it's a lot easier to get data back into a database
if it came out of a database in the first place. Then all you have to do
is understand the relationship model between the objects, and understand
what limitations it has and how it maps into one's own superset of that.

                                -Bill

IP prefixes are NOT allocated to AS numbers, they are allocated to Organizations
just like AS numbers.

Perhaps this is part of why you can't find such a list.

Owen

Prefixes aren't assigned to ASNs. They're assigned to organizations/networks. Those entities may have several ASNs or no ASN of their own. You can see what ASN(s) announce what prefixes by looking at BGP.

> to different Autonomous systems.

No, but...

> Is there a central/distributed database somewhere that can tell me
> that this particular IP prefix (say x.y.z.w) has been given to foo AS
> number?
>
> I tried searching through all the WHOIS records for a domain name. I
> get the IP address but I don't get the AS number.

... if you want to know which AS is originating a prefix which covers a particular address right now, you can always use whois.cymru.com:

[halibut:~]$ whois -h whois.cymru.com 203.97.1.241
ASN | IP | Name
4768 | 203.97.1.241 | CLIX-NZ TelstraClear Ltd
[halibut:~]$

Joe

I suggest this should be common across ripe, apnic and
lacnic, Routing Information Service
http://www.ripe.net/ris/riswhois.html

that should help the current situation with services
already in place

-Henry

They're orthogonal, so what you suggest is in fact the status quo.

RIS, Route-Views, and PCH collect and archive routing information for
prefixes and ASNs allocated/assigned from all five RIRs indiscriminately.

                                -Bill