IPv4 Subnet 23.151.232.0/24 blackholed?

Neel_Chauhan · April 26, 2023, 2:35am

Hi,

I recently got the IPv4 allocation 23.151.232.0/24 from ARIN. I also had my hosting company ReliableSite announce it to the internet.

Right now, I can only access networks that peer with ReliableSite via internet exchanges, such as Google, CloudFlare, OVH, Hurricane Electric, et al.

It seems the Tier 1 ISPs (e.g. Lumen, Cogent, AT&T, et al.) are blackholing the IPv4 subnet 23.151.232.0/24. Could someone who works at a Tier 1 NOC please check and remove the blackhole if any exists?

Normally when ReliableSite announced my prior (then-leased) IPv4 space it gets propagated via BGP almost immediately. This time it's not going through at all.

Best,

Neel Chauhan

mrhamel · April 26, 2023, 2:49am

Neel,

Carriers rebuild their prefixes lists once or twice in a 24 hour period. Considering that you just got the block today and is in ReliableSite's AS-SET, you just got to be patient.

Having announcements propagated immediately either sounds like it happened a day after you gave them the LOA, or they have unfiltered transit circuits, which is worrisome.

Ryan

From "Neel Chauhan" <neel@neelc.org>
To nanog@nanog.org
Date 4/25/2023 7:35:40 PM
Subject IPv4 Subnet 23.151.232.0/24 blackholed?

Jon_Lewis1 · April 26, 2023, 2:52am

You need to talk to ReliableSite and have them talk to their transits about accepting 23.151.232.0/24.

I see that you did create a route object...

route: 23.151.232.0/24
origin: AS23470
descr: Qeru Systems, LLC
mnt-by: MAINT-AS23470
changed: jcid@reliablesite.net 20230425 #01:09:36Z
source: RADB

but I'd dump RADB and create this object in the authoratative IRR, in this case ARIN's rr.arin.net. At least some "Tier 1's" no longer honor route objects from non-authoratative IRRs when building prefix-list filters for their customers BGP sessions.

I'm not receiving your route, and route-views doesn't see it either.

Mailman · April 26, 2023, 2:54am

The range has only been announced for 2 hours. Just wait longer for filters to refresh as Ryan advised.

Travis_Garrison · April 26, 2023, 11:33am

We are able to see your range from Cogent and Hurricane Electric now. Just took time

Routes For: 23.151.232.0/24

Timestamp: 2023-04-26 11:27:07 UTC

Prefix: 23.151.232.0/24
RPKI State: Not Verified
AS Path: 6939 → 23470 → 23470 → 23470 → 23470
Next Hop: 184.105.58.113
Weight: 170
Local Preference: 100
MED: 0
Communities:
Originator:
Peer: 216.218.253.50
Age: 6 hours (Wed, 26 Apr 2023 05:01:41 UTC)
Prefix: 23.151.232.0/24
RPKI State: Not Verified
AS Path: 6939 → 23470 → 23470 → 23470 → 23470
Next Hop: 184.105.92.241
Weight: 170
Local Preference: 100
MED: 0
Communities:
Originator:
Peer: 100.78.0.6
Age: 6 hours (Wed, 26 Apr 2023 05:01:39 UTC)
Prefix: 23.151.232.0/24
RPKI State: Not Verified
AS Path: 174 → 3257 → 23470 → 23470 → 23470 → 23470
Next Hop: 38.140.137.161
Weight: 170
Local Preference: 100
MED: 10020
Communities:
174:21000
174:22013
Originator:
Peer: 66.28.1.16
Age: 3 hours (Wed, 26 Apr 2023 08:57:05 UTC)

Thanks

Travis

Mark_Tinka4 · April 26, 2023, 12:54pm

You’re welcome to use our looking glasses which over Europe and Africa:

https://as37100.net/

But so far, we are seeing this in AMS:

BGP routing table entry for 23.151.232.0/24, version 2411923092
Paths: (2 available, best #2, table default)
Not advertised to any peer
Refresh Epoch 1
37100 3257 23470 23470 23470 23470
105.26.64.17 from 105.26.64.17 (105.16.0.131)
Origin IGP, metric 0, localpref 100, valid, external
Community: 37100:1 37100:13
path 211B5070 RPKI State not found
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
37100 3257 23470 23470 23470 23470
105.26.64.1 from 105.26.64.1 (105.16.0.131)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: 37100:1 37100:13
path 211B6A5C RPKI State not found
rx pathid: 0, tx pathid: 0x0

And in JNB:

BGP routing table entry for 23.151.232.0/24, version 1526622268
Paths: (2 available, best #2, table default)
Not advertised to any peer
Refresh Epoch 1
37100 3257 23470 23470 23470 23470
105.22.32.1 from 105.22.32.1 (105.16.0.163)
Origin IGP, metric 0, localpref 100, valid, external
Community: 37100:1 37100:13
path 44E5427C RPKI State not found
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
37100 3257 23470 23470 23470 23470
105.22.40.1 from 105.22.40.1 (105.16.0.162)
Origin IGP, metric 0, localpref 100, valid, external, best
Community: 37100:1 37100:13
path 44E60E94 RPKI State not found
rx pathid: 0, tx pathid: 0x0

Mark.

Jon_Lewis1 · April 26, 2023, 12:59pm

Now this is kind of interesting. I see route-views can see the route now...

BGP routing table entry for 23.151.232.0/24, version 2814701286
Paths: (19 available, best #19, table default)
   Not advertised to any peer
   Refresh Epoch 1
   3333 1257 6453 23470 23470 23470 23470
     193.0.0.56 from 193.0.0.56 (193.0.0.56)
       Origin IGP, localpref 100, valid, external
       Community: 1257:50 1257:51 1257:3528 1257:4103
       path 7FE0DBA20378 RPKI State not found
       rx pathid: 0, tx pathid: 0
   Refresh Epoch 1
...

The only IRR route object I see for it is

route: 23.151.232.0/24
origin: AS23470
descr: Qeru Systems, LLC
mnt-by: MAINT-AS23470
changed: jcid@reliablesite.net 20230425 #01:09:36Z
source: RADB
rpki-ov-state: not_found # No ROAs found, or RPKI validation not enabled for source

and there appears to be no ROA.

According to TATA Communications Customer BGP Filter Update Policy for IP Transit, I would not have expected Tata to accept this route from RELIABLESITE (not based on the above route object), unless Tata is not using an IRR-based auto-generated prefix-list filter for RELIABLESITE, but rather a manually edited one.