Hi everyone,
I found many ISP announced bogon prefix, for example:
OriginAS Announcement Description
AS7018 172.116.0.0/24 unallocated
AS209 209.193.112.0/20 unallocated
my question is why the tier1 and other ISP announce these unallocated bogon prefixes, and another interesting question is:
If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with AS7018 announced? Will this result in prefix hijacking?
Thanks!
Hi everyone,
I found many ISP announced bogon prefix, for example:
sad, right?
OriginAS Announcement Description
AS7018 172.116.0.0/24 unallocated
AS209 209.193.112.0/20 unallocatedmy question is why the tier1 and other ISP announce these unallocated bogon
OSS is hard.
prefixes, and another interesting question is:
If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with
AS7018 announced? Will this result in prefix hijacking?
technically you are probably hijacking a hijack 
or something like that.
Hi everyone,
I found many ISP announced bogon prefix, for example:
OriginAS Announcement Description
AS7018 172.116.0.0/24 unallocated
AS209 209.193.112.0/20 unallocatedmy question is why the tier1 and other ISP announce these unallocated bogon prefixes, and another interesting question is:
You could also ask why are other providers accepting the route, since I could announce 209.193.112.0/20 from my router and my upstream would reject it.
Of course, those two ASNs have a huge number of routes so they probably aren't filtered as closely by their peers.
But.. even if you're hyper diligent and blocking bogon routes, you'll need to ask yourself why it's not in the bogon list:
curl -s http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt | grep 209.193
It's also not on http://www.cymru.com/BGP/bogons.html but 172.116.0.0/24 is.
Now, according to this:
http://myip.ms/view/ip_addresses/3519115264/209.193.112.0_209.193.112.255
It belongs to the Franciscan Health System. The one IP that is in DNS seems to back this up (it's called mercyvpn.org)
Whois Record created: 04 Jan 2005
Whois Record updated: 24 Feb 2012
My guess is one of two things. Maybe they renumbered out of the /20 but left a VPN server up and haven't managed to migrate off it yet, but they have asked to return the block.. or, they forgot to pay their bill to ARIN and the block has been removed from whois but Qwest isn't as diligent because they're still being paid.
I've CC'd the technical contact listed in the old whois information so maybe he can get things corrected.
If I am ISP, can I announce the same bogon prefix(172.116.0.0/24) with AS7018 announced? Will this result in prefix hijacking?
Thanks!
I can find nothing on google that offers any legitimacy for 172.116.0.0/24, but it is has been announced for 2 years so maybe there is some squatters rights at least. It doesn't appear to be a spam source and I don't think any hosts are up on it right now. Maybe it's a test route that never got removed. It makes me sad that nobody at ATT reads the CIDR report. They've only got a couple of bogon announcements so it would be trivial for them to either acknowledge them and claim legitimacy or clean them up.
<snip>
My guess is one of two things. Maybe they renumbered out of the /20 but
left a VPN server up and haven't managed to migrate off it yet, but they
have asked to return the block.. or, they forgot to pay their bill to ARIN
and the block has been removed from whois but Qwest isn't as diligent
because they're still being paid.
This brings up a good point which came to mind recently.
What process(es) do folks use for cases where an address block and/or ASN
seems no longer have whois info associated (eg. where authorization to use
may have been revoked)?
Do the RIRs have a process for notifying the community or at least the
upstream providers that something has changed?
Thanks for insight from the community.
Tony