30 Jan
2021
30 Jan
'21
8:47 p.m.
Hi Colin,
Thanks for the prompt response to the thread, yes your exact use case
is one which I was expecting to see!
I'm more worried about the more specific announcements within the
portal covering /16 entries.
It would certainly be handy to have publically visible origin ASN
fields per BGP assignment, plus max / min expected prefix lists (like
RIPE route objects) that would allow for some automated alerting to be
built.
Nat,
On Sun, Jan 31, 2021 at 2:42 AM Colin Bodor <colin.bodor(a)imperium.ca> wrote:
Hello, nice work! And that's interesting/possibly concerning data.
I am AS 55016, and doing exactly as you mentioned, I got a /22 and am announcing it as
/24s instead. I may split one or two of the /24s out which is why it was done this way.
Thought I would just let everyone know those are legitimate announcements (55016 is in the
portal under the related /22 of course)
-Colin
-----Original Message-----
From: 44Net <44net-bounces+colin.bodor=imperium.ca(a)mailman.ampr.org> On Behalf Of
Nat Morris via 44Net
Sent: Saturday, January 30, 2021 19:35
To: AMPRNet working group <44net(a)mailman.ampr.org>
Cc: Nat Morris <nat(a)nuqe.net>
Subject: [44net] Concerning over undocumented BGP announcements
Hello all,
Over the last few months I have noticed some odd BGP announcements of prefixes which have
no allocations in the AMPRnet portal. After spotting 5 or 6 of these it made me wonder how
many existed.
This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9
and 44.128.0.0/10, which took place in 2021. Then scraped the allocations from the AMPRnet
portal, compared prefixes directly and then used a radix tree to find a best match.
The resulting data
https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whd…
At first glance there are some expected entries, for example users with a /22 or /23
announcing a more specific /24.
What really worries me is the amount of announcements of /24s where the closest portal
documented prefix is a /16. Are these being used legitimately? do AMPR co-ordinators what
details about them? or have they been hijacked?
Look for example at /24 announcements within country assignments, but no specific
description!
I would like to start a discussion around these specific prefixes.
The scripts I wrote are here https://github.com/natm/amprnet-observer
Kind regards,
Nat.
--
Nat
https://nat.ms
+44 7531 750292
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
--
Nat
https://nat.ms
+44 7531 750292