Hi Colin,
Thanks for the prompt response to the thread. Yes, your exact use case is one which I was expecting to see!
I'm more worried about the more specific announcements within the portal covering /16 entries.
It would certainly be handy to have publicly visible origin ASN fields per BGP assignment, plus max / min expected prefix lists (like RIPE route objects) that would allow for some automated alerting to be built.
Nat,
On Sun, Jan 31, 2021 at 2:42 AM Colin Bodor colin.bodor@imperium.ca wrote:
Hello, nice work! And that's interesting/possibly concerning data.
I am AS 55016, and doing exactly as you mentioned, I got a /22 and am announcing it as /24s instead. I may split one or two of the /24s out which is why it was done this way. Thought I would just let everyone know those are legitimate announcements (55016 is in the portal under the related /22 of course)
-Colin
-----Original Message-----
From: 44Net 44net-bounces+colin.bodor=imperium.ca@mailman.ampr.org On Behalf Of Nat Morris via 44Net
Sent: Saturday, January 30, 2021 19:35
To: AMPRNet working group 44net@mailman.ampr.org
Cc: Nat Morris nat@nuqe.net
Subject: [44net] Concerning over undocumented BGP announcements
Hello all,
Over the last few months I have noticed some odd BGP announcements of prefixes which have no allocations in the AMPRnet portal. After spotting 5 or 6 of these it made me wonder how many existed.
This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9 and 44.128.0.0/10, which took place in 2021. Then scraped the allocations from the AMPRnet portal, compared prefixes directly and then used a radix tree to find a best match.
The resulting data https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whdv...
At first glance there are some expected entries, for example users with a /22 or /23 announcing a more specific /24.
What really worries me is the number of announcements of /24s where the closest portal-documented prefix is a /16. Are these being used legitimately? Do AMPR co-ordinators want details about them? Or have they been hijacked?
Look for example at /24 announcements within country assignments, but no specific description!
I would like to start a discussion around these specific prefixes.
The scripts I wrote are here https://github.com/natm/amprnet-observer
Kind regards,
Nat.
Nat
https://nat.ms +44 7531 750292
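
The comparison described in the original message (direct prefix comparison, then a radix-tree best match against portal allocations), as an added example that is not taken from the thread or from the amprnet-observer repository. The prefixes, ASNs, status labels, the `gap` threshold and all function names are constructed for illustration.

```python
import ipaddress

AMPR_RANGES = [ipaddress.ip_network(n) for n in ("44.0.0.0/9", "44.128.0.0/10")]

def _bits(net):
    return [(int(net.network_address) >> (31 - i)) & 1 for i in range(net.prefixlen)]

class PrefixTrie:
    """Binary trie over IPv4 prefix bits for longest-prefix (best) match."""
    def __init__(self):
        self.root = {}
    def insert(self, net, value):
        node = self.root
        for bit in _bits(net):
            node = node.setdefault(bit, {})
        node["entry"] = (net, value)
    def best_match(self, net):
        node, best = self.root, self.root.get("entry")
        for bit in _bits(net):
            node = node.get(bit)
            if node is None:
                break
            best = node.get("entry", best)  # remember the deepest covering prefix
        return best

def classify(announcements, allocations, gap=8):
    trie = PrefixTrie()
    for prefix, desc in allocations:
        trie.insert(ipaddress.ip_network(prefix), desc)
    report = {}
    for prefix, origin_asn in announcements:
        net = ipaddress.ip_network(prefix)
        if not any(net.subnet_of(r) for r in AMPR_RANGES):
            continue  # outside 44.0.0.0/9 and 44.128.0.0/10
        match = trie.best_match(net)
        if match is None:
            status = "no-allocation"
        elif match[0] == net:
            status = "exact"
        elif net.prefixlen - match[0].prefixlen >= gap:
            status = "review"  # gap is an assumed threshold; catches a /24 under a /16
        else:
            status = "more-specific"  # e.g. a /24 inside a documented /22
        report[prefix] = (origin_asn, str(match[0]) if match else None, status)
    return report

# Constructed sample data: made-up allocations, documentation-range ASNs.
ALLOCATIONS = [("44.10.0.0/16", "country"), ("44.20.4.0/22", "user"), ("44.30.1.0/24", "user")]
ANNOUNCEMENTS = [("44.20.5.0/24", 64496), ("44.10.77.0/24", 64497), ("44.30.1.0/24", 64498),
                 ("44.40.0.0/24", 64499), ("192.0.2.0/24", 64500)]
```

Calling `classify(ANNOUNCEMENTS, ALLOCATIONS)` returns one entry per in-range announcement, keyed by prefix, with the origin ASN, the closest documented allocation and a status.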