Hi All,
I just joined this list today because I just wanted to stick my oar in and say that there has been a lot of chatter recently about avoiding the use of RADB for the reasons highlighted in this thread. For this reason, and because of the benefit of RPKI, I'd definitely be interested to know whether there's the possibility of partnering with a RIR that offers proper authentication of routes.
On a mildly related note, I notice that AMPRNet offers a whois service, but this doesn't seem to be forwarded to by the "44.0.0.0 - 44.191.255.255" object, so most people wanting to find out who owns IPs by using generic whois lookups are not likely to succeed.
I'd be happy to potentially collaborate on a technical front with these projects if it would be helpful.
Charlie
On Sunday, January 31, 2021, 2:10:02 PM GMT, Nat Morris via 44Net <44net@mailman.ampr.org> wrote:
On Sun, Jan 31, 2021 at 9:36 AM G1FEF via 44Net <44net@mailman.ampr.org> wrote:
This is something that I keep an eye on, and I do act on any unauthorised announcements.
Just this last week several blocks were hijacked with malicious intent, I spent several hours contacting their upstreams to get them blocked as well as altDB & RADB to get their unauthorised route objects removed. Successfully I am pleased to say.
Which blocks did you report?
Any explanation for these prefixes announced in the UK by AS61337, alongside your portal prefixes? They are not documented at all in the portal:
44.127.128.0/24 44.190.122.0/24 44.190.124.0/24 44.190.125.0/24 44.190.128.0/24 44.190.129.0/24 44.190.130.0/24 44.190.131.0/24 44.191.0.0/20
On a related subject, ARDC have recently opened an account with RADB, many folks struggle to add route objects to an IRR DB after I have issued an LOA, it is a recurring problem I deal with by adding their route object to altDB. The problem with altDB is that not all carriers build their filters from there (presumably because it is a free IRR DB and anyone can add any route object they like, including hijackers). RADB is a more respected and more widely used IRR DB. The intention is to automate the creation and removal of route objects via their API from the Portal.
RADB is ok, but not sufficient for the future. A better investment would be for the ARDC to negotiate with one of the 5 RIRs for prefixes to be registered there, so we could all benefit from use of their RPKI trust anchors. Having prefixes in RADB will not provide trust anchor functionality.
Adding visibility of the origin ASN to BGP announced allocations is also on the list for the Portal development. Min/Max expected prefixes is not something that has been considered before, however I can see that it would be quite useful, and not at all difficult to implement, so I have added that to the list - thanks for that Nat.
Which repo is this development taking place in?
I noticed the github.com AMPRnet Portal repo has been removed.
Nat,
Regards, Chris - G1FEF
On 31 Jan 2021, at 02:47, Nat Morris via 44Net <44net@mailman.ampr.org> wrote:
Hi Colin,
Thanks for the prompt response to the thread, yes your exact use case is one which I was expecting to see!
I'm more worried about the more specific announcements within the portal covering /16 entries.
It would certainly be handy to have publicly visible origin ASN fields per BGP assignment, plus max / min expected prefix lists (like RIPE route objects) that would allow for some automated alerting to be built.
Nat,
On Sun, Jan 31, 2021 at 2:42 AM Colin Bodor <colin.bodor@imperium.ca> wrote:
Hello, nice work! And that's interesting/possibly concerning data.
I am AS 55016, and doing exactly as you mentioned, I got a /22 and am announcing it as /24s instead. I may split one or two of the /24s out which is why it was done this way. Thought I would just let everyone know those are legitimate announcements (55016 is in the portal under the related /22 of course)
-Colin
-----Original Message-----
From: 44Net <44net-bounces+colin.bodor=imperium.ca@mailman.ampr.org> On Behalf Of Nat Morris via 44Net
Sent: Saturday, January 30, 2021 19:35
To: AMPRNet working group <44net@mailman.ampr.org>
Cc: Nat Morris <nat@nuqe.net>
Subject: [44net] Concerning over undocumented BGP announcements
Hello all,
Over the last few months I have noticed some odd BGP announcements of prefixes which have no allocations in the AMPRnet portal. After spotting 5 or 6 of these it made me wonder how many existed.
This evening I took a snapshot of the RIPE RIS data for announcements within 44.0.0.0/9 and 44.128.0.0/10, which took place in 2021. Then scraped the allocations from the AMPRnet portal, compared prefixes directly and then used a radix tree to find a best match.
The resulting data https://docs.google.com/spreadsheets/d/1nb4cTYVG1tm4HpxgPp7TAcgZ_qOlcej1whdv...
At first glance there are some expected entries, for example users with a /22 or /23 announcing a more specific /24.
What really worries me is the amount of announcements of /24s where the closest portal documented prefix is a /16. Are these being used legitimately? Do AMPR co-ordinators what details about them? Or have they been hijacked?
Look for example at /24 announcements within country assignments, but no specific description!
I would like to start a discussion around these specific prefixes.
The scripts I wrote are here https://github.com/natm/amprnet-observer
Kind regards,
Nat.
Nat
https://nat.ms +44 7531 750292 _________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net
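
The comparison described in the original message (direct prefix match, then a best match against documented allocations) can be sketched as follows. This is an added example, not code from the thread or from the amprnet-observer scripts; the prefixes, private-use ASNs, category names and the `max_gap` threshold are all constructed assumptions.

```python
import ipaddress

class PrefixTrie:
    """Binary trie over IPv4 prefixes, used for longest-prefix (best) match."""
    def __init__(self):
        self.root = {}

    def _bits(self, net):
        addr = int(net.network_address)
        return [(addr >> (31 - i)) & 1 for i in range(net.prefixlen)]

    def insert(self, prefix, asn):
        net = ipaddress.ip_network(prefix)
        node = self.root
        for bit in self._bits(net):
            node = node.setdefault(bit, {})
        node["entry"] = (net, asn)

    def best_match(self, prefix):
        """Most specific stored (network, asn) that covers prefix, or None."""
        node, best = self.root, self.root.get("entry")
        for bit in self._bits(ipaddress.ip_network(prefix)):
            node = node.get(bit)
            if node is None:
                break
            best = node.get("entry", best)
        return best

def classify(trie, prefix, origin_asn, max_gap=4):
    """max_gap (assumed): how many bits longer than the allocation still counts as expected."""
    match = trie.best_match(prefix)
    if match is None:
        return "undocumented"
    alloc, alloc_asn = match
    if alloc_asn is not None and alloc_asn != origin_asn:
        return "origin-mismatch"
    gap = ipaddress.ip_network(prefix).prefixlen - alloc.prefixlen
    if gap == 0:
        return "exact"
    return "more-specific" if gap <= max_gap else "covered-by-large-block"

# Constructed sample data; not taken from the portal or from RIPE RIS.
ALLOCATIONS = [("44.10.0.0/16", None), ("44.30.4.0/22", 64512), ("44.40.8.0/24", 64513)]
ANNOUNCEMENTS = [("44.30.5.0/24", 64512), ("44.40.8.0/24", 64513),
                 ("44.10.77.0/24", 64514), ("44.150.1.0/24", 64515), ("44.30.6.0/24", 64999)]

def audit(allocations, announcements):
    trie = PrefixTrie()
    for prefix, asn in allocations:
        trie.insert(prefix, asn)
    return {p: classify(trie, p, asn) for p, asn in announcements}

if __name__ == "__main__":
    for prefix, verdict in audit(ALLOCATIONS, ANNOUNCEMENTS).items():
        print(f"{prefix:18} {verdict}")
```

The "covered-by-large-block" verdict corresponds to the case raised in the thread of a /24 whose closest documented prefix is a /16; it marks an announcement for follow-up, not as a confirmed hijack.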