nanog mailing list archives

Re: look for BGP routes containing local AS#


From: joel jaeggli <joelja () bogus com>
Date: Wed, 28 Jan 2015 12:02:35 -0800

On 1/28/15 1:32 AM, Song Li wrote:
Hi Joel,

It is right that the BGP route containing the local ASN will be dropped.
However, such routes can still be displayed on router.

There is also the non-zero probability that they don't arrive.

If this is an edge router, if your neighbor is a Juniper and the only
instance of prefix advertisement with this case is your advertisement
from your router, you're not going to get it.

From:

---
https://www.juniper.net/documentation/en_US/junos14.2/topics/topic-map/bgp-route-advertisement.html

Disabling Suppression of Route Advertisements
Junos OS does not advertise the routes learned from one EBGP peer back
to the same external BGP (EBGP) peer. In addition, the software does not
advertise those routes back to any EBGP peers that are in the same AS as
the originating peer, regardless of the routing instance. You can modify
this behavior by including the advertise-peer-as statement in the
configuration. To disable the default advertisement suppression, include
the advertise-peer-as statement:

        
Note: The route suppression default behavior is disabled if the
as-override statement is included in the configuration.
If you include the advertise-peer-as statement in the configuration, BGP
advertises the route regardless of this check.

To restore the default behavior, include the no-advertise-peer-as
statement in the configuration:

no-advertise-peer-as;

If you include both the as-override and no-advertise-peer-as statements
in the configuration, the no-advertise-peer-as statement is ignored. You
can include these statements at multiple hierarchy levels.

For a list of hierarchy levels at which you can include these
statements, see the statement summary section for these statements.

---

If this is an edge router and your provider is filtering those either
from above or other reasons then you won't receive them.

If this is an ibgp session and they're not being accepted on the edge
router you will never see them.

For example, you
can run "show route hidden terse aspath-regex .*<local ASN>.*" on
Juniper to check them. We are looking for those routes. If you can run
the command on your Juniper and find such routes, could you please
provide them for us?

Thanks!

Regards!

Song

On 2015/1/28 16:23, joel jaeggli wrote:
On 1/27/15 5:45 AM, Song Li wrote:
Hi everyone,

Recently I studied the BGP AS path looping problem, and found that in
most cases, the received BGP routes containing local AS# are suspicious.
However, we checked our BGP routing table (AS23910, CERNET2) on Juniper
router (show route hidden terse aspath-regex .*23910.* ), and have not
found such routes in Adj-RIB-In.

Updates with your AS in the path are discarded as part of loop
detection, e.g. they do not become candidate routes.

https://tools.ietf.org/html/rfc4271 page 77

    If the AS_PATH attribute of a BGP route contains an AS loop, the BGP
    route should be excluded from the Phase 2 decision function.  AS loop
    detection is done by scanning the full AS path (as specified in the
    AS_PATH attribute), and checking that the autonomous system number of
    the local system does not appear in the AS path.  Operations of a BGP
    speaker that is configured to accept routes with its own autonomous
    system number in the AS path are outside the scope of this document.

in junos

neighbor { ipAddress | ipv6Address | peerGroupName } allowas-in number

where number is the number of instances of your AS in the path you're
willing to accept will correct that.

We believe that the received BGP routes containing local AS# are related
to BGP security problem.

You'll have to elaborate, since their existence is a basic principle in
the operation of bgp and they are ubiquitous.

Island instances of a distributed ASN communicate with each other by
allowing such routes in so that they can be evaluated on the basis of
prefix, specificity, AS path length and so forth.

Hence, we want to look for some real cases in
the wild. Could anybody give us some examples of such routes?

Thanks!

Best Regards!
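
The two checks discussed in this thread, sender-side advertisement suppression and receiver-side RFC 4271 AS loop detection, modeled as an added example (not code from the thread or from Juniper). AS 64500-64502 are constructed documentation ASNs, the sender check is simplified to a comparison against the leftmost ASN, and `allowed` stands in for the number of local-AS occurrences the receiver is configured to accept.

```python
import re

LOCAL_AS = 23910      # AS from the thread
NEIGHBOR_AS = 64500   # constructed documentation ASN

def parse_as_path(text):
    """Flatten an asplain AS_PATH such as '64500 {64501,64502} 23910' into ASNs.
    Matching whole tokens avoids the substring hits a regex like .*23910.*
    would give for an unrelated ASN such as 123910."""
    return [int(tok) for tok in re.findall(r"\d+", text)]

def sender_advertises(path_at_sender, peer_as, advertise_peer_as=False):
    """Sender side (simplified model of the quoted suppression text): do not
    send a route to an EBGP peer in the AS it was learned from, unless the
    advertise-peer-as behaviour is enabled."""
    path = parse_as_path(path_at_sender)
    return advertise_peer_as or not path or path[0] != peer_as

def receiver_accepts(received_path, local_as, allowed=0):
    """Receiver side: RFC 4271 loop detection scans the full AS path for the
    local ASN; 'allowed' is how many occurrences are tolerated (default none)."""
    return parse_as_path(received_path).count(local_as) <= allowed

def fate(path_at_neighbor, advertise_peer_as=False, allowed=0):
    """What happens to a route held by the neighbor, seen from LOCAL_AS."""
    if not sender_advertises(path_at_neighbor, LOCAL_AS, advertise_peer_as):
        return "never sent"            # nothing to find in Adj-RIB-In
    received = f"{NEIGHBOR_AS} {path_at_neighbor}"   # neighbor prepends itself
    if not receiver_accepts(received, LOCAL_AS, allowed):
        return "hidden (AS loop)"      # visible only as a hidden route
    return "accepted"

if __name__ == "__main__":
    # Constructed AS paths as they sit in the neighbor's table.
    for path in ["23910", "64501 23910 64502", "64501 {64502,23910}", "64501 64502"]:
        print(f"{path!r:24} default: {fate(path):18} allowed=1: {fate(path, allowed=1)}")
```

A route with the default outcome "never sent" leaves no trace on the receiving router, which is why an empty hidden-route listing does not show that no such paths exist upstream.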






