[atnog] Fwd: Bogon ASN Filter Policy

Otmar Lendl lendl at cert.at
Tue Jun 7 09:00:56 CEST 2016


FYI,

there is some movement on the topic of bogon filtering.

At various meetings recently we have heard more and more about
prefix hijacking. That is a very old trick for sending spam, but
supposedly it is now also being used for DDoS (more precisely: injecting
spoofed packets).

otmar

-------- Forwarded Message --------

TLP:GREEN

NTT (2914), GTT (3257), AT&T (7018) and KPN (286) have publicly
committed to deploy this style of policy in June/July 2016.

NTT's outreach programme is effective; the number of impacted prefixes
in the DFZ has already dropped by 50% in the last two weeks.

Kind regards,

Job

----- Forwarded message from Job Snijders <job at ntt.net> -----

Date: Thu, 2 Jun 2016 21:41:38 +0200
From: Job Snijders <job at ntt.net>
To: nanog at nanog.org
Cc: Jared Mauch <jmauch at us.ntt.net>
Subject: Bogon ASN Filter Policy

Dear fellow network operators,

In July 2016, NTT Communications' Global IP Network AS2914 will deploy a
new routing policy to block Bogon ASNs from its view of the default-free
zone. This notification is provided as a courtesy to the network
community at large.

After the Bogon ASN filter policy has been deployed, AS 2914 will not
accept route announcements from any eBGP neighbor which contain a Bogon
ASN anywhere in the AS_PATH or its atomic aggregate attribute.

The reasoning behind this policy is twofold:

    - Private or Reserved ASNs have no place in the public DFZ. Barring
      these from the DFZ helps improve accountability and dampen
      accidental exposure of internal routing artifacts.

    - All AS2914 devices support 4-byte ASNs. Any occurrence of "23456"
      in the DFZ is either a misconfiguration or a software issue.

We are undertaking this effort to improve the quality of routing data as
part of the global ecosystem. This should improve the security posture
and provide additional certainty [1] to those undertaking network
troubleshooting.

Bogon ASNs are currently defined as follows:

    0                       # Reserved RFC7607
    23456                   # AS_TRANS RFC6793
    64496-64511             # Reserved for use in docs and code RFC5398
    64512-65534             # Reserved for Private Use RFC6996
    65535                   # Reserved RFC7300
    65536-65551             # Reserved for use in docs and code RFC5398
    65552-131071            # Reserved
    4200000000-4294967294   # Reserved for Private Use RFC6996
    4294967295              # Reserved RFC7300

A current overview of what are considered Bogon ASNs is maintained at
NTT's Routing Policies page [2]. The IANA Autonomous System Number
Registry [3] is closely tracked and the NTT Bogon ASN definitions are
updated accordingly.

We encourage network operators to consider deploying similar policies.
Configuration examples for various platforms can be found here [4].

NTT staff is monitoring current occurrences of Bogon ASNs in the routing
system and reaching out to impacted parties on a weekly basis.

Kind regards,

Job

Contact persons:

    Job Snijders <job at ntt.net>, Jared Mauch <jmauch at us.ntt.net>,
    NTT Communications NOC <noc at ntt.net>

References:
[1]: https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
[2]: http://www.us.ntt.net/support/policy/routing.cfm#bogon
[3]: https://www.iana.org/assignments/as-numbers/as-numbers.xhtml
[4]: http://as2914.net/bogon_asns/configuration_examples.txt

----- End forwarded message -----
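The forwarded mail describes the policy (reject any announcement whose AS_PATH contains a Bogon ASN) and lists the ranges, but the configuration examples live behind link [4]. The following is an added example, not NTT's code or configuration: a small Python checker that applies the ranges from the mail to AS_PATH strings in the textual form routers print, so an operator can test a route-collector dump or a looking-glass output against the same definitions. The ranges are a 2016 snapshot copied from the mail; the IANA registry [3] remains the authoritative source. The sample paths at the bottom are constructed for illustration and do not describe any real announcement.

```python
"""Check BGP AS_PATH attributes against the Bogon ASN ranges listed in
the forwarded NTT announcement.

Added example for illustration; not NTT's own code or configuration.
The ranges below are copied from the mail (a 2016 snapshot); consult the
IANA AS number registry for the current state.
"""

import re

# (low, high, reason) -- inclusive ranges, taken verbatim from the mail.
BOGON_ASN_RANGES = [
    (0, 0, "Reserved RFC7607"),
    (23456, 23456, "AS_TRANS RFC6793"),
    (64496, 64511, "Reserved for use in docs and code RFC5398"),
    (64512, 65534, "Reserved for Private Use RFC6996"),
    (65535, 65535, "Reserved RFC7300"),
    (65536, 65551, "Reserved for use in docs and code RFC5398"),
    (65552, 131071, "Reserved"),
    (4200000000, 4294967294, "Reserved for Private Use RFC6996"),
    (4294967295, 4294967295, "Reserved RFC7300"),
]

MAX_ASN = 4294967295  # largest 4-byte ASN


def bogon_reason(asn):
    """Return the reason string if `asn` is a Bogon ASN, otherwise None."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"not a 32-bit ASN: {asn}")
    for low, high, reason in BOGON_ASN_RANGES:
        if low <= asn <= high:
            return reason
    return None


def parse_as_path(path):
    """Parse an AS_PATH as routers print it, e.g. '2914 3257 {64512 65001} 286'.

    AS_SET braces are flattened, because the policy looks for a Bogon ASN
    'anywhere in the AS_PATH'.  asdot notation such as '1.10' is converted
    to its asplain value (1 * 65536 + 10).
    """
    asns = []
    for token in re.findall(r"\d+(?:\.\d+)?", path):
        if "." in token:
            high, low = token.split(".")
            asns.append(int(high) * 65536 + int(low))
        else:
            asns.append(int(token))
    return asns


def bogon_hits(path):
    """Return [(asn, reason), ...] for every Bogon ASN found in `path`."""
    hits = []
    for asn in parse_as_path(path):
        reason = bogon_reason(asn)
        if reason is not None:
            hits.append((asn, reason))
    return hits


def accept_route(path):
    """Policy decision mirroring the mail: reject if any Bogon ASN appears."""
    return not bogon_hits(path)


if __name__ == "__main__":
    # Constructed sample paths (not real announcements).
    samples = [
        "2914 3257 286",               # clean path: accepted
        "2914 23456 286",              # AS_TRANS leaked: 4-byte ASN not translated
        "2914 3257 {64512 65001} 286", # private ASNs inside an AS_SET
        "7018 1.10 2914",              # asdot 1.10 == 65546, a docs/code ASN
    ]
    for sample in samples:
        verdict = "accept" if accept_route(sample) else "reject"
        print(f"{verdict:6} {sample!r} {bogon_hits(sample)}")
```

Run over a route dump, this reports which paths the announced policy would drop and why, which is the same information an operator needs when reaching out to an impacted neighbor.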

-- 
// Otmar Lendl <lendl at cert.at> - T: +43 1 5056416 711
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
