[dns-operations] Strange things at C root name server
Alarig Le Lay
alarig at swordarmor.fr
Wed May 22 00:43:25 UTC 2024
On Tue 21 May 2024 22:45:38 GMT, Bill Woodcock wrote:
> When you say “is allocated to,” do you mean something other than that
> they’re BGP announcing 38.230.3.0/24? Because the IANA and all five
> RIRs appear to me to be in agreement that 38.230.3.0/24 is still part
> of 38/8, and is still a legacy allocation to PSInet, and thus to their
> inheritor Cogent, in the ARIN region.
>
> This appears to me to be a simple instance of BGP hijacking. And,
> amusingly, an unintentional origination, so the one quadrant of the
> intentional/unintentional origin/path matrix which RPKI could
> potentially have helped with.
>
> -Bill
That doesn’t look like hijacking; the Cogent whois refers to the /17
being assigned to Orange CI, and they are announcing part of it.
2:05 alarig at FR-PAR-4DWH ~ % whois 38.230.3.46
[…]
Found a referral to rwhois.cogentco.com:4321.
%rwhois V-1.5:0010b0:00 rwhois.cogentco.com (CGNT rwhoisd 1.2.0)
network:ID:NET4-26E6000011
network:Network-Name:NET4-26E6000011
network:IP-Network:38.230.0.0/17
network:Org-Name:Orange Cote d'Ivoire
network:Street-Address:CABLE SAT3 CLS, RUA AMÉLIA FRADE
network:City:SESIMBRA
network:Country:PT
network:Postal-Code:2970 – 712
network:Tech-Contact:ZC108-ARIN
network:Updated:2024-05-10 16:33:20
%ok
rr2.swordarmor.fr# show bgp ipv4 unicast 38.230.0.0/17 longer-prefixes
BGP table version is 23189654, local router ID is 45.91.126.240, vrf id 0
Default local pref 100, local AS 208627
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
*>i38.230.0.0/24 45.91.126.255 50 100 0 29075 1273 29571 i
* i 45.91.126.248 50 100 0 34019 1273 29571 i
*>i38.230.1.0/24 45.91.126.255 50 100 0 29075 5511 29571 i
*>i38.230.2.0/24 45.91.126.255 50 100 0 29075 6762 29571 i
*>i38.230.3.0/24 45.91.126.255 50 100 0 29075 5511 29571 29571 29571 29571 29571 29571 i
*>i38.230.4.0/24 45.91.126.255 50 100 0 29075 5511 29571 29571 29571 29571 29571 29571 i
*>i38.230.5.0/24 45.91.126.255 50 100 0 29075 5511 29571 29571 29571 29571 29571 29571 i
*>i38.230.6.0/24 45.91.126.255 50 100 0 29075 5511 29571 29571 29571 29571 29571 29571 i
*>i38.230.7.0/24 45.91.126.255 50 100 0 29075 5511 29571 i
Displayed 8 routes and 1507906 total paths
Also, c.root-servers.org (38.230.3.46) is routed as a /28 in Cogent’s
backbone:
Wed May 22 00:13:37.212 UTC
BGP routing table entry for 38.230.3.32/28
Versions:
Process bRIB/RIB SendTblVer
Speaker 2458191374 2458191374
Last Modified: Apr 11 22:34:05.626 for 5w5d
Paths: (1 available, best #1)
Advertised IPv4 Unicast paths to peers (in unique update groups):
38.5.0.99
Path #1: Received by speaker 0
Advertised IPv4 Unicast paths to peers (in unique update groups):
38.5.0.99
2149
154.26.7.205 (metric 191070) from 38.28.1.83 (154.54.66.234)
Origin IGP, metric 0, localpref 100, valid, internal, best, group-best, import-candidate
Received Path ID 0, Local Path ID 1, version 2458191374
Community: 174:10001 174:20999 174:21001
Originator: 154.54.66.234, Cluster list: 38.28.1.83, 38.28.1.67, 38.28.1.115, 154.54.66.68, 66.28.1.31
So if a network chooses to route via Cogent, it will work because it
will hit that /28 instead of the /24, but the Internet views it as being
behind Orange CI via OTI.
alarig at nte-tools-01:~$ mtr -bzwe c.root-servers.org
Start: 2024-05-22T00:03:46+0000
HOST: nte-tools-01 Loss% Snt Last Avg Best Wrst StDev
1. AS??? mgmt-442.nte01-fw01-0.mgmt.ouest.network (10.44.12.254) 0.0% 10 0.3 0.4 0.3 0.5 0.1
2. AS203432 rev-89-234-176-29.faimaison.net (89.234.176.29) 0.0% 10 0.4 0.6 0.4 0.8 0.1
3. AS174 gi0-0-0-10.nr11.b015567-0.nte01.atlas.cogentco.com (149.11.52.81) 0.0% 10 1.4 1.6 1.2 2.0 0.2
4. AS174 be3860.rcr61.nte01.atlas.cogentco.com (154.25.8.109) 0.0% 10 1.6 1.8 1.6 2.3 0.2
5. AS174 be3861.rcr51.rns01.atlas.cogentco.com (154.54.72.154) 0.0% 10 3.1 3.2 3.1 3.5 0.2
6. AS174 be3843.rcr51.uro01.atlas.cogentco.com (154.54.73.149) 0.0% 10 8.0 8.0 7.6 8.3 0.2
7. AS174 be2408.ccr41.par01.atlas.cogentco.com (130.117.2.177) 0.0% 10 8.7 8.9 8.6 9.5 0.3
8. AS174 be3095.ccr41.dca01.atlas.cogentco.com (154.54.89.221) 0.0% 10 85.0 84.7 84.5 85.0 0.2
9. AS174 be3351.rcr61.b000055-1.dca01.atlas.cogentco.com (154.54.91.130) 0.0% 10 84.8 100.3 84.8 238.1 48.4
10. AS174 te0-0-2-0.c-root.dca01.atlas.cogentco.com (154.54.2.70) 0.0% 10 84.9 98.8 84.9 223.1 43.7
11. AS29571 stats.c.root-servers.org (38.230.3.46) 0.0% 10 84.5 88.3 84.4 122.8 12.1
grifon at grifon01:~$ mtr -bzwe c.root-servers.org
Start: 2024-05-22T00:18:39+0000
HOST: grifon01.ring.nlnog.net Loss% Snt Last Avg Best Wrst StDev
1. AS204092 gw-vm-89-234-186-96-27.cogent-rns.grifon.fr (89.234.186.97) 0.0% 10 0.2 0.2 0.1 0.3 0.1
2. AS204092 asbr02.cogent-rns.bb.grifon.fr (89.234.186.34) 0.0% 10 0.5 0.3 0.2 0.5 0.1
3. AS30781 po6-54.er01.ren02.jaguar-network.net (31.172.233.208) 0.0% 10 2.1 2.0 1.6 2.4 0.2
4. AS30781 be2.er01.par01.jaguar-network.net (78.153.231.41) 0.0% 10 8.8 8.8 8.6 9.0 0.1
5. AS??? 81.52.188.23 0.0% 10 8.4 8.6 8.4 8.9 0.1
6. AS??? 193.251.240.148 10.0% 10 89.0 88.8 88.7 89.0 0.1
7. AS??? 193.251.144.28 0.0% 10 88.8 88.9 88.6 89.2 0.2
8. AS29571 ica3.ae6-aica2.rp.orange-cit.ci (41.189.62.34) 0.0% 10 89.5 90.9 89.2 99.9 3.4
9. AS29571 aica2.ae1-aica1.rp.orange-cit.ci (41.189.62.56) 0.0% 10 97.0 97.3 96.9 98.5 0.5
10. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
11. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
12. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
13. AS??? ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
14. AS29571 38.230.3.1 0.0% 10 94.5 94.3 94.1 94.5 0.1
15. AS29571 38.230.3.1 80.0% 10 94.5 94.4 94.3 94.5 0.1
--
Alarig
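
Added example, not part of the original post: a longest-prefix-match comparison of two route views, using the /24 and /28 and the AS paths quoted in the message above, to show why the same address resolves to different origins depending on where the lookup happens. The split into an "internet" and a "cogent" view, and the assumption that the Cogent view also carries the /24, are this example's own.

```python
import ipaddress

# Constructed route views built from prefixes and AS paths quoted in the post.
# Assumption: the Cogent-internal view holds the /24 plus the more-specific /28.
INTERNET_VIEW = [
    ("38.230.3.0/24", [29075, 5511, 29571, 29571, 29571, 29571, 29571, 29571]),
]
COGENT_VIEW = INTERNET_VIEW + [
    ("38.230.3.32/28", [2149]),  # AS path line from the Cogent router output
]


def best_match(rib, address):
    """Return (prefix, as_path) of the longest prefix covering address, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, path in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return None if best is None else (str(best[0]), best[1])


def origin_as(path):
    """The origin AS is the last (rightmost) AS in the path."""
    return path[-1]


def compare_views(views, address):
    """Map view name -> (matched prefix, origin AS); flag differing origins."""
    result = {}
    for name, rib in views.items():
        match = best_match(rib, address)
        result[name] = None if match is None else (match[0], origin_as(match[1]))
    origins = {hit[1] for hit in result.values() if hit is not None}
    return result, len(origins) > 1


if __name__ == "__main__":
    views = {"internet": INTERNET_VIEW, "cogent": COGENT_VIEW}
    result, diverges = compare_views(views, "38.230.3.46")
    for name, hit in result.items():
        print(name, hit)
    print("origin differs between views:", diverges)
```

Running the same comparison against full table dumps from several vantage points is a way to spot a monitored address whose covering prefix or origin differs between views.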