North American Network Operators Group

Re: Kenyan Route Hijack

  • From: Jeff Aitken
  • Date: Mon Mar 17 08:52:49 2008

On Sat, Mar 15, 2008 at 11:57:50AM -0600, Danny McPherson wrote:
> An interesting bit is that the current announcement on routeviews
> directly from AS 6461 has Community 6461:5999 attached:
> ...
>   6461
> from (
>       Origin IGP, metric 0, localpref 100, valid, external, best
>       Community: 6461:5999
> ...
> According to this, that community is used for "internal prefixes":
> "6461:5999 internal prefix"
> A "sh ip bgp community 6461:5999" currently yields 130 prefixes
> with Origin AS of 6461 and that community.  

Hi Danny,

Unless things have changed since I left in '05, 6461:5999 is the outbound
community set on internally-originated prefixes.  You would expect to see
it on prefixes "owned" by AS6461 (such as 216.200/16) as well as address
space announced on behalf of customers (i.e., prefixes "belonging" to
customers who have no ASN and/or no desire to run BGP).  Prefixes learned
from another customer would have :5998 and those learned from a peer would
have :5997, IIRC.  These outbound translations are/were only performed on
customer BGP sessions, which makes sense in this case since the session to
route-views is/was configured like any other customer session.  All it
really tells you is that for whatever reason, that prefix was "manually"
injected into BGP, most likely as a redist'ed static.

Anyway, it's possible that this was intended due to an AUP issue but it's
unlikely that they'd intentionally propagate the /24 in that case.  At
least when I was there, AboveNet had a separate system for injecting routes
into BGP (for TE, abuse, etc) that automatically set no-export on those
routes.  In addition to making the process a lot less error-prone it helped
contain any mistakes due to the automatic no-export.  The only time you
added a static route was when you WANTED to announce it.

Beyond that, I have no idea why 6461 would have originated this route.  My
guess would be that someone who didn't understand the implications of their
action added it as a static route for whatever reason, but that's nothing
more than a guess.  Seems like I've heard Randy voice an opinion on the
local/global thing once before. :-)
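
An added illustration, not part of the message above and not AboveNet tooling: a Python script that applies the community scheme the message recalls to collector-style output and flags prefixes that AS6461 originates as "internal" but that fall outside an inventory of expected space. The sample output, the inventory list and the function names are assumptions; only the community values and 216.200/16 come from the message.

```python
import ipaddress
import re

# Community meanings as recalled in the message above (its author marks them "IIRC").
PROVENANCE = {"6461:5999": "internal", "6461:5998": "customer", "6461:5997": "peer"}
# Assumed inventory of space AS6461 should originate; only 216.200/16 is from the message.
KNOWN_INTERNAL = [ipaddress.ip_network("216.200.0.0/16")]

# Constructed sample in the style of "show ip bgp" detail output (not real collector data).
SAMPLE = """\
BGP routing table entry for 216.200.10.0/24
  6461
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999
BGP routing table entry for 192.0.2.0/24
  6461
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5999
BGP routing table entry for 198.51.100.0/24
  6461 64500
      Origin IGP, metric 0, localpref 100, valid, external, best
      Community: 6461:5998
"""

def parse_entries(text):
    """Split the output into one dict per prefix: prefix, AS path, communities."""
    entries = []
    for block in re.split(r"(?m)^BGP routing table entry for ", text)[1:]:
        path = re.search(r"(?m)^\s+(\d+(?: \d+)*)\s*$", block)  # line of AS numbers only
        comm = re.search(r"Community:\s*(.+)", block)
        entries.append({
            "prefix": ipaddress.ip_network(block.split()[0]),
            "as_path": path.group(1).split() if path else [],
            "communities": comm.group(1).split() if comm else [],
        })
    return entries

def provenance(entry):
    """Return 'internal', 'customer', 'peer', or 'untagged' for one entry."""
    return next((PROVENANCE[c] for c in entry["communities"] if c in PROVENANCE), "untagged")

def unexpected_internal(entries):
    """Prefixes originated by 6461 and tagged 'internal' but outside the known inventory."""
    return [str(e["prefix"]) for e in entries
            if e["as_path"][-1:] == ["6461"] and provenance(e) == "internal"
            and not any(e["prefix"].subnet_of(n) for n in KNOWN_INTERNAL)]

if __name__ == "__main__":
    print(unexpected_internal(parse_entries(SAMPLE)))
```

A flagged prefix is only a candidate for review: per the message, the same community also covers space announced on behalf of customers without their own ASN, so the inventory has to include those assignments.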