BGP-Inspect update...
All, Just wanted to provide people with a quick update on the BGP-Inspect project. The BGP-Inspect website (http://bgpinspect.merit.edu) provides people with an easy to use, fast, querable interface to a subset of the data collected at routeviews. Since the last update we have added 3 additional "views", i.e. peers whose data you can query individually. These new peers are: UUNET-MCI(157.130.10.233), Verio-CA(129.250.0.11) and France-Telecom-NYC(193.251.245.6). What this means is that we are extracting information for these 3 peers in addition to the 5 that we did previously. The website now hosts data going back to Aug 1 2005, and the database has grown to over 400GB. We continue to see a moderate amount of usage with people running queries on a continual basis. Roughly speaking queries from outside North America seem to outnumber queries from within(probably an artifact of the data the site provides). One question I had for the community is just how useful is it to provide live access to data going back upto a year. Has anyone actually used such historical data in the past? The original goal of the project was to house data for upto 6 months, we are now upto 13 months. If there is not much use for it perhaps we can age out data older than say 1 year? Comments welcome(offlist). thanks -manish
Re: oof. panix sidelined by incompetence... again.
You can easily repeat the queries on the bgpinspect website to generate the same results in html files. I just bundled them up into a single pdf for convenience. thanks manish On Mon, 23 Jan 2006, Fergie wrote: Out of curiousity, why must these be in .pdf format? I mean, what's wrong with .html? Just curious, - ferg
Re: oof. panix sidelined by incompetence... again. (fwd)
I forgot to mention that you can get the RIPE data perspective on this as well by running a prefix-exact query for "166.84.0.0/16" at bgp-inspect-RIPE: http://bgpinspect.merit.edu:9090 If there are enough requests I will probably archive those as well. thanks -manish -- Forwarded message -- Date: Mon, 23 Jan 2006 11:25:58 -0500 (EST) From: Manish Karir <[EMAIL PROTECTED]> To: NANOG Subject: Re: oof. panix sidelined by incompetence... again. in case some people want to look at routeviews data for themselves, I have archived a couple of pdf file at: http://bgpinspect.merit.edu/reports.php -manish - Re: oof. panix sidelined by incompetence... again. * From: william(at)elan.net * Date: Sun Jan 22 13:34:47 2006 Can there be a confirmation of this? I see no such MOTD at http://www.panix.com/panix/help/Announcements/ and my connection to panix is fine and route I see is 166.84.0.0/17 with origin in 2033. I also checked at routeviews.org and similarly all their peers see origin in in 2033. Is there some other route that has been hijacked then or has it now ben resolved? BTW - Its interesting to note that its almost exactly one year after their domain hijacking which happened on weekend of Jan 15 & 16, 2005 (friday jan 14th to be more precise). -
Re: oof. panix sidelined by incompetence... again.
in case some people want to look at routeviews data for themselves, I have archived a couple of pdf file at: http://bgpinspect.merit.edu/reports.php -manish - Re: oof. panix sidelined by incompetence... again. * From: william(at)elan.net * Date: Sun Jan 22 13:34:47 2006 Can there be a confirmation of this? I see no such MOTD at http://www.panix.com/panix/help/Announcements/ and my connection to panix is fine and route I see is 166.84.0.0/17 with origin in 2033. I also checked at routeviews.org and similarly all their peers see origin in in 2033. Is there some other route that has been hijacked then or has it now ben resolved? BTW - Its interesting to note that its almost exactly one year after their domain hijacking which happened on weekend of Jan 15 & 16, 2005 (friday jan 14th to be more precise). -
Announce: BGP-Inspect sites for non-routeviews data...
All, I wanted to drop a quick note to let people know about the availability of additional BGP-Inspect sites based on data other than the routeviews data which we have been supporting till now. This should provide much better visibility than before. The new sites are: - BGP-Inspect-RIPE(http://bgpinspect.merit.edu:9090): RIPE BGP update data, Data from Dec 8 2005 onwards - BGP-Inspect-Merit(http://bgpinspect.merit.edu:8080): Merit BGP update data, Data from Nov 11 2005 onwards They can also be reached from the "about" page in the main site: http://bgpinspect.merit.edu Also, a new feature that we wanted to announce that has not seen a lot of use is the ability to select multiple "peers" in a single query. This allows you to query for a prefix/AS across multiple peers with a single query. Just hold down the ctrl key to select the peers you wish to query. Comments are welcome (offlist please). thanks manish
RE: [afnog] ARIN to allocate from 74/8 & 75/8
I put up some pre-run queries for these prefixes based on the routeviews data at: http://bgpinspect.merit.edu/reports.php But you can probably run these yourself if you like. From the perspective of atleast the 5 routeviews peers we track(att, level3,aol,sprint,glx), all prefixes are pretty much visible by now, what is perhaps more interesting is that it looks like these(and a bunch more) were being incorrectly announced by AS9802 prior to Aug 30th. -manish Date: Wed, 21 Sep 2005 08:38:11 -0400 From: "Hannigan, Martin" <[EMAIL PROTECTED]> Subject: RE: [afnog] ARIN to allocate from 74/8 & 75/8 if it's useful, i'd be happy to report what percentage of my peers have/don't have routes to these prefixes. I'd be interested.=20 Best, -
Re: 12/8 problems? (fwd)
-- Forwarded message -- Date: Wed, 14 Sep 2005 16:39:54 -0400 (EDT) From: Manish Karir <[EMAIL PROTECTED]> To: nanog@merit.edu Subject: Re: 12/8 problems? I'm sorry I'm a bit late on this thread but wanted to point out that you can view some of the relevant information on this, as seen from routeviews at: http://bgpinspect.merit.edu - At the bottom half of the page, select routeviews peer, e.g. sprint - select "Prefix-Exact" as query type - Enter prefix into the Query box: "12.0.0.0/8" (without the quotes) - Select start date as Aug 25, select end date as Sept 14 - Click submit-query. Alternately you can just get the pdf files of the results page from the above queries from the following 2 links: http://bgpinspect.merit.edu/reports/glx-12-8.pdf http://bgpinspect.merit.edu/reports/sprint-12-8.pdf After a few more cleanups and changes, we will be re-announcing the bgp-inspect project hopefully before the next nanog mtg. as a generally available service. thanks manish Date: Mon, 12 Sep 2005 18:02:29 -0400 From: Richard A Steenbergen <[EMAIL PROTECTED]> Subject: Re: 12/8 problems? On Sat, Sep 10, 2005 at 06:15:38AM -0700, Eric Louie wrote: FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s. - -- Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) --
Announce: BGP::Inspect
All, Merit Network and the University of Maryland would like to announce the beta release of a BGP update messages research tool that might be of use to the NANOG community. The tool is called BGP::Inspect. The goal is to make the vast quantities of Routeviews data easily accesible to the network operator and research community. This involves not just allowing people to query and obtain the update messages, but also providing some simple analysis and statistics on the data which can help in locating anomalies and problems. At this point we feel that we could really benefit from some feedback from the community. A beta release of our prototype is available at: http://weasel.merit.edu:9191/ This version has been initialized with a limited amount of data. It currently provides information regarding 5 of the 40 routeview peers, and only contains data for the time period from Dec 20 - Jan 6. The basic interface has been kept simple. There are 2 types of queries that can be run "Summary Queries" and "Raw Data Analysis". The summary queries allow users to quickly focus on potential trouble spots(as observed at the routeview peers). Basic queries include things like most active ASes, most active prefixes, as well as prefixes that exhibited the most number of changes in their OriginAS. The second type of queries, "Raw Data Analysis" can be used to obtain information regarding specific ASes or prefixes for a given time range. A query for a specific AS will return not only the various prefixes announced by that AS, the times, paths, and communities, but also summary stats including total number of announcements in that time period and the number of unique prefixes announced in that time period. A 7 day summary graph is also returned which summarized the most recent activity as seen originating from that AS. A similar query for a specific prefix will return times, types(announce/withdraw), aspaths and communities from update messages as well as summary statistics that indicate the min/max/avg AS path length as seen over the query time interval, the number of originAS changes as well as the number of unique ASes that announced that prefix. A summary graph indicating the activity of that prefix over the last 7 days is also displayed. In a lot of ways this tool complements the Search by AS/Prefix tools from RIPE, BGP Monitor from MIT, and LinkRank from UCLA. The more views from different vantage points the better. In addition there is a real effort with BGP::Inspect to provide not simply access to the raw data, but some simple analysis and summary statistics as well. The hope is that people no longer need to write custom parsers to be able to extract the information they need. We would appreciate any and all feedback from the NANOG community. In particular, it would be instructive to us to learn what are some other "typical" queries that we could add, in addition to the the "Top 20 most active ASes/Prefixes" and "Top 20 prefixes which have most number of origin AS changes." What are some other basic questions that researchers and network operators ask when attempting to analyze problems. Please send feedback offlist to: [EMAIL PROTECTED] thanks manish karir
Re: IPv6, IPSEC and deep packet inspection
> -- > > Date: Fri, 31 Dec 2004 17:32:24 + (GMT Standard Time) > From: Sam Stickland <[EMAIL PROTECTED]> > Subject: IPv6, IPSEC and deep packet inspection > > Since IPSEC is an integral part of IPv6 won't this have an affect on the > deep packet inspection firewalls? Is this type of inspection expected to > work in IPv6? > > Perhaps using some kind of NAP the firewall is allowed to speak on behalf > of the host(s) it firewalls, so that to the client it appears to be the > firewall itself appears to be the IPSEC endpoint? > > Sam Some related issues as they apply to IPv4, were discussed in the following: IPSEC and the Internet: http://techreports.isr.umd.edu/reports/1999/MS_99-14.pdf as well as: A Multi-Layer IP Security Protocol for TCP Performance Enhancement in Wireless Networks: http://www.yongguangzhang.net/papers/jsac04.html Both of the above essentially proposed using a layering scheme that differentiates between keys used to encrypt different parts of a packet, this would allow people the flexibility to then selectively disclose keys as necessary for the deep packet inspector boxes to work, without compromising the security of the entire packet payload. In this approach, the "middlebox" does not have to be an IPSEC end-point. Both of the above argued that without such layering, IPSEC would essentially render any network monitoring or analysis based on information deeper than the IP hdr, useless(which is actually the intent of IPSEC). -manish
