Present at The Tools Track at NANOG 50
Dear all, The Tools track at NANOG Atlanta is a chance to talk about and discover non-commercial network tools of interest to network operations. If you have open-source or non-commercial software that you wrote or use and is relevant to NANOG, consider presenting at this NANOGs Tools Track. Please get in touch with me directly if you are attending NANOG 50 and interested. Thanks Mohit
Tools BOF at NANOG-48
Dear all, I am planning on organizing the Network Tools BOF at NANOG-48 with the objective of presenting interesting and useful non-commercial tools that have a fairly widespread appeal. Tool owners would make short presentations and show usefulness of the tool with case studies. If you have developed or know of a tool/package that you would like to include, please send me an email directly. As part of the tools BOF, I also plan to run a short 15-20 min "Tools roundup" outlining the most common non-commercial tools used for day to day networking tasks. The objective of this is not to present details of tools, but rather a rough taxonomy. Feel free to suggest tools you find useful. Thanks -Mohit
Re: Potential Prefix Hijack
The local scope of the event is also the reason that PHAS did not catch the hijack. Nevertheless, its good to have different services for hijack detection running independently, especially if they are getting different feeds. Even a hijack that is local in scope is worth alerting about; if not anything, at least to ensure it stays local :) -Mohit On Nov 12, 2008, at 4:52 AM, Eduardo Ascenço Reis wrote: Dear Fellows, I would like to add some information to this thread from AS27664 perspective. Both AS27664 (CTBC Multimídia) and AS22548 (Nic.br) share two common points: 1. They are IP transit customers from AS16735 (CTBC Telecom). 2. They feed with full BGP routing table the RIS/RIPE project located at PTTMetro-SP, Brazil (rrc15). I checked all BGP updates of 2008111[01] from Route Views Archive Project [1] and looked for prefixes originated by AS16735. I compared those with the prefixes officially allocated by Registro.br to AS16735 [2] and did not find any case o prefixes from different AS. This analyses confirms that yesterday AS16735 issue of IP prefixes Hijacking was not globally propagated. It seems that only some AS16735's Internet customers (like AS27664 and AS22548) were affect by this problem. Regards, -- Eduardo Ascenço Reis [1] http://archive.routeviews.org/ [2] https://registro.br/cgi-bin/whois/
Re: NANOG Digest, Vol 10, Issue 46
Since this thread started as comparison of the tools, there are two issues 1. Which BGP feeds the tools use? RIPE, RouteViews, other private feeds. 2. How they decide what to send and what not to send? In this case, BGPMon detected an event that was not detected by others, and there might be other hijacks that were local in scope where PHAS or Watchmy might catch something that BGPMon does not. But that does not make one tool better than the other, unless this pattern is repeated. Eventually all tools will catch up with each other on the feeds (or so is the hope), so the difference will then lie in "the decision of what to send and what to drop", and as Todd mentioned, thresholding is very critical here. Mohit Date: Thu, 13 Nov 2008 20:27:32 + > From: "Alexander Harrowell" <[EMAIL PROTECTED]> > Subject: Re: Prefix Hijack Tool Comaprision > To: Todd Underwood <[EMAIL PROTECTED]> > Cc: nanog@nanog.org > > OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great. > > - original message - > Subject:Re: Prefix Hijack Tool Comaprision > From: Todd Underwood <[EMAIL PROTECTED]> > Date: 13/11/2008 8:05 pm > > alexander, all, > > On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote: > > It may be the North American NOG, but it's been said before that it > > functions as a GNOG, G for Global. I don't think Brazil is > > insignificant. I respect Todd's work greatly, but I think he's wrong > > on this point. > > you misread me. > > i did not say that brazil was insignificant. it's not. it has some of > the fastest growing internet in latin america. > > i said that *this* hijacking took place in an insignificant corner of > the internet. i mean this AS-map wise rather than geographically. > this hijacking didn't even spread beyond one or two ASes, one of whom > just happened to be a RIPE RIS peer. > > real hijackings leak into dozens or hundreds or thousands of ASNs. > they spread far and wide. that's why people carry them out, when they > do. this one was stopped in its tracks in a very small portion of one > corner of the AS graph. > > as such, i don't count it as a hijacking or leak of any great > significance and wouldn't want to alert anyone about it. that's why i > recommend that prefix hijacking detection systems do thresholding of > peers to prevent a single, rogue, unrepresentative peer from reporting > a hijacking when none is really happening. others may have a > different approach, but without thresholding prefix alert systems can > be noisy and more trouble than they are worth. > > sorry if it appears that i was denegrating .br . i was not. > > t. > > -- > _ > todd underwood +1 603 643 9300 x101 > renesys corporation > [EMAIL PROTECTED] http://www.renesys.com/blog > > > >
Re: Prefix Hijack Tool Comaprision
Sorry for the subject line in the previous message :-) Since this thread started as comparison of the tools, there are two issues 1. Which BGP feeds the tools use? RIPE, RouteViews, other private feeds. 2. How they decide what to send and what not to send? In this case, BGPMon detected an event that was not detected by others, and there might be other hijacks that were local in scope where PHAS or Watchmy might catch something that BGPMon does not. But that does not make one tool better than the other, unless this pattern is repeated. Eventually all tools will catch up with each other on the feeds (or so is the hope), so the difference will then lie in "the decision of what to send and what to drop". Mohit Date: Thu, 13 Nov 2008 20:27:32 + > From: "Alexander Harrowell" <[EMAIL PROTECTED]> > Subject: Re: Prefix Hijack Tool Comaprision > To: Todd Underwood <[EMAIL PROTECTED]> > Cc: nanog@nanog.org > > OK. This seems to be a flaw in RIPE RIS, a pity because BGPlay is great. > > - original message - > Subject:Re: Prefix Hijack Tool Comaprision > From: Todd Underwood <[EMAIL PROTECTED]> > Date: 13/11/2008 8:05 pm > > alexander, all, > > On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote: > > It may be the North American NOG, but it's been said before that it > > functions as a GNOG, G for Global. I don't think Brazil is > > insignificant. I respect Todd's work greatly, but I think he's wrong > > on this point. > > you misread me. > > i did not say that brazil was insignificant. it's not. it has some of > the fastest growing internet in latin america. > > i said that *this* hijacking took place in an insignificant corner of > the internet. i mean this AS-map wise rather than geographically. > this hijacking didn't even spread beyond one or two ASes, one of whom > just happened to be a RIPE RIS peer. > > real hijackings leak into dozens or hundreds or thousands of ASNs. > they spread far and wide. that's why people carry them out, when they > do. this one was stopped in its tracks in a very small portion of one > corner of the AS graph. > > as such, i don't count it as a hijacking or leak of any great > significance and wouldn't want to alert anyone about it. that's why i > recommend that prefix hijacking detection systems do thresholding of > peers to prevent a single, rogue, unrepresentative peer from reporting > a hijacking when none is really happening. others may have a > different approach, but without thresholding prefix alert systems can > be noisy and more trouble than they are worth. > > sorry if it appears that i was denegrating .br . i was not. > > t. > > -- > _ > todd underwood +1 603 643 9300 x101 > renesys corporation > [EMAIL PROTECTED] http://www.renesys.com/blog > > > >
