Hi, the tables bellow show the number of /24 IP blocks per AS that are unreachable in an RPKI route origin validating environment (this list is filtered for NL ASNs). I'd encourage everyone to look into the ROAs of affected prefixes (or to ask the customer / IP holder responsible for it). You can use the RPKI validator https://rpki-validator.ripe.net/bgp-preview or https://bgp.he.net (prefix view) to find the specific affected prefixes. If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email). some more context: https://medium.com/@nusenu/where-are-rpki-unreachable-networks-located-65c7a... kind regards, nusenu +----------+----------------------------------------------------------------+---------------+ | ASN | (announcing) AS Name | /24 netblocks | +----------+----------------------------------------------------------------+---------------+ | AS51088 | A2B - A2B IP B.V. | 16 | | AS15562 | SNIJDERS - Job Snijders | 8 | | AS205333 | ARCADIZ-NL - Arcadiz Networks BV | 4 | | AS50245 | SERVEREL-AS - Serverel Inc. | 3 | | AS12506 | INSPIRING-NETWORKS-BV - Inspiring Networks BV | 3 | | AS60781 | LEASEWEB-NL-AMS-01 - LeaseWeb Netherlands B.V. | 3 | | AS136175 | SERVERHOSH-AS-AP Serverhosh Internet Service | 2 | | AS49453 | GLOBALLAYER - Global Layer B.V. | 2 | | AS49981 | WORLDSTREAM - WorldStream B.V. | 2 | | AS64484 | ASDMZHOST - JUPITER 25 LIMITED | 2 | | AS56630 | MELBICOM-EU-AS - Melbikomas UAB | 1 | | AS43350 | NFORCE - NForce Entertainment B.V. | 1 | | AS206376 | INTELLECTICAINDIA - Intellectica Systems India Private Limited | 1 | +----------+----------------------------------------------------------------+---------------+ Unreachable /48 IPv6 blocks: +----------+-----------------------------+---------------+ | ASN | (announcing) AS Name | /48 netblocks | +----------+-----------------------------+---------------+ | AS202196 | BOOKING-BV - Booking.com BV | 3 | +----------+-----------------------------+---------------+ -- https://twitter.com/nusenu_
On Wed, Sep 26, 2018 at 11:27:00AM +0000, nusenu wrote:
the tables bellow show the number of /24 IP blocks per AS that are unreachable in an RPKI route origin validating environment (this list is filtered for NL ASNs).
I'd encourage everyone to look into the ROAs of affected prefixes (or to ask the customer / IP holder responsible for it).
You can use the RPKI validator https://rpki-validator.ripe.net/bgp-preview or https://bgp.he.net (prefix view) to find the specific affected prefixes.
If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email).
I can confirm my invalids are for testing purposes :-)
some more context: https://medium.com/@nusenu/where-are-rpki-unreachable-networks-located-65c7a...
+----------+----------------------------------------------------------------+---------------+ | ASN | (announcing) AS Name | /24 netblocks | +----------+----------------------------------------------------------------+---------------+ | AS51088 | A2B - A2B IP B.V. | 16 | | AS15562 | SNIJDERS - Job Snijders | 8 | | AS205333 | ARCADIZ-NL - Arcadiz Networks BV | 4 | | AS50245 | SERVEREL-AS - Serverel Inc. | 3 | | AS12506 | INSPIRING-NETWORKS-BV - Inspiring Networks BV | 3 | | AS60781 | LEASEWEB-NL-AMS-01 - LeaseWeb Netherlands B.V. | 3 | | AS136175 | SERVERHOSH-AS-AP Serverhosh Internet Service | 2 | | AS49453 | GLOBALLAYER - Global Layer B.V. | 2 | | AS49981 | WORLDSTREAM - WorldStream B.V. | 2 | | AS64484 | ASDMZHOST - JUPITER 25 LIMITED | 2 | | AS56630 | MELBICOM-EU-AS - Melbikomas UAB | 1 | | AS43350 | NFORCE - NForce Entertainment B.V. | 1 | | AS206376 | INTELLECTICAINDIA - Intellectica Systems India Private Limited | 1 | +----------+----------------------------------------------------------------+---------------+
Unreachable /48 IPv6 blocks: +----------+-----------------------------+---------------+ | ASN | (announcing) AS Name | /48 netblocks | +----------+-----------------------------+---------------+ | AS202196 | BOOKING-BV - Booking.com BV | 3 | +----------+-----------------------------+---------------+
This is great work nusenu, and perhaps should be turned into a monthly report? I think NLNOG would appreciate such a service. Kind regards, Job
If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email).
I can confirm my invalids are for testing purposes :-)
thanks for confirming, I'll exclude AS15562 from future reports.
This is great work nusenu, and perhaps should be turned into a monthly report? I think NLNOG would appreciate such a service.
if monthly automated emails to this list are ok, sure. Maybe it make sense to stop sending them if a certain threshold is reached (i.e. <5 blocks) or if no change is observed over a longer period of time (6 months?). Will schedule the next report for Nov 2018. -- https://twitter.com/nusenu_
Hi,
This is great work nusenu, and perhaps should be turned into a monthly report? I think NLNOG would appreciate such a service.
if monthly automated emails to this list are ok, sure.
Maybe it make sense to stop sending them if a certain threshold is reached (i.e. <5 blocks) or if no change is observed over a longer period of time (6 months?).
Hmmm, I still would like to see if nothing changes over a longer period of time. I would be curious to see if with internal NLNOG pressure, we can make the list shorter over time...
Will schedule the next report for Nov 2018.
--
Wonderful, thanks for the work, nusenu. Nathalie
Hi, Ive informed my colleagues working with some of the names below to chase them as well or inform them if they’re not on the mailing list. Cheers, Melchior
Op 26 sep. 2018 om 14:21 heeft Nathalie Trenaman <nathalie@ripe.net> het volgende geschreven:
Hi,
This is great work nusenu, and perhaps should be turned into a monthly report? I think NLNOG would appreciate such a service.
if monthly automated emails to this list are ok, sure.
Maybe it make sense to stop sending them if a certain threshold is reached (i.e. <5 blocks) or if no change is observed over a longer period of time (6 months?).
Hmmm, I still would like to see if nothing changes over a longer period of time. I would be curious to see if with internal NLNOG pressure, we can make the list shorter over time...
Will schedule the next report for Nov 2018.
--
Wonderful, thanks for the work, nusenu.
Nathalie
_______________________________________________ NLNOG mailing list NLNOG@nlnog.net http://mailman.nlnog.net/listinfo/nlnog
Melchior Aelmans:
Ive informed my colleagues working with some of the names below to chase them as well or
inform them if they’re not on the mailing list.
thanks, appreciated! -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
Hi All, Just as a heads-up, we are updating the AS202196 Booking.com IPv6 bit asap. That one was a bit of an experimental prefix that kind of got overlooked. We will do another total overhaul soon to make sure we aren't missing anything else. Appreciate the feedback, keeps us honest. /Onur Booking.com AS43996/AS202196 On Wed, 26 Sep 2018 at 14:36, nusenu <nusenu-lists@riseup.net> wrote:
Melchior Aelmans:
Ive informed my colleagues working with some of the names below to chase them as well or
inform them if they’re not on the mailing list.
thanks, appreciated!
-- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
_______________________________________________ NLNOG mailing list NLNOG@nlnog.net http://mailman.nlnog.net/listinfo/nlnog
On 2018-09-26 14:16, nusenu wrote:
If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email).
I can confirm my invalids are for testing purposes :-)
thanks for confirming, I'll exclude AS15562 from future reports.
Isn't is a better approach to only exclude the current false positive prefixes? If Job starts announcing a new prefix and he makes a mistake in his ROAs (yes, even Job can make mistakes... ;) ) I'm sure he want to know about it. I have no idea how much effort this is in your code, but it sounds to me like a better approach :). Thanks for the report though, I think this is a useful tool. Kind regards, Cybertinus
On 26 Sep 2018, at 14:44, Cybertinus <nlnog@cybertinus.nl> wrote:
On 2018-09-26 14:16, nusenu wrote:
If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email). I can confirm my invalids are for testing purposes :-) thanks for confirming, I'll exclude AS15562 from future reports.
Isn't is a better approach to only exclude the current false positive prefixes? If Job starts announcing a new prefix and he makes a mistake in his ROAs (yes, even Job can make mistakes... ;) ) I'm sure he want to know about it. I have no idea how much effort this is in your code, but it sounds to me like a better approach :).
Thanks for the report though, I think this is a useful tool.
Not that I don’t appreciate the work that nusenu did here, on the contrary. I just want to make everyone aware that there is a notification feature in the RPKI Dashboard of the LIR Portal (look in the top right corner, next to certified resources). As soon as something turns either UNKNOWN or INVALID (you can choose) you’ll get a daily alert email. The dashboard will also allow you to mute purposely invalid announcements, like the one that Job has. I suggest everyone subscribes their noc to this service. Cheers, Alex
Hi Nusenu, Can you provide insight in where we can find the actual data that you are looking at ? I could only find 4 /24's (from one customer) and when I wrote them to fix it, they stated that they already updated quite a lot in the last 24 hrs. So not sure how much of the stated 18 was theirs, hence the question. Regardless I would like to see how you got to the numbers and if you have the associated prefixes with them so we can verify it. Regards, Erik Bais A2B Internet - AS51088 On 26/09/2018, 13:55, "NLNOG on behalf of nusenu" <nlnog-bounces@nlnog.net on behalf of nusenu-lists@riseup.net> wrote: Hi, the tables bellow show the number of /24 IP blocks per AS that are unreachable in an RPKI route origin validating environment (this list is filtered for NL ASNs). I'd encourage everyone to look into the ROAs of affected prefixes (or to ask the customer / IP holder responsible for it). You can use the RPKI validator https://rpki-validator.ripe.net/bgp-preview or https://bgp.he.net (prefix view) to find the specific affected prefixes. If the invalids are expected (i.e. to test ROV) - like Job's prefixes are I suppose - than you can ignore this email (and maybe drop me an email). some more context: https://medium.com/@nusenu/where-are-rpki-unreachable-networks-located-65c7a... kind regards, nusenu +----------+----------------------------------------------------------------+---------------+ | ASN | (announcing) AS Name | /24 netblocks | +----------+----------------------------------------------------------------+---------------+ | AS51088 | A2B - A2B IP B.V. | 16 | | AS15562 | SNIJDERS - Job Snijders | 8 | | AS205333 | ARCADIZ-NL - Arcadiz Networks BV | 4 | | AS50245 | SERVEREL-AS - Serverel Inc. | 3 | | AS12506 | INSPIRING-NETWORKS-BV - Inspiring Networks BV | 3 | | AS60781 | LEASEWEB-NL-AMS-01 - LeaseWeb Netherlands B.V. | 3 | | AS136175 | SERVERHOSH-AS-AP Serverhosh Internet Service | 2 | | AS49453 | GLOBALLAYER - Global Layer B.V. | 2 | | AS49981 | WORLDSTREAM - WorldStream B.V. | 2 | | AS64484 | ASDMZHOST - JUPITER 25 LIMITED | 2 | | AS56630 | MELBICOM-EU-AS - Melbikomas UAB | 1 | | AS43350 | NFORCE - NForce Entertainment B.V. | 1 | | AS206376 | INTELLECTICAINDIA - Intellectica Systems India Private Limited | 1 | +----------+----------------------------------------------------------------+---------------+ Unreachable /48 IPv6 blocks: +----------+-----------------------------+---------------+ | ASN | (announcing) AS Name | /48 netblocks | +----------+-----------------------------+---------------+ | AS202196 | BOOKING-BV - Booking.com BV | 3 | +----------+-----------------------------+---------------+ -- https://twitter.com/nusenu_
Hi Erik, Erik Bais wrote:
Can you provide insight in where we can find the actual data that you are looking at ?
I use a local RPKI validator instance as data source https://rpki-validator.ripe.net/bgp-preview + RIPEstat for country and ASN name data. I can confirm that all 16 /24 blocks that were INVALID and unreachable at 2018-09-24 22:17 UTC are RPKI VALID now (2018-09-26 13:18 UTC) - great! Thanks a lot for fixing / getting them fixed so fast! If unreachable invalids get fixed at this rate I guess we don't need any RPKI unreachable report for NLNOG in Nov 2018 anymore ;) kind regards, nusenu since RPKI validator and RIPEstat does not support historical lookups, here is the list of prefixes that used to be unreachable in AS51088 (they are all valid and reachable now) +---------------------+-----------------+-------------+----------------+ | timestamp | prefix | reason | announcing_asn | +---------------------+-----------------+-------------+----------------+ | 2018-09-24 22:17:00 | 37.156.247.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 84.247.25.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 85.204.117.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 86.105.148.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 86.105.221.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 89.32.188.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 89.33.2.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 89.34.77.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 89.34.217.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 92.114.0.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 93.114.67.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 94.177.60.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 94.177.63.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 185.160.81.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 188.215.67.0/24 | INVALID_ASN | AS51088 | | 2018-09-24 22:17:00 | 188.240.73.0/24 | INVALID_ASN | AS51088 | +---------------------+-----------------+-------------+----------------+ -- https://twitter.com/nusenu_
participants (8)
-
Alex Band -
Cybertinus -
Erik Bais -
Job Snijders -
Melchior Aelmans -
Nathalie Trenaman -
nusenu -
Onur Yirmibesoglu