rhein-neckar: unknown ASN announces networks for rhein-neckar networks #519

Closed
ecsv opened this issue Sep 9, 2017 · 3 comments

@ecsv
Contributor

ecsv commented Sep 9, 2017

This is most likely an old server still announcing this stuff with the wrong ASN. At least this one was used before 3a4a9b2 ("Update rhein-neckar (#475)")

  • 10.142.0.0/16 ASN 76118
  • 10.142.104.0/22 ASN 76118

This currently breaks the ROA checks on other BGP peers because icvpn's mkroa generates them from icvpn-meta.

@nazco, @Nurtic-Vibe

@ecsv
Contributor Author

ecsv commented Sep 10, 2017

@nazco, @Nurtic-Vibe Btw. looks like it also fails having a direct connection:

```
Sep 10 00:51:53 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 00:55:14 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 01:10:26 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 01:34:38 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 01:49:59 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 04:01:52 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 04:46:04 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 06:42:43 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 10:05:43 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 10:10:14 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 10:30:53 vpn03 bird6[19663]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 10:47:40 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
Sep 10 10:49:50 vpn03 bird[26134]: icvpn_rhein_neckar: Error: Bad peer AS: 76118
```

```
$ birdc show protocols icvpn_rhein_neckar
BIRD 1.6.3 ready.
name     proto    table    state  since       info
icvpn_rhein_neckar BGP      master   start  11:24:52    Idle          Received: Bad peer AS
$ birdc6 show protocols icvpn_rhein_neckar
BIRD 1.6.3 ready.
name     proto    table    state  since       info
icvpn_rhein_neckar BGP      master   start  11:26:24    Idle          Received: Bad peer AS
```

So it is using an "incorrect" ASN (which is not in the icvpn-meta file) all the time. Here is the complete OPEN message from rhein-neckar IPv6:

```
Frame 2923: 147 bytes on wire (1176 bits), 147 bytes captured (1176 bits)
Ethernet II, Src: 72:51:a7:15:7a:bd (72:51:a7:15:7a:bd), Dst: e6:f8:0c:30:51:dc (e6:f8:0c:30:51:dc)
Internet Protocol Version 6, Src: fec0::a:cf:0:142, Dst: fec0::a:cf:0:25
Transmission Control Protocol, Src Port: 42838, Dst Port: 179, Seq: 1, Ack: 1, Len: 61
Border Gateway Protocol - OPEN Message
    Marker: ffffffffffffffffffffffffffffffff
    Length: 61
    Type: OPEN Message (1)
    Version: 4
    My AS: 23456
    Hold Time: 180
    BGP Identifier: 172.23.138.1
    Optional Parameters Length: 32
    Optional Parameters
        Optional Parameter: Capability
            Parameter Type: Capability (2)
            Parameter Length: 6
            Capability: Multiprotocol extensions capability
                Type: Multiprotocol extensions capability (1)
                Length: 4
                AFI: IPv4 (1)
                Reserved: 00
                SAFI: Unicast (1)
        Optional Parameter: Capability
            Parameter Type: Capability (2)
            Parameter Length: 6
            Capability: Multiprotocol extensions capability
                Type: Multiprotocol extensions capability (1)
                Length: 4
                AFI: IPv6 (2)
                Reserved: 00
                SAFI: Unicast (1)
        Optional Parameter: Capability
            Parameter Type: Capability (2)
            Parameter Length: 2
            Capability: Route refresh capability (Cisco)
                Type: Route refresh capability (Cisco) (128)
                Length: 0
        Optional Parameter: Capability
            Parameter Type: Capability (2)
            Parameter Length: 2
            Capability: Route refresh capability
                Type: Route refresh capability (2)
                Length: 0
        Optional Parameter: Capability
            Parameter Type: Capability (2)
            Parameter Length: 6
            Capability: Support for 4-octet AS number capability
                Type: Support for 4-octet AS number capability (65)
                Length: 4
                AS Number: 76118
```
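
Added example (not part of the original issue and not code from icvpn or BIRD): a small parser for the OPEN message dissected above, showing how the 2-octet "My AS" field carries the placeholder 23456 while the 4-octet AS capability carries 76118, the value the receiver compares against its configured neighbour AS. The message bytes are reconstructed from the dissection's field values, and `EXPECTED_AS` is a placeholder because the issue does not state the ASN configured for this peer.

```python
import struct

CAP_FOUR_OCTET_AS = 65  # RFC 6793 capability that carries the real ASN
EXPECTED_AS = 64512     # placeholder (private-use ASN); not given in the issue
# Constructed from the field values in the dissection above (61 bytes).
OPEN_MSG = bytes.fromhex(
    "ff" * 16 + "003d" "01"             # marker, length 61, type OPEN
    "04" "5ba0" "00b4" "ac178a01" "20"  # v4, My AS 23456, hold 180, ID, opt len 32
    "0206010400010001"                  # multiprotocol: IPv4 unicast
    "0206010400020001"                  # multiprotocol: IPv6 unicast
    "02028000" "02020200"               # route refresh (Cisco), route refresh
    "0206410400012956"                  # 4-octet AS capability: 76118
)

def parse_open(msg):
    """Return (my_as, hold_time, bgp_id, [(cap_code, cap_value), ...])."""
    if len(msg) < 29 or msg[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if mtype != 1 or version != 4 or length != len(msg) or 29 + opt_len != length:
        raise ValueError("malformed OPEN message")
    caps, pos = [], 29
    while pos < length:
        ptype, plen = msg[pos:pos + 2]  # ValueError if only one byte is left
        param = msg[pos + 2:pos + 2 + plen]
        if len(param) != plen:
            raise ValueError("truncated optional parameter")
        pos += 2 + plen
        i = 0
        while ptype == 2 and i < plen:  # parameter type 2 = Capabilities
            code, clen = param[i:i + 2]
            value = param[i + 2:i + 2 + clen]
            if len(value) != clen:
                raise ValueError("truncated capability")
            caps.append((code, value))
            i += 2 + clen
    return my_as, hold, ".".join(map(str, bgp_id)), caps

def peer_asn(msg):
    """ASN the speaker claims: capability 65, if present, overrides My AS."""
    my_as, _, _, caps = parse_open(msg)
    for code, value in caps:
        if code == CAP_FOUR_OCTET_AS and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return my_as

def check_peer(msg, expected_as=EXPECTED_AS):
    asn = peer_asn(msg)  # same comparison that yields "Bad peer AS" on mismatch
    return asn == expected_as, asn
```
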

@leahoswald
Contributor

We are currently rebuilding our ICVPN setup, so there shouldn't be an announcement of our prefixes from our old peering point. But I see that the VPN connections and some peerings with the old ASN are still up. For the moment I will shut down the VPN to mitigate the wrong ASN problem.

@ecsv
Contributor Author

ecsv commented Sep 17, 2017

Will close this now. It wasn't a failure in the icvpn-meta data but a misconfiguration on the rhein-neckar server - which was disabled to work around the problem.
