Bonjour, Y’all! ASN Split Personalities

September 25, 2014 Doug Madory
bonojour

bonjour=f

Remember when the telephone company came to your house to hook up your phone and gave you a new phone number? This new number was how your friends and family were going to contact you. You counted on the telephone company to ensure that someone hadn’t already been issued that number, because if they had, various problems would ensue. What would happen when your mom tried to call your number if it was also assigned to someone else? Could you directly call the other party to work out the problem? Well, in the BGP realm, something similar has been happening with autonomous system numbers (ASNs).

Organizations need an ASN to run BGP and route on the Internet. They are each assigned globally unique ASN(s) by their local Regional Internet Registry (RIR), who get them from IANA. A few weeks ago, the NANOG folks noticed that AS1712 had been registered by two different organizations (in France and Texas) that were both using the number to announce their separate network prefixes. ARIN issued a statement conveying that they were aware of the problem and were working to resolve it. We took a look at the data and found that AS1712 isn’t the only dually-assigned ASN out there. In fact, even a root server didn’t escape unscathed.

First let me introduce myself: I’m Doug Madory, the newest member of the Renesys team. I came to Hanover, NH to do grad school and after a two-year stint as a medical center ISO, I jumped at the chance to be part of the cool work that goes on at Renesys. As part of my initiation here, I was handed the task to see if I could find any other examples of dually-assigned ASNs in the various RIRs — particularly ones that are currently in use. This isn’t as easy as it sounds, but we will get to that in a moment.

Knowing how to direct packets from an Internet café in Singapore to a network in Buenos Aires is what the Internet routers do. BGP is the protocol Internet routers use to communicate changes in routes from one autonomous system (an organization on the Internet) to another. Each autonomous system is assigned a unique number, its ASN.

These ASNs are primarily used to avoid routing loops (i.e. you shouldn’t be learning about your networks from your AS neighbors!). This is called loop detection and operates correctly only if ASNs are unique. No two RIRs are supposed to give out the same IP addresses or the same ASNs, otherwise we’ll have bedlam — but this has happened!

In November 2009, it was noted in a NANOG list discussion, AS1712 has been doubly assigned to both a Texas-based organization by ARIN and an organization in Paris, France by RIPE. They were simultaneously using their ASN to announce their respective network prefixes to the world.

style=’border-collapse:collapse;border:none;mso-yfti-tbllook:1184;mso-padding-alt:
0in 5.4pt 0in 5.4pt;mso-border-insideh:none;mso-border-insidev:none’>

$ whois -h whois.ripe.net AS1712
...
% Information related to 'AS1712'
aut-num: AS1712
as-name: FR-RENATER-ENST
descr:   Ecole Nationale Superieure
des Telecommunications,
descr:   Paris, France.
$ whois -h whois.arin.net AS1712
...
OrgName:    Twilight Communications
OrgID:      TWILI
Address:    1674 Kosik Ln
City:       Wallis
StateProv:  TX
PostalCode: 77485
Country:    US
ASNumber:   1712
ASName:     TWLT
ASHandle:   AS1712

 

According to IANA, AS1712 is to be assigned by ARIN, not RIPE. However, according to RIPE’s records it appears that many AS numbers in the 1700’s were assigned by RIPE in 1993 and therefore AS1712 could have been assigned by RIPE in the swamp days before ARIN even existed.

AS 1712 isn’t the only case of this…

Other doubly-assigned ASNs in the 17XX range include:

  • AS1708 (RIPE: Renater, ARIN: Abacus, San Francisco, CA)
  • AS1715 (RIPE: Renater, ARIN: Harrier Hawk Management LLC, NY, NY)
  • AS1716 (RIPE: Renater, ARIN: Critical Data Network, San Diego, CA)
  • AS1723 (RIPE: Renater, ARIN: Twilight Communications, TX)

ARIN believes that they have worked to fix the problem on the 17XX range, but doubly-assigned ASNs are not limited to the 1700’s as evidenced by:

  • AS3745 (RIPE: Volkswagen, ARIN: Perot Systems, Auburn Hills, MI)
  • AS35868 (RIPE: Internet Software Consortium, ARIN: Logix3).

In each of these examples, ASNs are both registered and are actively announcing prefixes for different organizations. We have alerted those responsible for these networks of the mix-up. What is fascinating is: why didn’t someone check when the duplicate assignment was made? Anyone can query the databases of the five RIRs from the Linux command line in the following way:

$ whois -h whois.arin.net AS1712
$ whois -h whois.ripe.net AS1712
$ whois -h whois.afrinic.net AS1712
$ whois -h whois.apnic.net AS1712
$ whois -h whois.lacnic.net AS1712

In the last example from above, AS35868 is a particularly interesting case:

  • Logix3, a Florida company, was assigned AS35868 by ARIN in 2005
  • Logix3 originates their own prefix, globally visible via AS35868, since 24 June 2006.
  • AS38568 was assigned by APNIC to ISC (“ISC-SUV1″) in 2006.
  • ISC started advertising 203.119.51.0/24 via AS35868 on 23 May 2007 via Fiji’s University of the South Pacific, in order to host Fiji’s local copy of the F-root server.
  • AS35868 first appeared in RIPE as ISC on 29 September 2009.

However this gets cleared up, we strongly suspect that the local transit for the Fiji F-root will have to change. (Its address won’t, fortunately.) Since we don’t have a peer in Fiji, so we can’t confirm that 192.5.5.0/24 (F-root block) is anycasted there. Anybody in Fiji want to peer with us?

Despite the fact that verification services are readily available, neither the RIRs, the companies who received the duplicated ASNs, nor their providers seems to have checked if the ASN was assigned before making and accepting the ASN assignment. When an organization is assigned an ASN, it still needs to check to verify that this ASN hasn’t already been assigned. One can’t assume that the ASN handed to you by an RIR is unique because their databases aren’t perfect.

But don’t blame the RIRs, rooting out duplicate ASNs across RIRs is non-trivial. To identify duplicate ASNs, one cannot simply look for the same ASN in two RIRs. Some RIRs, like ARIN, try to list many of the ASNs in other RIRs as a pointer to them. Also, some large organizations may legitimately have the same ASN in two RIRs announcing different networks, for example, AS33771 (Safaricom) is listed in both AFRINIC and RIPE, but it probably does so because it announces network prefixes in the two continents (196.201.208.0/20 in Kenya and 41.90.0.0/16 in England). It doesn’t help that the RIRs are not consistent in their naming conventions, for example, AS109 is “ciscosystems” in ARIN and “cisco-eu-109″ in RIPE. So an effective automated ASN duplication detection tool is unlikely.

Lastly, businesses merge, acquire others or sometimes change their names without updating the records in the RIRs, for example AS3955 is Wang in ARIN and Getronics in RIPE, but Wang and Getronics are the same company. In fact, AS3955 also routes network prefixes (such as 150.124.0.0/16) for a third organization named, Compucom Systems. Compucom bought Getronics in 2007. AS32528 is Ross Labs in ARIN and Abbott Labs in RIPE. Ross and Abbott merged in 1964. Who has the capacity to keep up with every change to a business’s name?

Like everything on the Internet, nothing is ever easy, even something seemingly so trivial as assigning unique ASNs. The moral of the story is that, going forward, all parties involved in the assignment process would do well take some simple steps to verify the uniqueness of their new ASN because it gets very difficult to identify duplicates and fix the error after the fact. And we want to avoid more ASN split personalities who think they are in Paris — both Texas and France!!

À bientôt, pardner!

The post Bonjour, Y’all! ASN Split Personalities appeared first on Dyn Research.

Read more...

About the Author

Doug Madory is a Director of Internet Analysis at Dyn where he works on Internet infrastructure analysis projects. Doug has a special interest in mapping the logical Internet to the physical lines that connect it together, with a special interest on submarine cables.

Follow on Twitter More Content by Doug Madory
Previous Article
A Baker’s Dozen in 2009
A Baker’s Dozen in 2009

As our regular readers know, Renesys collects a lot of Internet routing...

Next Article
IP Backbone: Hard sell, not so much
IP Backbone: Hard sell, not so much

Think you’re too busy to blog? Think again. Or just ask your boss. After...