chku <chku@twnic.tw> wrote on 24 November 2020 at 09:15:
Dear Mr. Kuo,
Please refer to the following information. Thanks a lot.
Ching-Heng Ku
-----Original message-----
From: Anurag Bhatia <me@anuragbhatia.com>
To: chku <chku@twnic.tw>
Cc: apnic-talk <apnic-talk@apnic.net>, Kenny Huang <huangk@twnic.tw>, ip <ip@twnic.tw>
Date: Tue, 24 Nov 2020 01:03:30
Subject: Re: Fwd: [apnic-talk] Major jump in RPKI invalids from Taiwan in last 24hrs
Hello Ching-Heng
Thanks for looking into this. I am not sure what source RIPE Stat is picking in the link you shared. It might be based on a few RRCs likely. For my data, I am relying on RIPE RIS RRC01 and that clearly has these routes. Surely many of these routes are not visible across a large part of the internet but AS36924 - GVA-Canalbox, BJ is feeding these routes to RIPE RIS 01.
Out of 539 invalids we see, 496 have an AS_PATH as: 36924 21351 30844 4809 3462_
So routes are learnt from various 25 networks by Hinet AS3462 and next, announced to China Telecom AS4809 which are announced to AS30844 (Liquid Telecom) which announces to AS21351 (CANALPLUSTELECOM) and that is announcing to the AS36924 which is ultimately feeding these in RIPE RIS RRC01. These routes were not visible on 18th, 19th but are visible 20th onwards. I cannot say why RIPE Stat is not showing these. Could be that it ignores routes at the country level when they are visible from just one of the few dozen collectors they have. But routes do exist for sure.
Here's a check on latest visible RIS RRC01 dump: http://data.ris.ripe.net/rrc01/2020.11/bview.20201123.0800.gz
bgpscanner -p "36924 21351 30844 4809 3462" bview.20201123.0800.gz | awk -F '|' '{OFS=" | "; print $2,$3}'
23.11.80.0/20 | 36924 21351 30844 4809 3462 4780
23.11.176.0/20 | 36924 21351 30844 4809 3462 4780
45.127.216.0/24 | 36924 21351 30844 4809 3462 7481 31972
45.127.217.0/24 | 36924 21351 30844 4809 3462 7481 31972
58.86.38.0/24 | 36924 21351 30844 4809 3462 3462 3462 3462 18042
58.86.43.0/24 | 36924 21351 30844 4809 3462 3462 3462 3462 18042
58.86.46.0/24 | 36924 21351 30844 4809 3462 18042 18018
58.86.128.0/24 | 36924 21351 30844 4809 3462 3462 3462 3462 18042
58.114.0.0/17 | 36924 21351 30844 4809 3462 7481 18042 18042
58.114.0.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.114.64.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.114.128.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.114.192.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.115.0.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.115.64.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.115.128.0/18 | 36924 21351 30844 4809 3462 38187 18042
58.115.192.0/18 | 36924 21351 30844 4809 3462 38187 18042
59.105.229.0/24 | 36924 21351 30844 4809 3462 4780
60.198.193.0/24 | 36924 21351 30844 4809 3462 9924 9924
60.198.194.0/24 | 36924 21351 30844 4809 3462 9924 9924
60.198.195.0/24 | 36924 21351 30844 4809 3462 9924 9924
and more. In total: 924 prefixes visible with that AS_PATH.
I cannot verify the AS_PATH completely but Liquid Telecom does have a working looking glass and confirms these routes are present in their network. This confirms that China Telecom AS4809 is announcing these routes for sure. I have added as-path in the sheet I shared - https://docs.google.com/spreadsheets/d/1wOHPKFPOQNnVL02SVWGdVfE8sfnawKfqN1p78y3lciQ/edit?usp=sharing
This brings me to 2 possibilities in this case:
- Hinet AS3462 has quite a few more routes which are more specifics and RPKI invalid and are being announced mostly via China Telecom AS4809 and they further have limited visibility.
- Someone in the chain (likely before Liquid Telecom AS30844) is faking the AS_Path.
Only Hinet AS3462 or those impacted 24 other ASNs can confirm which one is the case because they are closest to the origin as per as-path.
Thanks
On Mon, Nov 23, 2020 at 2:56 PM chku <chku@twnic.tw> wrote:
Dear Anurag,
Many thanks for your information. We checked route prefixes from RIPE
The number of IPv4 and IPv6 prefixes of Taiwan are as usual. The number of Valid prefixes from Validator are also as usual. The invalid prefixes are related to the routes announced by ISPs. We will continue to observe the changes of valid prefixes.
Ching-Heng
From: apnic-talk-bounces@lists.apnic.net <apnic-talk-bounces@lists.apnic.net> on behalf of Anurag Bhatia <me@anuragbhatia.com>
Sent: Saturday, November 21, 2020 6:41:32 AM
To: mailman_APNIC-talk <apnic-talk@apnic.net>
Subject: [apnic-talk] Major jump in RPKI invalids from Taiwan in last 24hrs
Hello everyone,
Anyone here from Taiwan?
There seems to be a major jump in RPKI invalids from Taiwan. My code is tracking invalids in India and nearby on daily basis and data is being published in this public Grafana instance: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?orgId=1&from=now-90d&to=now
On 20th - Invalids were 43 and on 21st invalids have jumped to 539.
These invalids belong to 25 different ASNs which are:
131597 - NCDTV-TW New Changhua Digital Cable TV CO,.Ltd, TW
131601 - DCT Dynamic Computing Technology, TW
131627 - PEICITY-AS-TW Peicity Digital Cable Television., LTD, TW
131660 - CHTCDN Data Communication Business Group, TW
1659 - ERX-TANET-ASN1 Taiwan Academic Network (TANet) Information Center, TW
17408 - ABOVE-AS-AP AboveNet Communications Taiwan, TW
17711 - NDHU-TW National Dong Hwa University, TW
17712 - CCU-TW National Chung Cheng University, TW
17713 - NSYSU-TW National Sun Yat-sen University, TW
17716 - NTU-TW National Taiwan University, TW
18042 - KBT Koos Broadband Telecom, TW
18046 - DONGFONG-TW DongFong Technology Co. Ltd., TW
18177 - NCKU-TW National Cheng Kung University, TW
24169 - CHUAN-CHAN-NET-A Chuan Chan Co. Ltd., TW
38841 - KBRO-AS-TW kbro CO. Ltd., TW
4780 - SEEDNET Digital United Inc., TW
4845 - SINGTEL-TW Chung Hsiao East Road, TW
7532 - DIGICENTRE-TW DigiCentre Company Limited, TW
7539 - TWAREN-TW National Center for High-performance Computing, TW
9416 - MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc., TW
9916 - NCTU-TW National Chiao Tung University, TW
9919 - NCIC-TW New Century InfoComm Tech Co., Ltd., TW
9922 - NKB-AS-TW New Kaohsiung Broadband LTD., TW
I have put a detailed list of invalids with ASNs, AS names etc here: https://docs.google.com/spreadsheets/d/1wOHPKFPOQNnVL02SVWGdVfE8sfnawKfqN1p78y3lciQ/edit?usp=sharing
Please help in getting these cleaned up if you know anyone from the above networks.
--
Anurag Bhatia
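
The analysis discussed in this thread (classifying routes from a collector dump against ROAs, then checking which leading AS_PATH segment the invalid routes share) can be sketched as follows. This is an added example, not code from any of the posters; the ROAs, prefixes and ASNs are constructed from documentation ranges, and the input is assumed to be in the "prefix | AS_PATH" layout printed by the awk filter above, with no AS_SET segments.

```python
import ipaddress

# Constructed ROAs (prefix, maxLength, origin ASN) using documentation
# ranges; these are sample values, not real RPKI data.
ROAS = [("192.0.2.0/24", 24, 64500), ("198.51.100.0/24", 24, 64501)]

# Constructed routes in the "prefix | AS_PATH" layout the awk filter prints.
SAMPLE = """\
192.0.2.0/24 | 64510 64511 64496 64500
192.0.2.128/25 | 64510 64511 64496 64496 64496 64500
198.51.100.0/24 | 64510 64511 64496 64503
203.0.113.0/24 | 64510 64511 64496 64503
"""

def parse_line(line):
    """Return (network, AS hops) with prepended duplicates collapsed."""
    prefix, path = (field.strip() for field in line.split("|"))
    asns = [int(a) for a in path.split()]
    hops = [a for i, a in enumerate(asns) if i == 0 or a != asns[i - 1]]
    return ipaddress.ip_network(prefix), hops

def validate(net, origin, roas=ROAS):
    """RFC 6811 origin validation, with the invalid state split by cause."""
    covered = origin_matches = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa_asn == origin:
            if net.prefixlen <= max_len:
                return "valid"
            origin_matches = True  # right origin, but longer than maxLength
    if not covered:
        return "not-found"
    return "invalid-length" if origin_matches else "invalid-origin"

def shared_leading_path(paths):
    """Longest run of ASNs, from the collector peer, common to all paths."""
    shared = []
    for column in zip(*paths):
        if len(set(column)) != 1:
            break
        shared.append(column[0])
    return shared

def analyze(text):
    routes = [parse_line(l) for l in text.splitlines() if l.strip()]
    states = {str(net): validate(net, hops[-1]) for net, hops in routes}
    invalid = [hops for net, hops in routes if states[str(net)].startswith("invalid")]
    return states, shared_leading_path(invalid)
```

Splitting the invalid state into a maxLength cause and an origin-mismatch cause separates over-specific announcements by the authorised origin from announcements by a different AS; a shared AS_PATH only shows where the routes converge on the way to the collector and does not by itself show that the path is genuine.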