How to monitor for the “non existence” of an AS in the ASpath

Posted by Andree Toonk - October 25, 2008 - BGPmon.net, regular expressions - No Comments
How do I monitor the "non existence" of an AS in the ASpath Sometimes you have a prefix which is being announced from different AS's and each of these have different upstream AS's. Some of these are propagated all over the Internet and some of them are supposed to stay in a certain region or IX. This is typically achieved using the NO-EXPORT feature. A BGPmon.net user emailed me this scenario and would like to get a notification if this prefix is being detected by BGPmon, because this could mean someone might be leaking the prefix. Let's look at this example. Suppose  the following prefix 192.0.2.0/24 is originated from AS10 from different places in the world. You (AS20) are one of those sites but are only announcing it at your local Internet Exchange with the NO-Export community set.  Now normally this prefix is not seen as aspath AS20 AS10 in the global routing table, except of course for those at the Exchange point. You want to monitor the global routing table for this prefix & ASpath to make sure non of your peers is leaking this. How would you do that? Well you would add your prefix to BGPmon and use source AS 0. This basically is a wild card, no hard checks will be done on the originAS. Leave the transit AS empty and just use the following regex:
	(?<!20) 10$
It's called a 'negative lookbehind assertion' (Thanks Bas Toonk, for helping me with this) and matches any occurrence of '10' that isn't following '20'. So basically it should match any aspath that ends with 10, except if 20 is in front of it. In that case (20 10) the ASpath regex does not match and will generate an alarm. This however does assume that the prefix is always originated by AS 10.  In the real life example this was not the case, the prefix was actually originated by different AS's and the user wanted to be notified if the prefix was seen if his AS would show up as the transit AS. The regular expression this user is now using is something like this:
	(((?<!20) 10$)|( 30$)|( 40$))
Now the ASpath regular expression will match if: The aspath ends with * 10 (where *  != 20, i.e. anything except 20) The aspath ends with 30 The aspath ends with 40 In all other cases it will generate an alarm and you'll be notified.

No comments

Leave a Reply

Your email address will not be published. Required fields are marked *