<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Talking to a friend, he suggested mapping the specific ASNs in this situation and treating it separately.<br>Well, I don't think this is scalable...<br><br>Just to give you an idea of how big this question is, I have made some scripts to count how many organizations exist with 1, 2, 3, and so on ASNs allocated.<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br><br>Here goes (it is scary!):<br><br>fischer-mac-3:~ fischerdouglas$ curl -R -O <a href="https://www.nro.net/wp-content/uploads/apnic-uploads/delegated-extended">https://www.nro.net/wp-content/uploads/apnic-uploads/delegated-extended</a><br> % Total % Received % Xferd Average Speed Time Time Time Current<br> Dload Upload Total Spent Left Speed<br>100 41.6M 100 41.6M 0 0 1052k 0 0:00:40 0:00:40 --:--:-- 1221k<br>fischer-mac-3:~ fischerdouglas$ <br>fischer-mac-3:~ fischerdouglas$<br>fischer-mac-3:~ fischerdouglas$ awk -F\| '{if($3=="asn" && $7=="assigned") print $4,$8}' delegated-extended > NRO-ASNs.txt<br>fischer-mac-3:~ fischerdouglas$ <br>fischer-mac-3:~ fischerdouglas$ awk '{ASNs[$2]++} END { for(Line in ASNs) print ASNs[Line] }' NRO-ASNs.txt | awk '{h[$1]++} END { for(k in h) print k, h[k] }' | sort -n<br>1 50627<br>2 3607<br>3 1155<br>4 517<br>5 321<br>6 169<br>7 123<br>8 99<br>9 50<br>10 50<br>11 48<br>12 35<br>13 23<br>14 23<br>15 25<br>16 21<br>17 26<br>18 12<br>19 15<br>20 15<br>21 20<br>22 10<br>23 14<br>24 11<br>25 6<br>26 8<br>27 9<br>28 7<br>29 6<br>30 6<br>31 7<br>32 5<br>33 4<br>34 8<br>35 5<br>36 3<br>37 5<br>38 1<br>39 5<br>40 5<br>41 3<br>42 3<br>43 1<br>44 1<br>45 3<br>46 3<br>47 1<br>49 2<br>50 2<br>51 1<br>52 1<br>53 1<br>54 1<br>55 1<br>56 4<br>57 3<br>58 2<br>60 1<br>61 2<br>64 1<br>66 1<br>68 1<br>69 1<br>71 1<br>72 2<br>76 3<br>77 1<br>78 1<br>79 1<br>80 2<br>81 2<br>84 2<br>88 1<br>91 1<br>92 1<br>94 2<br>95 1<br>99 1<br>100 1<br>102 1<br>105 
1<br>109 1<br>111 1<br>114 1<br>116 1<br>119 1<br>121 1<br>124 1<br>136 1<br>143 1<br>151 2<br>152 1<br>162 1<br>169 1<br>218 1<br>220 1<br>238 1<br>300 1<br>355 1<br>384 1<br>457 1<br>473 1<br>481 1<br>502 1<br>604 1<br>fischer-mac-3:~ fischerdouglas$<br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 7, 2020 at 14:24, Douglas Fischer <<a href="mailto:fischerdouglas@gmail.com">fischerdouglas@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace;font-size:small">Hello everyone<br><br>P.S.: I apologize, but I write for multiple email lists, precisely because it is a topic that interests multiple regions.<br>P.S.2: The objective in this proposal is to <span lang="en"><span title="">make feasible</span></span> the creation of validation mechanisms for the creation of IRR Route / Route6 Objects, without requiring any type of change in the protocols currently in use. 
Just adjusting the information already public and available.<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br><br>I am from Brazil, and Registro.BR (National Internet Registry) provides a file[1] of delegations in a format slightly different from the official NRO format [2].<br><br>In the link below [1] it is possible to see a list with an unequivocal association between the ASN and the IP block delegated to the owner.<br>[1] <a href="ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt" target="_blank">ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt</a><br>Note: Registro.BR delegations are also published in the official NRO format, included in LACNIC's public archive [3] to which <a href="http://NIC.BR" target="_blank">NIC.BR</a> is linked.<br><br>This unequivocal link allows us an extra layer of validation with respect to Hijack of prefixes, and also the creation of INVALID Route / Route6 objects in IRR.<br><br>Inspired by this file format[1], I decided to take a closer look at the official NRO format.<br>As expected, I was able to establish a link between the Owner of the ASN, and the Owner of the IPv4 / IPv6. 
However, this link is NOT unambiguous.<br><br>The attribute that makes this link is Opaque-ID and is described in the NRO official format file [2].<br>This attribute referred to an organization that holds some type of numerical resource on the Internet.<br><br>In 90-95% of cases, the ASN <-> OpaqueID <-> InetNum link is assertive.<br>However, there are cases in which this association is not sufficient to be assertive.<br><br>A) Delegations of IPv4 and / or IPv6 blocks to end users without the delegation of an ASN to that institution.<br> - These cases do not allow an assertive link between ASN and IPv4 / IPv6, so they ARE NOT THE FOCUS of my analysis.<br><br>B) Organizations that own multiple sets of ASN <-> InetNum.<br> B.1 - The cause that I believe to be the most common for this is mergers and acquisitions of organizations, where despite that OpaqueID referring to the same organization (CNPJ / EIN / RUC / Fiscal Number), the ASN sets <-> InetNum are from different Service Providers (sometimes even in geographically different regions).<br> B.2 - But there are other examples of this, such as the need for specific segmentation of networks within the same organization.<br><br>By consulting in the Whois databases some of these ASNs, it is possible to verify that the linking information between Autnum <-> Inetnum exists within the whois databases.<br><br>fischer-mac-3:~ fischerdouglas$ whois -h <a href="http://whois.lacnic.net" target="_blank">whois.lacnic.net</a> AS28000 | grep num:<br>aut-num: AS28000<br>inetnum: 179.0.156/22<br>inetnum: 200.7.84/23<br>inetnum: 2001:13c7:7001::/48<br><br><br>The suggestion itself:<br>---------------------<br>In the official format of the NRO [2], the "Extensions" column provides for the addition of data that was not yet foreseen.<br>In this column, in the IPv4 and IPv6 resource lines, if that block is associated with any ASN, add the ASN to which that block is associated.<br><br><br><br></div><div class="gmail_default" 
style="font-family:courier new,monospace;font-size:small">The questions:<br>-------------<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"> - Any consideration about that?<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"> - What is the path to reach the right persons to make an official proposal?<br></div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"><br><br>P.S.3:<br>Yes, I know that we have entered the era of RPKI.<br>Yes, I know that probably in 5-6 years we will have another 90% of DFZ as VALID.<br>But I believe that such an action would require minimal effort, ample result, and would also serve as an incentive for the diversifying Owner of IP blocks to move and create their ROAs.<br><br><br><br>Examples of organizations with multiple sets of AutNum<->InetNum:<br>B.1.a<br> "TELEFÔNICA BRASIL S.A" with 9 ASNs<br> 10429, 11419, 16885, 16911, 18881, 19182, 22092, 26599, 27699.<br>B.1.b<br> "Telecom Argentina S.A." with 11 ASNs<br> 7303, 7934, 10318, 10481, 10895, 10983, 11356, 12264, 21590, 26608, 27871.<br>B.2.a<br> "Núcleo de Inf. E Coord. 
Do Ponto BR - <a href="http://NIC.BR" target="_blank">NIC.BR</a>" with 16 ASNs<br> 10906, 11284, 11431, 11644, 11752, 12136, 13874, 14026, 14650, 20121, 22548, 26162, 263044, 28345, 53035, 61580.<br>B.2.b</div><div class="gmail_default" style="font-family:courier new,monospace;font-size:small"> "LACNIC - Latin American and Caribbean IP address" with 7 ASNs.<br> 28000, 28001, 28002, 28119, 52224, 264845, 264846<br><br><br><br>[2] <a href="https://www.nro.net/wp-content/uploads/nro-extended-stats-readme5.txt" target="_blank">https://www.nro.net/wp-content/uploads/nro-extended-stats-readme5.txt</a><br>[3] <a href="ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest" target="_blank">ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-extended-latest</a></div><br>-- <br><div dir="ltr"><font size="2"><span style="font-family:courier new,monospace">Douglas Fernando Fischer</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Control and Automation Engineer</span></font><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:courier new,monospace"></div></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><font size="2"><span style="font-family:courier new,monospace">Douglas Fernando Fischer</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Control and Automation Engineer</span></font><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:courier new,monospace"></div></div>
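<p>Added example, not part of the original messages: a sketch of the ASN &lt;-&gt; Opaque-ID &lt;-&gt; InetNum check discussed in the thread, applied to a candidate route / route6 object. The records in SAMPLE are constructed (documentation ASNs and prefixes, made-up opaque IDs), and the function names and result labels are hypothetical.</p>

```python
import ipaddress
from collections import defaultdict

# Constructed records in the NRO delegated-extended layout:
# registry|cc|type|start|value|date|status|opaque-id
SAMPLE = """\
lacnic|BR|asn|64500|1|20100101|assigned|ORG-A
lacnic|BR|ipv4|192.0.2.0|256|20100101|assigned|ORG-A
lacnic|AR|asn|64501|1|20110101|assigned|ORG-B
lacnic|AR|asn|64502|1|20120101|assigned|ORG-B
lacnic|AR|ipv4|198.51.100.0|256|20110101|assigned|ORG-B
lacnic|UY|ipv6|2001:db8::|32|20130101|assigned|ORG-C
"""

def load(text):
    """Return (ASNs per opaque-id, list of (network, opaque-id))."""
    asns, nets = defaultdict(set), []
    for line in text.splitlines():
        f = line.split("|")
        # Version and summary lines have fewer than 8 fields; skip them,
        # along with available/reserved space.
        if len(f) < 8 or f[6] not in ("assigned", "allocated"):
            continue
        rtype, start, value, org = f[2], f[3], f[4], f[7]
        if rtype == "asn":
            # value = number of consecutive ASNs beginning at start
            asns[org].update(range(int(start), int(start) + int(value)))
        elif rtype == "ipv4":
            # value = address count, which need not be a power of two
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            for n in ipaddress.summarize_address_range(first, last):
                nets.append((n, org))
        elif rtype == "ipv6":
            # value = prefix length
            nets.append((ipaddress.ip_network(f"{start}/{value}"), org))
    return asns, nets

def check_route(prefix, origin, asns, nets):
    """Classify a candidate route object (hypothetical labels)."""
    p = ipaddress.ip_network(prefix)
    holder = next((o for n, o in nets
                   if n.version == p.version and p.subnet_of(n)), None)
    if holder is None:
        return "unknown-prefix"
    held = asns.get(holder, set())
    if not held:
        return "no-asn"      # case A: address space but no ASN
    if origin not in held:
        return "mismatch"    # origin ASN is held by another organization
    # case B: several ASNs share one opaque-id, so the link is not unique
    return "match" if len(held) == 1 else "ambiguous"
```

The "ambiguous" result is the multi-ASN situation counted in the histogram above: the opaque-id confirms the organization but not which of its ASNs the block belongs to.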