
Multiple ASNs/networks per IP?

Open sebix opened this issue 9 years ago • 9 comments

How to deal with IPs with multiple network mappings, like the one we use in our tests:

dig +short 192.50.189.origin.asn.cymru.com TXT
"28333 | 189.50.192.0/20 | BR | lacnic | 2007-08-10"
"28333 | 189.50.192.0/22 | BR | lacnic | 2007-08-10"

This is the reason why the tests fail in about 50% of runs*.

We could for example select the network which is bigger, or has a more recent date.

* in addition to another runtime-dependent bug which will be fixed by #542

sebix avatar Jun 14 '16 14:06 sebix

On Tue, Jun 14, 2016 at 07:48:42AM -0700, Sebastian wrote:

How to deal with IPs with multiple network mappings, like the one we use in our tests:

dig +short 192.50.189.origin.asn.cymru.com TXT
"28333 | 189.50.192.0/20 | BR | lacnic | 2007-08-10"
"28333 | 189.50.192.0/22 | BR | lacnic | 2007-08-10"

In this case, the most specific / best match wins. So the smaller the netblock size (/22) (as long as the IP address falls into this netblock), the better. That usually wins on the routing level.

This is the reason why the tests fail in about 50% of runs*.

We could for example select the network which is bigger, or has a more recent date.

use the smaller one (if the IP is inside the smaller range)

* in addition to another runtime-dependent bug which will be fixed by #542

You are receiving this because you were assigned. Reply to this email directly or view it on GitHub: https://github.com/certtools/intelmq/issues/543

aaronkaplan avatar Jun 14 '16 15:06 aaronkaplan

Okay, and what about multiple ASNs?

$ dig +short 8.43.0.192.origin.asn.cymru.com TXT
"16876 40528 | 192.0.43.0/24 | US | arin | 2009-06-29"

sebix avatar Jun 28 '16 08:06 sebix

This could be an anycasted netblock (?)

Variant 1: take the first ASN and keep the original list of ASNs somewhere (extra?)
Variant 2: duplicate the event for each ASN (ugly).

aaronkaplan avatar Jul 19 '16 08:07 aaronkaplan

I'd go for Variant 2. In addition: a UUID field would be interesting too. If an event is split, the UUID will be duplicated. This enables the detection of events which are identical.

dmth avatar Jul 19 '16 08:07 dmth
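The two rules discussed above (most specific netblock wins; one event per ASN, linked by a shared UUID) as an added example that is not intelmq's own code. The input records are constructed from the Cymru TXT answers quoted in the thread; the event keys `source.asn`, `source.network`, `source.geolocation.cc` and `extra.uuid` are assumed names, not taken from this issue.

```python
import ipaddress
import uuid
from typing import Optional

# Constructed sample answers in the Team Cymru "asn(s) | prefix | cc | registry | date" format.
ANSWERS_189_50_192 = [
    "28333 | 189.50.192.0/20 | BR | lacnic | 2007-08-10",
    "28333 | 189.50.192.0/22 | BR | lacnic | 2007-08-10",
]
ANSWERS_192_0_43 = ["16876 40528 | 192.0.43.0/24 | US | arin | 2009-06-29"]


def parse_cymru_txt(line: str) -> dict:
    """Split one TXT record; the ASN field may hold several space-separated ASNs."""
    fields = [f.strip() for f in line.strip('"').split('|')]
    if len(fields) != 5:
        raise ValueError(f"unexpected Cymru record: {line!r}")
    return {
        'asns': [int(a) for a in fields[0].split()],
        'network': ipaddress.ip_network(fields[1], strict=False),
        'cc': fields[2], 'registry': fields[3], 'allocated': fields[4],
    }


def best_match(ip: str, answers: list) -> Optional[dict]:
    """Most specific netblock that actually contains the IP (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in map(parse_cymru_txt, answers) if addr in r['network']]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r['network'].prefixlen)


def enrich(event: dict, answers: list) -> list:
    """Variant 2: emit one copy of the event per ASN, all sharing one UUID (assumed key names)."""
    record = best_match(event['source.ip'], answers)
    if record is None:
        return [event]
    link_id = str(uuid.uuid4())  # same value on every copy so the split can be detected later
    copies = []
    for asn in record['asns']:
        e = dict(event)
        e.update({'source.asn': asn, 'source.network': str(record['network']),
                  'source.geolocation.cc': record['cc'], 'extra.uuid': link_id})
        copies.append(e)
    return copies
```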

Variant two is the way we agreed on later, e.g. in #373.

sebix avatar Jul 19 '16 09:07 sebix

Conclusion (offline): Currently we just take one of the ASNs, and solve the problem in a later release together with #373

sebix avatar Jul 19 '16 15:07 sebix

See also #35

ghost avatar Jun 02 '17 14:06 ghost

See also https://github.com/certtools/intelmq/pull/1136#discussion_r157773144

ghost avatar Jan 17 '18 09:01 ghost

The idea of Multiple values (IEP03) has been rejected. Linking events (IEP04) may be possible.

ghost avatar Aug 20 '21 13:08 ghost