False posative: A new downstream .... has been detected

[b4ldr]

Describe the bug
We have configured bgpalerter using mostly the generated example configuration. After leaving the daemon runing over night i notice the following reports which to me seem like false positives:

2022-01-11T22:00:05+00:00 verbose: A new downstream of AS14907 has been detected: AS1299
2022-01-11T22:00:05+00:00 verbose: A new downstream of AS14907 has been detected: AS6939
2022-01-11T22:00:13+00:00 verbose: A new downstream of AS14907 has been detected: AS2914
2022-01-11T22:00:13+00:00 verbose: A new downstream of AS14907 has been detected: AS3356

AS14907 is not a transit provider so this looks quite strange, however we do peer with rrc00, rrc03 and rrc23 and send them our full routing table and wonder if this could be the reason we are seeing theses alerts and if so is there a simple way to exclude our announcements to ris from the monitors?

Provide an example
full configure available https://gist.github.com/b4ldr/8a6ab36e981ff9e85bdd2f465e892519
output from pullapi: https://gist.github.com/b4ldr/22e4c36dcfa34d3abaa42d2a2a335739

Expected behavior
I did not expect any alerts for additional downstream

Are you using the binary or the source code?
binary

Your information
John Bond, Wikimedia Foundation (AS14907)

p.s. will send a comment to #397 once in production and thanks for al the work :)

[massimocandela]

Hi John,

Thanks for the proper bug reporting. I gave a look at the RIS data. The prefixes involved are RIS beacons announced by AS12654 (RIS). It looks like the beacons pass through other ASes, reach 14907, and are sent back into RIS (e.g., AS-path 14907, 1299, 2914, 42473, 12654).

I'm going to patch it right now and exclude all RIS beacons prefixes. It looks like this case can happen only in the PathNeighbors monitor, the other monitors are not affected. What you can do in the meanwhile is: if the warnings are a few and always about the same downstream ASes, you can temporarily add those ASes as downstreams in prefixes.yaml. Alternatively, you can remove the entire downstream list (including the "downstream:" part) to disable the downstream monitoring leaving the rest intact).

[b4ldr]

Awesome thanks for the quick response Massimo, currently we are only in the testing phase so this is not a massive issue for us and happy to test any updates.

for no ill just add the ris AS to our list of downstream thanks and let me know if you need anything more from our side

[massimocandela]

Try this pre-release which uses the code in the release branch. Remember to revert this.
I'm running it in our test environment monitoring 2914 (we also peer with RIS, but I never received that kind of "loop"). I will release it as soon as I'm sure everything is fine.

[b4ldr]

Thanks have updated to this version will let you know what we see.

[b4ldr]

We have had this running for about 24 hours now and not seen any additional alerts so i will tentatively close this, thanks for the speedy response

[massimocandela]

This has been released in v1.29.0. Some other minor fixes were added since this ticket; please, update your pre-release binaries with the released ones (or build it again).