Hi,


On Thu, 2 May 2019, Tom Samplonius wrote:

  Well, since transit providers universally use IRR, it is unlikely that 
hijacks even work, unless there are legacy ports where IRR was not implemented.

Yes, filters do fail sometimes... :/


  http://peering.exposed/ has a list of IX that have secure route servers 
(secure meaning that they implement IRR).  It is a significant number, and it 
is increasing.

Route servers are not an exclusive way of peering.
Some well-known networks have a policy not to use route servers, afaik.


  The problem with this BGP hi-jack proposal, is the problem statement itself.  How many hijacks are happening in the ARIN region per month?  10?  100?  1000?

How many of them reach an ARIN mailbox?

In fact we got some numbers from LACNIC (i.e. cases reported to LACNIC), but I haven't seen it from ARIN yet.



 And why is IRR not the solution to hijacks, since it is widely (but not
universally) implemented?

Well, if it's possible for anyone to add records to an IRR database without proper authentication... RPKI however is different, but while its deployment is immature, something at policy level is needed.



 I suspect the number of hijacks in the ARIN region is basically zero, because even if IRR is not universal, it just takes a few larger networks to block the spread of hijacked routes.  And if hijackers can't
hijack globally, then why hijack at all?

To inject toxic packets to specific networks.
To capture packets from specific networks.
To divert law enforcement, while doing any of the previous.


 All of the tier 1s that I talk to have moved from manually maintained prefix lists to fully automated IRR maintenance on customer edge ports.

Great! Did that stop business models where hijacks are involved? I guess not... :/


  The Internet Society has created the MANRS initiative (https://www.manrs.org/) to encourage all networks globally to implement route security (among other things), but strangely there hasn't been a single mention of it in any of these threads.  MANRS is the best way to address hijacking, since it prevents hijacking from even happening (along with other bad things like spoofing).

It's referenced on https://politicas.lacnic.net/politicas/detail/id/LAC-2019-5
(LACNIC... in Spanish)

It will be referenced in updated versions for RIPE and ARIN too.

Unfortunately MANRS takeup is even lower than RPKI, so something at policy level is needed (I'm repeating myself...)


Regards,
Carlos





--
Tom Samplonius
VP of Technology
Urban Communications Inc.
[email protected]



