On Mon, 6 May 2019 16:40:42 +0000
Michel Py <[email protected]> wrote:
> Hi Keith,
> Besides what you wrote (comments in-line), I think we need a very clear
> definition of what is a private network.
> If an organization is an operator, ISP, or hosting company, the part of
> their network that carries public traffic is not private.
> For a router, the management interface (if separate) is private, it's
> likely on a separate VLAN too. But the interfaces that carry traffic
> from / to customers, subscribers, and hosted services are public.

I am afraid I cannot agree to this definition.

First of all, if traffic is either public or private, saying public traffic
cannot be private isn't very helpful.

Beyond that, we have a bit of a problem in that RFC1918 is so used by
customers that you cannot rely on being able to use it much if you are
trying to attach to multiple customers in more than a trivial way like
management interfaces.

There are systems and services that are so sensitive or compromise so
costly that it is imperative that no contact from outside the local ASN be
allowed. It becomes a form of Russian roulette to put a world routable
address on them. So we have had to come up with an alternative. Many have
resorted to 30.0.0.0/8 in the voice community since the attacks on voice
resources are so heavy and persistent that a DDoS can result from trying
to use packet filters to protect some systems. I would argue that if a host
and the server that provides service to that host are within the same ASN
then the network and its traffic is private.

Michel's definition also has grey areas when it comes to IP-IP tunnels.
If tunnel traffic has what we all would call public traffic, is the tunnel
itself public?

Does ARIN or any of the other RIRs really want to get into these kinds of
network engineering and operations debates?

Larry Ash
Mountain West Technologies

> Keith W. Hare wrote:
> > If an organization uses an IPv4 prefix allocated/assigned to some other
> > organization (the DoD 30.0.0.0/8 for example) within their internal
> > network and filters out all references at the edges of their network so
> > that the general public never sees any references, is that BGP
> > Hijacking? I'm pretty sure we can agree that this is not BGP hijacking.
>
> If you would add to that that they do not transport any non-organization
> data over it / be in context with what I wrote above about private
> network, I would agree.
> I'm not sure there is a name for that, would be a good idea to have one.
> Loitering?
>
> > If an organization uses an IPv4 prefix allocated/assigned to some other
> > organization (the DoD 30.0.0.0/8 for example) within their publicly
> > visible network and filters out all references at the edges of their
> > network so that the rest of the internet never sees any references, is
> > that BGP Hijacking? This is an edge case that we need to consider
> > carefully.
>
> I agree, especially if they transport customer / subscriber data over it.
> I think we should call that squatting.
>
> > If Organization A has an agreement/letter of authority to announce
> > addresses that have been allocated/assigned to Organization B, and
> > Organization B wants to replace Organization A with Organization C, but
> > there was some onerous termination clause with Organization A that has
> > not been met so Organization A continues to announce Organization B's
> > address space, is that BGP Hijacking? To me, this sounds like a contract
> > dispute that depends on the contents of the private contract between A
> > and B.
>
> Correct. ARIN has allocated addresses to organization B. In that case,
> org A and org B have to sort out their differences in the legal system.
> However, we have to be careful with similarities with your next point
> just below. What are the differences between them? The lack of a contract
> or agreement, or the fact that ARIN does not have access to it? Or some
> other factor?
>
> > If an organization A does not have an agreement/letter of authority to
> > announce addresses that have been allocated/assigned to Organization B
> > but does so anyhow and allows that announcement to propagate to the
> > general internet, is that BGP Hijacking? Seems highly likely to be BGP
> > Hijacking.
>
> I agree. Same as above though, we need a very clear definition of what
> constitutes not having an agreement or a contract before ARIN can make
> the determination that it is indeed hijacking.
>
> > From the outside, how do we know that an agreement/letter of authority
> > does not exist, is invalid, or is forged?
>
> This is where we have to be very complete, very comprehensive, and as
> exhaustive as possible.
>
> > If an organization sets up routing so that all connections from the
> > inside of its network to a particular resource outside of its network
> > go through a particular router/proxy server, is that BGP Hijacking?
>
> Can you develop this one a little further? Are we talking about traffic
> engineering / traffic shaping / net neutrality / packet classification /
> QoS?
>
> Michel.
_______________________________________________
ARIN-PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
Larry Ash
Mountain West Technologies
123 W 1st St.
Casper, WY 82601
Office 307 233-8387
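The announcement scenarios Keith lists in the quoted message, as an added example that is not part of this thread: a small Python check that classifies an observed BGP announcement against a registry of allocations and letters of authority. The registry, the AS numbers and the organization names are constructed for the example (the 30.0.0.0/8 case is the thread's own; the origin AS shown as authorized for it is hypothetical).

```python
# Added example, not from the ARIN-PPML thread. Classifies an announcement
# the way the thread's cases distinguish: filtered inside one network
# (not hijacking), announced with a letter of authority on file, or
# announced to the internet by an origin with no authority on file.
from ipaddress import ip_network

# Constructed registry: allocated prefix -> holder. 30.0.0.0/8 is the
# thread's own example; the other two are documentation prefixes.
ALLOCATIONS = {
    "30.0.0.0/8": "DoD",
    "198.51.100.0/24": "OrgB",
    "203.0.113.0/24": "OrgA",
}

# Constructed letters of authority: holder -> origin ASNs allowed to
# announce its space. AS64501 stands in for OrgA, which OrgB authorized;
# OrgC (AS64502) has no LoA. The DoD origin AS is hypothetical.
AUTHORIZED_ORIGINS = {
    "DoD": {64512},
    "OrgB": {64501},
    "OrgA": {64501},
}


def holder_of(prefix):
    """Holder of the most specific allocation covering prefix, or None."""
    net = ip_network(prefix)
    best = None
    for alloc, org in ALLOCATIONS.items():
        block = ip_network(alloc)
        if net.subnet_of(block) and (best is None or block.prefixlen > best[0].prefixlen):
            best = (block, org)
    return best[1] if best else None


def classify(prefix, origin_asn, visible_outside):
    """Return 'private', 'authorized', 'unauthorized' or 'unallocated'.

    visible_outside=False models the edge-filtered internal use the thread
    agrees is not hijacking, regardless of whose allocation the prefix is.
    """
    if not visible_outside:
        return "private"
    holder = holder_of(prefix)
    if holder is None:
        return "unallocated"
    if origin_asn in AUTHORIZED_ORIGINS.get(holder, set()):
        return "authorized"
    return "unauthorized"
```

The lookup only says whether an authority is on file for the origin; it cannot tell whether that record is itself invalid or forged, which is the question Keith raises from the outside.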