nanog mailing list archives

Re: [admin] [summary] RE: YouTube IP Hijacking


From: Danny McPherson <danny () tcb net>
Date: Mon, 25 Feb 2008 14:01:15 -0700



On Feb 25, 2008, at 1:22 PM, Alex Pilosov wrote:

> Well, in this case, they *aren't* filtering! (unless I am misunderstanding
> what you are saying, due to repeated use of 'their').

What I'm saying is that best case today ISPs police routes
advertised by their customers, yet they accept routes implicitly
(including routes from address space that may belong to their
customers) from peers.  Seems a little hokey, eh?

> Oh yeah, d'oh! Thanks for correction. But that is also an important point
> against PHAS and IRRPT filtering - they are powerless against truly
> malicious hijacker (one that would register route in IRR, add the
> right origin-as to AS-SET, and use correct origin).

Yep, pretty much.

> Sure, if they want to dedicate an engineer to it, automate policy
> deployment and deal with brokenness by turning steam valves.
> I'd hear to see who does it, and get them to present the "operational
> lessons" at the next nanog!

Maybe Curtis V. would present what ANS was doing in
1994 :-)  But now we've even got things like BGP route
refresh, incrementally updatable filters, and BGP
soft reconfiguration to ease the deployment burden.

There have been two or three panels on this exact topic
in the past, you can find them in the index of talks.
Unfortunately, the problem hasn't changed at all.  Perhaps
we could just replay those video streams :-)

-danny