nanog mailing list archives
Re: [admin] [summary] RE: YouTube IP Hijacking
From: Danny McPherson <danny () tcb net>
Date: Mon, 25 Feb 2008 13:11:15 -0700
On Feb 25, 2008, at 12:51 PM, Alex Pilosov wrote:
** Nobody brought up the important point - the BGP announcement filtering are only as secure as the weakest link. No [few?] peers or transits are filtering "large" ISPs (ones announcing few hundred routes and up). There are a great many of them, and it takes only one of them to mess up filtering a downstream customer for the route to be propagated.
Yes, that was my implicit point to Pekka. Even if you do everything feasible today (i.e., explicitly filter customers, some amount of policy for peers, and perhaps a few hacks for multi-homed customers), you're still pretty much screwed if someone announces your address space. Heck, you're as likely to accept the announcement as anyone.
** Paul Wall brought up the fact that even obviously bogus routes (1/8 and 100/7) were accepted by 99% of internet during an experiment.
I'm not sure why this would surprise anyone.
** What I'd like to see discussed: Issues of filtering your transit downstream customers, who announce thousands of routes. Does *anyone* do it?
Lots of folks do. The interesting bit is that even then, those same providers would accept perhaps even those customer routes from their peers implicitly.
* Typos vs Malicious announcements
** Some ways of "fixing" the problem (such as IRR filtering) only address the typos or unintentional announcements.
You mean as opposed to intentionally malicious acts? Well, not completely. See Pekka's email, for example. Of course, it does vary widely across IRRs, etc.
There's full agreement that IRR is full of junk, which is not authenticated in any sort.
Mostly, though not completely.
** Things like PHAS won't work if hijacker keeps the origin-AS same (by getting their upstream to establish session with different ASN)
NO, that's not even necessary. Simply originate the route from the legit AS, and then transit it with the local AS as a transit AS. AS path manipulation is trivial.
** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively working on implementing "chain of trust" of IP space allocations?
* Ways to address the issue without cooperation of 3491:
** Filtering anything coming out of 17557
Bad idea.
** Suggestions given:
** What I'd like to see discussed: Can a network operator, *today*, filter the "possibly bogus" routes from their peers, without manual intervention, and without false positives?
Sure, if they want to dedicate an engineer to it, automate policy deployment and deal with brokenness by turning steam valves.
* Yelling at people who don't filter
That's been productive for over a decade now.
** Per above, 3491 isn't the only one who filters. In fact, claims were made that *nobody* filters "large enough" downstreams. (beyond aspath/maxpref)
Wrong.
-danny
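
Added example, not part of the original message or of any tool named in the thread: a small Python check illustrating the exchange above, where a monitor that compares only the origin AS stays silent on an announcement that keeps the legitimate origin, while checks on prefix length and on the AS adjacent to the origin flag it. The policy record, prefix and ASNs are constructed from documentation ranges (RFC 5737, RFC 5398), and the function names are hypothetical.

```python
import ipaddress

# Constructed monitoring record; not taken from the thread.
EXPECTED = {
    "prefix": ipaddress.ip_network("192.0.2.0/24"),
    "max_len": 24,                 # longest prefix the holder announces
    "origin": 64496,               # legitimate origin AS
    "upstreams": {64497, 64498},   # ASes expected next to the origin
}

def collapse(as_path):
    """Drop prepending so repeated adjacent ASNs count as one hop."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def check(prefix, as_path, rec=EXPECTED):
    """Return findings for one announcement; an empty list means clean."""
    net = ipaddress.ip_network(prefix)
    if net.version != rec["prefix"].version or not net.subnet_of(rec["prefix"]):
        return []                  # not inside the monitored space
    path = collapse(as_path)
    if not path:
        return ["empty-as-path"]
    findings = []
    if net.prefixlen > rec["max_len"]:
        findings.append("more-specific")
    if path[-1] != rec["origin"]:
        findings.append("origin-mismatch")
    elif len(path) > 1 and path[-2] not in rec["upstreams"]:
        findings.append("unexpected-upstream")
    return findings

def origin_only(prefix, as_path, rec=EXPECTED):
    """What a monitor that compares only the origin AS would report."""
    return [f for f in check(prefix, as_path, rec) if f == "origin-mismatch"]

if __name__ == "__main__":
    samples = [                    # constructed announcements
        ("192.0.2.0/24", [64500, 64497, 64496, 64496]),
        ("192.0.2.0/25", [64500, 64511]),
        ("192.0.2.0/24", [64500, 64511, 64496]),
    ]
    for pfx, path in samples:
        print(pfx, path, check(pfx, path), origin_only(pfx, path))
```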