nanog mailing list archives

Re: Prefix hijacking, how to prevent and fix currently


From: "George, Wes" <wesley.george () twcable com>
Date: Fri, 29 Aug 2014 08:13:45 -0400


On 8/28/14, 11:28 PM, "Mark Andrews" <marka () isc org> wrote:

      The long term solution is to deploy RPKI and only use
      transits which use RPKI. No RPKI support => no business.
      Additionally make RPKI a peering requirement.

WG] So should we ask for that before, or after we get everyone to roll out
IPv6 everywhere by voting with our wallets?

*ducks*

On 8/28/14, 11:24 PM, "Fred Baker (fred)" <fred () cisco com> wrote:

      Are providers that neighbor with them implementing RPKI?
      If not, complain to the folks not indicating RPKI and therefore accepting
      a hijacked prefix.

WG]

%s/RPKI/inbound route filtering on downstream customers/g

There, FTFY

Tarun, other than directly contacting the originator, I recommend that you
complain to their upstream provider(s) (the neighboring ASN(s) in the
AS-Path) that they are accepting routes from their customer that they
shouldn't be, include proof that you own the block they are announcing,
and ask them to apply a prefix filter. Yes, this presupposes that you can
find valid contact info in whois or peeringdb, but it's the best we've got
right now.

RPKI isn't likely to fix this anytime soon, because it's mostly not
deployed where it needs to be to affect this problem. And just like
inbound route filtering and lots of other protective security measures,
[1, 2] and eating your vegetables, and getting more exercise, most folks
agree that it would help, but it's only useful with wide deployment, which
mostly needs to happen on "everyone else's network", and those things all
have an additional cost (time, money, or both) to deploy and maintain. The
unfortunate thing is that RPKI arguably takes more work than the others,
with a much longer time-horizon to see benefit during the incremental
deployment period.

Wes George

[1] https://www.routingmanifesto.org/manifesto/
[2] http://tools.ietf.org/html/draft-ietf-opsec-bgp-security
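As an added example (not from the thread or any of its participants), the check a defender would run on route-collector data to confirm a hijack and work out whom to contact: it applies RFC 6811 route origin validation against a ROA table and, for every invalid route, names the origin AS and the adjacent upstream in the AS path, i.e. the provider that should have been filtering its customer. The ROAs, observed routes and AS numbers (from the private range) are all constructed for the example.

```python
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]

# Constructed route-collector observations: (prefix, AS path, origin last).
OBSERVED = [
    ("192.0.2.0/24", [64510, 64511, 64500]),            # legitimate origin
    ("192.0.2.0/24", [64510, 64512, 64666, 64666]),     # origin hijack, prepended
    ("198.51.100.0/25", [64510, 64501]),                # right AS, too specific
    ("203.0.113.0/24", [64510, 64513, 64520]),          # no ROA covers it
]


def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if origin_as == roa_as and net.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def upstream_of(path):
    """Nearest AS before the origin, skipping the origin's own prepends."""
    origin = path[-1]
    for asn in reversed(path):
        if asn != origin:
            return asn
    return None


def triage(observed=OBSERVED, roas=ROAS):
    """Classify each route; for invalid ones, list origin and upstream to contact."""
    results = []
    for prefix, path in observed:
        origin, state = path[-1], validate_origin(prefix, path[-1], roas)
        contact = [upstream_of(path)] if state == "invalid" else []
        results.append({"prefix": prefix, "origin": origin,
                        "state": state, "contact": contact})
    return results


if __name__ == "__main__":
    for row in triage():
        print(row)
```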

