nanog mailing list archives
Re: Yet another BGP hijacking towards AS16509
From: Job Snijders via NANOG <nanog () nanog org>
Date: Tue, 23 Aug 2022 23:42:54 +0200
Hi Douglas, group,

On Tue, Aug 23, 2022 at 03:03:31PM -0300, Douglas Fischer wrote:
> I was thinking a little about this case... I'm almost certain that this case cited by Siyuan would have been avoided if there was a cross-check between the items contained in the AS-SET objects (and others such as the Route-Set), and the "member-of" attributes of the referred objects.

You are right that stronger 'arcs' ("connections") between the various IRR objects at first glance potentially offer a solution; unfortunately the objects exist in separate databases ("namespaces"), one has to be cautious for object name collisions! Cross-references (through "member-of:" <> "members:" links) for RPSL objects only work within a single IRR source, in other words: if objects exist in the same database. An object in one database can't reference (through 'member-of:') an object in a different database.

> I participated in a small exchange of ideas about this, and there were questions about whether this crosscheck should be done by the consumer of the IRR data, or if it should be validated at the time of insertion in the base through NRTM.

As far as I understand the data model, only the ultimate consumer of IRR data would be in a position to enforce some kind of policy (such as requiring cross-references both ways 'members:' <> 'member-of:'); the middle layer (software packages like IRRD) lacks context. I know of examples where fairly robust RTBH filters were generated using members:/member-of pairing as a prerequisite; but I'm not aware of a "cross-RIR" solution.

Kind regards,

Job
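
Added example, not part of the message above and not code from IRRd or any other IRR software: a consumer-side check that accepts an as-set member only when an aut-num object in the same source carries a matching "member-of:". The sample objects and the source names SRC-A and SRC-B are constructed; continuation lines and nested as-sets are not handled.

```python
import re
from collections import defaultdict

# Constructed sample objects (documentation ASNs, hypothetical source names).
SAMPLE = """\
as-set:     AS-EXAMPLE
members:    AS64500, AS64501, AS64502
source:     SRC-A

aut-num:    AS64500
member-of:  AS-EXAMPLE
source:     SRC-A

aut-num:    AS64501
source:     SRC-A

aut-num:    AS64502
member-of:  AS-EXAMPLE
source:     SRC-B
"""

def parse_rpsl(text):
    """Split blank-line separated objects into (attribute, value) lists."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        objects.append([(k.strip().lower(), v.strip()) for k, _, v in pairs])
    return objects

def values(attrs, key):
    """Comma-separated values of a (possibly repeated) attribute, upper-cased."""
    return [x.strip().upper() for k, v in attrs if k == key
            for x in v.split(",") if x.strip()]

def paired_members(objects, set_name, source):
    """Members of one as-set, split into (accepted, rejected) by back-reference."""
    set_name, source = set_name.upper(), source.upper()
    listed, backrefs = [], defaultdict(set)
    for attrs in objects:
        cls, name = attrs[0][0], attrs[0][1].upper()
        if values(attrs, "source") != [source]:
            continue  # different database: a same-named object there is unrelated
        if cls == "as-set" and name == set_name:
            listed += values(attrs, "members")
        elif cls == "aut-num":
            backrefs[name].update(values(attrs, "member-of"))
    accepted = [m for m in listed if set_name in backrefs[m]]
    rejected = [m for m in listed if set_name not in backrefs[m]]
    return accepted, rejected
```

AS64502 is rejected even though it has a "member-of: AS-EXAMPLE" line, because that aut-num lives in a different source than the as-set that lists it.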