nanog mailing list archives
Re: [admin] [summary] RE: YouTube IP Hijacking
From: Alex Pilosov <alex () pilosoft com>
Date: Mon, 25 Feb 2008 15:22:03 -0500 (EST)
On Mon, 25 Feb 2008, Danny McPherson wrote:
> > ** Paul Wall brought up the fact that even obviously bogus routes (1/8 and 100/7) were accepted by 99% of internet during an experiment.
> I'm not sure why this would surprise anyone.
To me and you, it's not surprising. To the public, it might be. Even the majority of nanog attendees, I think, would be surprised.
> > ** What I'd like to see discussed: Issues of filtering your transit downstream customers, who announce thousands of routes. Does *anyone* do it?
> Lots of folks do. The interesting bit is that even then, those same providers would accept perhaps even those customer routes from their peers implicitly.
Well, in this case, they *aren't* filtering! (unless I am misunderstanding what you are saying, due to repeated use of 'their').
> > ** Things like PHAS won't work if hijacker keeps the origin-AS same (by getting their upstream to establish session with different ASN)
> NO, that's not even necessary. Simply originate the route from the legit AS, and then transit it with the local AS as a transit AS. AS path manipulation is trivial.
Oh yeah, d'oh! Thanks for the correction. But that is also an important point against PHAS and IRRPT filtering - they are powerless against a truly malicious hijacker (one that would register a route in IRR, add the right origin-as to AS-SET, and use the correct origin).
> > ** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively working on implementing "chain of trust" of IP space allocations?
> > * Ways to address the issue without cooperation of 3491:
> > ** Filtering anything coming out of 17557
> Bad idea.
Obviously :)
> > ** Suggestions given:
> > ** What I'd like to see discussed: Can a network operator, *today*, filter the "possibly bogus" routes from their peers, without manual intervention, and without false positives?
> Sure, if they want to dedicate an engineer to it, automate policy deployment and deal with brokenness by turning steam valves.
I'd like to see who does it, and get them to present the "operational lessons" at the next nanog!
> > * Yelling at people who don't filter
> That's been productive for over a decade now.
> > ** Per above, 3491 isn't the only one who filters. In fact, claims were made that *nobody* filters "large enough" downstreams. (beyond aspath/maxpref)
> Wrong.
Likewise, I'd like to know who does this (names) and how can we get them to present best practices at the next nanog!
-alex
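An added example, not part of the original post or thread: a sketch of three checks the message discusses (an unallocated-space filter, a PHAS-style origin-change alert, and a per-neighbor prefix filter) run over constructed announcements. The prefixes, ASNs, table contents and function names are assumptions for illustration; it shows that an announcement keeping the legitimate origin AS in its path raises no origin alert and is rejected only where the neighbor is prefix-filtered.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed sample data: documentation prefixes and private-use ASNs.
EXPECTED_ORIGIN = {net("192.0.2.0/24"): 64500}       # prefix -> legitimate origin AS
NEIGHBOR_FILTER = {64510: [net("198.51.100.0/24")]}  # filtered neighbor -> allowed prefixes
# Space treated as unallocated, as 1/8 and 100/7 were when the thread was written.
UNALLOCATED = [net("1.0.0.0/8"), net("100.0.0.0/7")]

def covering(prefix, table):
    """Most specific entry of `table` that covers `prefix`, or None."""
    matches = [n for n in table if prefix.subnet_of(n)]
    return max(matches, key=lambda n: n.prefixlen, default=None)

def check(prefix, as_path):
    """Names of the checks an announcement fails.
    as_path[0] is the neighbor it was learned from, as_path[-1] the origin."""
    prefix = net(prefix)
    failures = []
    if covering(prefix, UNALLOCATED) is not None:
        failures.append("bogon")
    known = covering(prefix, EXPECTED_ORIGIN)
    if known is not None and as_path[-1] != EXPECTED_ORIGIN[known]:
        failures.append("origin-change")       # PHAS-style alert
    allowed = NEIGHBOR_FILTER.get(as_path[0])  # None: neighbor has no prefix filter
    if allowed is not None and covering(prefix, allowed) is None:
        failures.append("neighbor-filter")
    return failures

SAMPLES = [
    ("1.2.3.0/24", [64511, 64499]),            # unallocated space
    ("192.0.2.0/25", [64511, 64501]),          # more specific, new origin
    ("192.0.2.0/25", [64511, 64501, 64500]),   # same, legitimate origin kept in path
    ("192.0.2.0/25", [64510, 64501, 64500]),   # same, via a prefix-filtered neighbor
]

if __name__ == "__main__":
    for prefix, path in SAMPLES:
        print(prefix, path, check(prefix, path) or "accepted, no alert")
```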