nanog mailing list archives
Re: "Tactical" /24 announcements
From: Amir Herzberg <amir.lists () gmail com>
Date: Mon, 9 Aug 2021 15:55:08 -0400
Bill said,

> Is this seen as route table pollution, or a necessary evil in today's world?
>
> Pollution. And it won't save you from a hijack either, since your adversary's /24 routes will compete and win for at least part of the Internet.

I agree, of course, that moving to announce every /24 would pollute the net. Note that if you use ROAs, you'll also have to make corresponding /24 ROAs, and I don't know whether this won't also have a problematic impact on the RPKI infrastructure. Not good. But:

- assuming the /24 will have a proper ROA, and ROV is reasonably deployed, this _would_ protect most of the traffic sent to the /24 from a hijacker announcing the /24 (and even more if the hijack is of a shorter prefix, of course).
- As long as ROV isn't _very_ widely deployed, it would often fail to protect against the hijack without such a measure (competing /24), so this will remain necessary (if you wish to prevent the hijack).

We've done some relevant simulations, as well as proposed a simple extension to ROV, called ROV++, which protects against such sub-prefix hijacks without requiring a competing /24 announcement, and is effective already with modest adoption (of ROV++) by BGP routers. (Should also be assisted by mixed ROV / ROV++ adoption, but we didn't do these simulations yet.) See at:

https://www.ndss-symposium.org/ndss-paper/rov-improved-deployable-defense-against-bgp-hijacking/

tl;dr: ROV++ routers would blackhole subprefix traffic rather than send it on a route which would be hijacked (i.e., if the route is to a neighbor AS that announced the legit prefix _and_ the hijacked subprefix). Simple. [And no, I'm not happy with the resulting disconnections. But it's better than a hijack imho.]

best, Amir

--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook

On Mon, Aug 9, 2021 at 12:10 PM William Herrin <bill () herrin us> wrote:
> On Mon, Aug 9, 2021 at 8:48 AM Billy Croan <BCroan () unrealservers net> wrote:
>
> > How does the community feel about using /24 originations in BGP as a tactical advantage against potential bgp hijackers? How many routers out there today would be affected if everyone did this?
>
> Hi Billy,
>
> I did some math on this years ago and it worked out to about 8.5 million IPv4 routes. That's 10 times the current table size, more than any big-iron router can handle today. If everybody did it, it'd crash the Internet.
>
> > Is this seen as route table pollution, or a necessary evil in today's world?
>
> Pollution. And it won't save you from a hijack either, since your adversary's /24 routes will compete and win for at least part of the Internet.
>
> > Are there any big networks that drop or penalize announcements like this?
>
> Not in an automated way. Which is bad news for you if you do this because it means getting folks to -undo- the restrictions they manually enforce on your specific address space is nearly impossible.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/
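The ROA/ROV/ROV++ behaviour discussed in this thread, as an added Python model that is not part of the thread or of the ROV++ paper: one router's forwarding decision for a packet toward a hijacked /24 under plain BGP, ROV, and the ROV++ blackhole rule from Amir's tl;dr, with and without the victim's competing /24 and a ROA that covers it. The AS numbers, prefixes, neighbor labels and path lengths are constructed, and ROV++ is reduced to that single rule.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int

@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    neighbor: str   # hypothetical label of the neighbor AS that sent us this route
    path_len: int   # AS_PATH length; the only tie-break this toy model uses

def rov_state(route, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not_found'."""
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not_found"
    if any(r.origin_as == route.origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"

def next_hop(dst, rib, roas, mode):
    """Neighbor this router forwards dst to, or None for a blackhole.
    mode: 'bgp' (no validation), 'rov' (drop invalid routes),
    'rovpp' (ROV plus the blackhole rule from the post's tl;dr)."""
    ip = ipaddress.ip_address(dst)
    usable = rib if mode == "bgp" else [r for r in rib if rov_state(r, roas) != "invalid"]
    matching = [r for r in usable if ip in ipaddress.ip_network(r.prefix)]
    if not matching:
        return None
    best = max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.path_len))
    if mode == "rovpp":
        best_len = ipaddress.ip_network(best.prefix).prefixlen
        for r in rib:   # did the chosen neighbor also announce an invalid subprefix covering dst?
            sub = ipaddress.ip_network(r.prefix)
            if (r.neighbor == best.neighbor and ip in sub and sub.prefixlen > best_len
                    and rov_state(r, roas) == "invalid"):
                return None   # it would hand the traffic to the hijacker: blackhole instead
    return best.neighbor

# Constructed scenario: AS 64500 holds 10.0.0.0/16, AS 64666 hijacks 10.0.1.0/24.
ROAS_16 = [ROA("10.0.0.0/16", 16, 64500)]   # ROA with no room for /24 announcements
ROAS_24 = [ROA("10.0.0.0/16", 24, 64500)]   # maxLength 24 also covers the tactical /24
RIB = [Route("10.0.0.0/16", 64500, "A", 2), Route("10.0.1.0/24", 64666, "A", 2),
       Route("10.0.0.0/16", 64500, "B", 3)]
TACTICAL = Route("10.0.1.0/24", 64500, "B", 3)   # victim's competing /24, heard via B
DST = "10.0.1.10"
```

Without a /24-capable ROA the victim's own tactical /24 is itself ROV-invalid, which is the "corresponding /24 ROAs" point; with it, a plain-BGP router still prefers the hijacker's shorter path, an ROV router picks the valid /24, and an ROV++ router blackholes rather than forward via a neighbor that also carries the invalid subprefix.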