North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: [admin] [summary] RE: YouTube IP Hijacking

  • From: Alex Pilosov
  • Date: Mon Feb 25 15:49:15 2008

On Mon, 25 Feb 2008, Danny McPherson wrote:

> > ** Paul Wall brought up the fact that even obviously bogus routes (1/8
> > and 100/7) were accepted by 99% of internet during an experiment.
> I'm not sure why this would surprise anyone.
To me and you, it's not surprising. To public, it might be. Even the 
majority of nanog attendees I think would be surprised. 

> > ** What I'd like to see discussed: Issues of filtering your transit
> > downstream customers, who announce thousands of routes. Does *anyone*
> > do it?
> Lots of folks do.  The interesting bit is that even then, those same
> providers would accept perhaps even those customer routes from their
> peers implicitly.
Well, in this case, they *aren't* filtering! (unless I am misunderstanding
what you are saying, due to repeated use of 'their').

> > ** Things like PHAS won't work if hijacker keeps the origin-AS same
> > (by getting their upstream to establish session with different ASN)
> NO, that's not even necessary.  Simple originate the route from the
> legit AS, and then transit it with the local AS as a transit AS. AS path
> manipulation is trivial.
Oh yeah, d'oh! Thanks for correction. But that is also an important point
against PHAS and IRRPT filtering - they are powerless against truly
malicious hijacker (one that would register route in IRR, add the
right origin-as to AS-SET, and use correct origin).

> > ** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively
> > working on implementing "chain of trust" of IP space allocations?
> >
> > * Ways to address the issue without cooperation of 3491:
> > ** Filtering anything coming out of 17557
> Bad idea.
Obviously :)

> > ** Suggestions given:
> > ** What I'd like to see discussed: Can an network operator, *today*,
> > filter the "possibly bogus" routes from their peers, without manual
> > intervention, and without false positives?
> Sure, if they want to dedicate an engineer to it, automate policy
> deployment and deal with brokenness by turning steam valves.
I'd hear to see who does it, and get them to present the "operational 
lessons" at the next nanog!

> > * Yelling at people who don't filter
> That's been productive for over a decade now.
> > ** Per above, 3491 isn't the only one who filters. In fact, claims
> > were made that *nobody* filters "large enough" downstreams. (beyond
> > aspath/maxpref)
> Wrong.
Likewise, I'd like to know who does this (names) and how can we get them
to present best practices at the next nanog!