North American Network Operators Group

Re: [admin] [summary] RE: YouTube IP Hijacking
On Mon, 25 Feb 2008, Danny McPherson wrote:

> > ** Paul Wall brought up the fact that even obviously bogus routes (1/8
> > and 100/7) were accepted by 99% of the internet during an experiment.
>
> I'm not sure why this would surprise anyone.

To me and you, it's not surprising. To the public, it might be. Even the
majority of NANOG attendees, I think, would be surprised.

> > ** What I'd like to see discussed: Issues of filtering your transit
> > downstream customers, who announce thousands of routes. Does *anyone*
> > do it?
>
> Lots of folks do. The interesting bit is that even then, those same
> providers would accept perhaps even those customer routes from their
> peers implicitly.

Well, in this case, they *aren't* filtering! (unless I am misunderstanding
what you are saying, due to repeated use of 'their').

> > ** Things like PHAS won't work if the hijacker keeps the origin-AS the same
> > (by getting their upstream to establish a session with a different ASN)
>
> NO, that's not even necessary. Simply originate the route from the
> legit AS, and then transit it with the local AS as a transit AS. AS path
> manipulation is trivial.

Oh yeah, d'oh! Thanks for the correction. But that is also an important
point against PHAS and IRRPT filtering - they are powerless against a truly
malicious hijacker (one that would register the route in the IRR, add the
right origin-AS to the AS-SET, and use the correct origin).

> > ** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively
> > working on implementing a "chain of trust" of IP space allocations?
> >
> > * Ways to address the issue without cooperation of 3491:
> > ** Filtering anything coming out of 17557
>
> Bad idea.

Obviously :)

> > ** Suggestions given:
> > ** What I'd like to see discussed: Can a network operator, *today*,
> > filter the "possibly bogus" routes from their peers, without manual
> > intervention, and without false positives?
>
> Sure, if they want to dedicate an engineer to it, automate policy
> deployment and deal with brokenness by turning steam valves.

I'd like to see who does it, and get them to present the "operational
lessons" at the next NANOG!

> > * Yelling at people who don't filter
>
> That's been productive for over a decade now.

> > ** Per above, 3491 isn't the only one who filters. In fact, claims
> > were made that *nobody* filters "large enough" downstreams. (beyond
> > aspath/maxpref)
>
> Wrong.

Likewise, I'd like to know who does this (names) and how we can get them to
present best practices at the next NANOG!

-alex
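The exchange above about AS path manipulation and the limits of PHAS and IRR-based filtering, as an added example that is not part of the original post: a small Python model of an origin-AS alarm, an IRR origin filter and a plain AS path comparison, run against a naive hijack, a hijack that forges the legitimate origin into the path, and a legitimate re-homing. All ASNs, prefixes and update records are constructed (ASNs from the RFC 5398 documentation range and a documentation prefix); the check functions mimic the idea behind PHAS and IRRPT, not their code.

```python
"""Origin-AS checks versus a forged AS path.

Added example, not part of the original NANOG post and not PHAS or IRRPT
code. Every ASN, prefix and update below is constructed: AS 64500-64503
are in the RFC 5398 documentation range and 203.0.113.0/24 is a
documentation prefix.
"""
from ipaddress import ip_network
from typing import Dict, NamedTuple, Set, Tuple


class Update(NamedTuple):
    prefix: str
    # Leftmost ASN is the neighbour the route was heard from, rightmost is
    # the origin, as in a BGP AS_PATH read left to right.
    as_path: Tuple[int, ...]


PREFIX = "203.0.113.0/24"

# Constructed baseline: AS 64500 legitimately originates the prefix and is
# reached through transit AS 64501.
BASELINE = Update(PREFIX, (64501, 64500))

# Constructed IRR-style route objects: prefix -> ASNs permitted to originate it.
IRR_ROUTE_OBJECTS: Dict[str, Set[int]] = {PREFIX: {64500}}


def origin_as(update: Update) -> int:
    return update.as_path[-1]


def origin_change_alarm(baseline: Update, candidate: Update) -> bool:
    """PHAS-style check in spirit: alarm only if the origin AS changed."""
    return origin_as(candidate) != origin_as(baseline)


def irr_origin_filter(update: Update) -> bool:
    """IRRPT-style check in spirit: accept if the origin is registered for
    the announced prefix or for a covering route object (the permissive
    form that also admits more-specifics)."""
    net = ip_network(update.prefix)
    return any(
        net.subnet_of(ip_network(obj_prefix)) and origin_as(update) in origins
        for obj_prefix, origins in IRR_ROUTE_OBJECTS.items()
    )


def path_change_alarm(baseline: Update, candidate: Update) -> bool:
    """Alarm on any AS path difference. A forged-origin hijack must change
    the path, but so does an ordinary re-homing, hence false positives."""
    return candidate.as_path != baseline.as_path


def evaluate(candidate: Update) -> Dict[str, bool]:
    return {
        "origin_alarm": origin_change_alarm(BASELINE, candidate),
        "irr_accepts": irr_origin_filter(candidate),
        "path_alarm": path_change_alarm(BASELINE, candidate),
    }


# Naive hijack: AS 64502 originates the prefix under its own ASN.
NAIVE_HIJACK = Update(PREFIX, (64501, 64502))

# Forged-path hijack: AS 64502 originates the prefix but writes the
# legitimate origin 64500 after itself, so it looks like a new transit
# for the real owner. Origin-based checks see nothing wrong.
FORGED_PATH_HIJACK = Update(PREFIX, (64501, 64502, 64500))

# Legitimate change: AS 64500 moves to transit AS 64503. Same origin,
# different path.
LEGIT_REHOME = Update(PREFIX, (64503, 64500))


if __name__ == "__main__":
    for name, upd in [("naive hijack", NAIVE_HIJACK),
                      ("forged-path hijack", FORGED_PATH_HIJACK),
                      ("legitimate re-home", LEGIT_REHOME)]:
        print(f"{name:20s} path={upd.as_path} -> {evaluate(upd)}")
```

The naive hijack trips the origin alarm and is rejected by the IRR filter. The forged-path hijack passes both origin checks, exactly as the quoted reply says; only the raw path comparison fires, and it fires just as loudly on the legitimate re-homing, which is the false-positive problem the message asks operators about. Nothing here attests who is allowed to be on the path, only who is allowed to be at its end.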