North American Network Operators Group


Re: [admin] [summary] RE: YouTube IP Hijacking

  • From: Danny McPherson
  • Date: Mon Feb 25 16:12:58 2008



On Feb 25, 2008, at 1:22 PM, Alex Pilosov wrote:

> Well, in this case, they *aren't* filtering! (unless I am misunderstanding
> what you are saying, due to repeated use of 'their').

What I'm saying is that best case today ISPs police routes advertised by their customers, yet they accept routes implicitly (including routes from address space that may belong to their customers) from peers. Seems a little hokey, eh?

> Oh yeah, d'oh! Thanks for the correction. But that is also an important point
> against PHAS and IRRPT filtering - they are powerless against a truly
> malicious hijacker (one that would register a route in the IRR, add the
> right origin-as to AS-SET, and use the correct origin).

Yep, pretty much.


> Sure, if they want to dedicate an engineer to it, automate policy
> deployment and deal with brokenness by turning steam valves.
> I'd hear to see who does it, and get them to present the "operational
> lessons" at the next nanog!

Maybe Curtis V. would present what ANS was doing in 1994 :-) But now we've even got things like BGP route refresh, incrementally updatable filters, and BGP soft reconfiguration to ease the deployment burden.

There have been two or three panels on this exact topic
in the past, you can find them in the index of talks.
Unfortunately, the problem hasn't changed at all.  Perhaps
we could just replay those video streams :-)

-danny
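
The two points made in this message, as an added example that is not part of the original thread: a filter built from IRR data rejects an unregistered customer announcement, the same announcement is accepted implicitly from a peer, and the filter only checks consistency with what is registered, so it passes an origin whose route object was registered by the wrong party. The AS-SET names, prefixes (RFC 5737) and ASNs (RFC 5398) are constructed, the exact-match policy is an assumption, and `audit_conflicting_origins` is a hypothetical defender-side check.

```python
import ipaddress

# Constructed IRR snapshot; none of these values come from the thread.
AS_SETS = {
    "AS-CUST-A": {64496},           # customer A's own AS
    "AS-CUST-B": {64497, 64499},    # customer B plus an AS it listed as a member
}
ROUTE_OBJECTS = {                   # (prefix, origin) pairs as registered
    ("192.0.2.0/24", 64496),
    ("203.0.113.0/24", 64497),
    ("198.51.100.0/24", 64498),     # the actual holder, not a customer here
    ("198.51.100.0/24", 64499),     # second object for the same prefix
}

def build_filter(as_set):
    """Expand an AS-SET into the (prefix, origin) pairs the IRR lists for it."""
    members = AS_SETS[as_set]
    return {(ipaddress.ip_network(p), o) for p, o in ROUTE_OBJECTS if o in members}

def accept(session, prefix, origin, as_set=None):
    """Return True if the announcement is accepted on this session type."""
    if session == "peer":
        return True                 # no per-prefix policy: accepted implicitly
    return (ipaddress.ip_network(prefix), origin) in build_filter(as_set)

def audit_conflicting_origins():
    """Flag prefixes that have route objects from more than one origin AS."""
    by_prefix = {}
    for prefix, origin in ROUTE_OBJECTS:
        by_prefix.setdefault(prefix, set()).add(origin)
    return {p: sorted(o) for p, o in by_prefix.items() if len(o) > 1}

if __name__ == "__main__":
    cases = [
        ("customer", "198.51.100.0/24", 64496, "AS-CUST-A"),  # unregistered
        ("peer",     "198.51.100.0/24", 64496, None),         # same route via peer
        ("customer", "198.51.100.0/24", 64499, "AS-CUST-B"),  # registered, wrong party
    ]
    for session, prefix, origin, as_set in cases:
        verdict = "accept" if accept(session, prefix, origin, as_set) else "reject"
        print(f"{session:8} {prefix} AS{origin}: {verdict}")
    print("review:", audit_conflicting_origins())
```

The audit catches the conflict only because a second, legitimate route object exists for the same prefix; it is a review aid, not proof of who holds the address space.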