North American Network Operators Group


Re: community real-time BGP hijack notification service

  • From: Hank Nussbacher
  • Date: Sun Sep 14 05:22:31 2008

At 03:07 PM 12-09-08 +0100, Andy Davidson wrote:

On 12 Sep 2008, at 13:49, Nathan Ward wrote:

On 12/09/2008, at 10:42 PM, Gadi Evron wrote:

Hi, WatchMy.Net is a new community service to alert you when your prefix
has been hijacked, in real-time.

I just had a quick play with this, as I've been considering hacking
together something similar.

Everyone with any interest in this topic should look at the MyASN service from the RIPE NCC (which I use and think is brilliant).

http://www.ris.ripe.net/myasn.html

"
The MyASN service notifies network operators when a prefix is
announced with an incorrect AS path. An AS path is seen as incorrect
when it does not match with a regular expression. As not everyone is
familiar with regular expressions, MyASN provides several easy ways to
define typical checks, like "the origin of this prefix must be AS x"
or "the origin of this prefix must be AS x and transit may be provided
through y or z". However, as any AS path regular expression can be
set, the MyASN service is suitable for regular expressions gurus as
well.
"

To address Nathan's point, I recommend the RIPE service because for
such a service to be ubiquitously useful, it needs to have many eyes
(a view of routing tables at lots of points on the internet) which is
where the very well peered situation of RIS comes into effect.  At the
last RIPE meeting I think I saw RIS had over 600 peers, which it
collects at internet exchange points all over the world.

I have used IAR, PHAS and MyASN and I can say I would not recommend myASN. It is a cumbersome system and very non-intuitive. It is based on an ASN-centric model, whereby each ASN is in its own realm. So if you manage *one* ASN, perhaps this system might work for you. But if you have about 10 ASNs you want to manage, in one central spot, you are out of luck here. Also, you would expect the system to "auto-learn" what prefixes exist under your ASN and then you would have perhaps check boxes to disable or enable monitoring for specific prefixes. With myASN you have to manually type in each and every prefix you have. The same holds true for the newer http://ripe.net/is/alarms/. They also differentiate between origin and transit ASN. Their summary view doesn't show which prefixes are being monitored. No help or FAQ available yet on the beta alarms system.


PHAS doesn't look at ASNs just prefixes. You have to register each and every prefix via their site at: http://phas.netsec.colostate.edu/subscribe.html
Problem is to remove prefixes you have to totally unsubscribe via:
http://phas.netsec.colostate.edu/unsubscribe.html
You can't manage/unsubscribe individual prefixes. And if you registered years ago before they instituted the ID and key factor for unsubscribing (as I did), you have no way to figure out how to unsubscribe from their email notices. Their notices provide many false alarms based on my observation over the past few years.


The best system so far would be IAR: http://iar.cs.unm.edu/
The email notices are pretty much on time and accurate. Problem is they have changed the system and I believe some forum page/link has been lost that allows one to manage existing subscriptions as per: http://iar.cs.unm.edu/alerts.php#email


Now for the new boy in town - Watchmy.net. When you register it doesn't say you need at least an 8 char pswd. I did 7. So it wipes out all form data entered (name, phone number, etc.) and makes you start again from scratch. The Web interface seems the most intuitive of all 4 but since I am just starting to use it - I will only discover the warts over the next week.

In general, academic systems like UNM and Colostate are the baby of some post-doc and then disappear after they leave or move on. By nature, CS and EE departments don't like or care to run production systems. That is why I had high hopes for the RIPE system, which unfortunately, IMHO, is the worst. It is funded via membership dues and one would expect that the authors would poll the RIPE community for what functionality they would need. That has not been done. Even when they get feedback (as far back as 2003) they just ignore it and continue doing the development based on what they *believe* is what we need, rather than *asking* what we need. That is why I am hoping that Watchmy.Net will not only listen to the community needs, but also have a commitment for long term maintenance.

Regards,
Hank



best wishes
Andy
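
The kind of check the quoted MyASN description outlines, as an added example that is not part of the original thread or of any of the services' code: AS-path regular expressions for "origin must be AS x" and "origin x with transit through y or z", run over constructed announcements. The prefixes, AS numbers and function names are assumptions (documentation ranges); also flagging more-specific announcements of a monitored prefix goes beyond what the quoted text describes.

```python
import ipaddress
import re

# Constructed policy. Each regex is matched against the space-separated
# AS path as seen by a collector (nearest AS first, origin AS last).
POLICY = {
    # "the origin of this prefix must be AS x" (prepending allowed)
    "192.0.2.0/24": re.compile(r"^(\d+ )*64500$"),
    # "origin must be AS x and transit may be provided through y or z"
    "198.51.100.0/24": re.compile(r"^(\d+ )*(64510|64511)( 64500)+$"),
}

def check(prefix, as_path, policy=POLICY):
    """Return an alert string if the announcement violates policy, else None."""
    net = ipaddress.ip_network(prefix)
    path = " ".join(str(asn) for asn in as_path)
    for watched, rx in policy.items():
        wnet = ipaddress.ip_network(watched)
        # Covers the exact prefix and any more-specific carved out of it.
        if net.version == wnet.version and net.subnet_of(wnet):
            if rx.match(path):
                return None
            kind = "exact" if net == wnet else "more-specific"
            return (f"ALERT {prefix} ({kind} of {watched}): "
                    f"path '{path}' does not match {rx.pattern}")
    return None  # prefix is not monitored

# Constructed observations: (announced prefix, AS path).
OBSERVED = [
    ("192.0.2.0/24", [64496, 64510, 64500]),     # expected origin
    ("192.0.2.0/24", [64496, 64666]),            # wrong origin
    ("192.0.2.128/25", [64497, 64666]),          # more-specific, wrong origin
    ("198.51.100.0/24", [64496, 64499, 64500]),  # right origin, unexpected transit
    ("203.0.113.0/24", [64496, 64666]),          # not monitored
]

def run(observed=OBSERVED):
    """Return the alerts raised by the observations, in order."""
    return [a for prefix, path in observed if (a := check(prefix, path))]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```
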