nanog mailing list archives

Re: Hijacked Network Ranges
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 6 Feb 2012 02:06:24 -0500

On Mon, Feb 6, 2012 at 1:35 AM, Mark Tinka <mtinka () globaltransit net> wrote:
> On Monday, February 06, 2012 01:14:20 PM Christopher Morrow
>
> We manually check the RIR WHOIS database. I'm sure some

do you have customers with 10k long prefix lists? it gets hard when
the lists get long, or the data is for downstream folks of your
customer. Good that someone's checking though, I'd love to see this
part automated.

>> resource certification would at least get us to the point
>> where checking the data in the IRR is 'easy', it's not
>> going to get people to PUT FILTERS ON CUSTOMER SESSIONS,
>> and it's not going to get people to update their IRR
>> objects (add AND DELETE!!!)
>
> I support RPKI, but also realize that operator support will
> take a very long time for various reasons, e.g., education,
> delayed software upgrades, persistence with older methods,
> fear of centralization, etc.
>
> In such a case, operators will need to support "Invalid" and
> "NotFound" states of origin information for a long time. As

RPKI doesn't necessarily mean that the router knows anything about
certificates in the short-term. I think there's a time when 'the
resource certification system' (which is really, today, the rpki)
holds cert/roa data that you could use to filter what the IRR tells
you for a customer. You could even do this in an automated manner!

> adoption and deployment increases, operators can begin
> dropping "Invalid" results, "NotFound" results, or both. Or
> even mark them down with poor LOCAL_PREF values so as not to
> use those routes for forwarding unless it is really
> necessary.

The time between the previous and next paragraphs though is when all
ISPs will need to beat the drums with their customers saying: "Hey,
you REALLY need to get that shit into the 'resource certification
system' (rpki), NOW." (because shortly we'll stop accepting your
"invalid" routes... and then the interwebs won't be able to find you,
and we'll all be sad.)

> At some point, when diffusion of RPKI is sufficiently
> prolific, anything that does not return a "Valid" result
> will be dropped. This should force every operator around the
> world to support it, much like the large carriers forced us
> all to use IRRs just so they won't ignore our routes,
> wherever we are in the world.
>
> But before all this happens, we have to prevent more
> hijacks. And we have to use the tools we have today.

sure... it's not working so well though :(
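The two pieces this exchange keeps circling, running a customer's IRR-derived prefix list through RPKI origin validation (RFC 6811, with its Valid, Invalid and NotFound outcomes) and then mapping each outcome to a LOCAL_PREF or a reject, as an added Python example. It is not code from either poster. The ROAs, route objects and ASNs are constructed sample data drawn from documentation prefixes and the private ASN range, and the LOCAL_PREF values are an illustrative policy, not anyone's production configuration.

```python
"""Origin-validate an IRR-derived customer prefix list against ROAs and
map each result to a LOCAL_PREF (or a reject).

Added example for this thread; ROAs, route objects and ASNs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA as a relying-party cache hands it to a router:
    prefix, maxLength, origin ASN.  Origin AS 0 means 'no origin is valid'."""
    prefix: IPNetwork
    max_length: int
    origin_asn: int


def roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    return ROA(ipaddress.ip_network(prefix), max_length, origin_asn)


# Constructed sample ROAs (documentation prefixes, private ASNs).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("198.51.100.0/24", 25, 64497),
    roa("203.0.113.0/24", 24, 0),        # AS0 ROA: nothing under it is Valid
    roa("2001:db8::/32", 48, 64496),
]


def covers(r: ROA, prefix: IPNetwork) -> bool:
    """A ROA covers a route when the announced prefix lies inside the ROA's
    prefix (same address family; route length >= ROA length)."""
    return prefix.version == r.prefix.version and prefix.subnet_of(r.prefix)


def validate(prefix: IPNetwork, origin_asn: int, roas: List[ROA]) -> str:
    """RFC 6811 route-origin validation.

    NotFound: no ROA covers the prefix.
    Valid:    some covering ROA names this origin AS and the route is no
              longer than that ROA's maxLength.
    Invalid:  covered, but no ROA matches (wrong origin, too specific, AS0).
    """
    covering = [r for r in roas if covers(r, prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_asn != 0 and r.origin_asn == origin_asn \
                and prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


# Illustrative LOCAL_PREF policy: prefer Valid, leave NotFound at the
# default, and either depref or (with drop_invalid) reject Invalid.
LOCAL_PREF = {"Valid": 200, "NotFound": 100, "Invalid": 50}


def local_pref_for(state: str, drop_invalid: bool = False) -> Optional[int]:
    """LOCAL_PREF to set for a route in `state`; None means reject it."""
    if state == "Invalid" and drop_invalid:
        return None
    return LOCAL_PREF[state]


Row = Tuple[str, int, str, Optional[int]]


def check_customer_prefix_list(irr_routes: List[Tuple[str, int]],
                               roas: List[ROA],
                               drop_invalid: bool = False) -> List[Row]:
    """Validate each IRR route object (prefix, origin) and return
    (prefix, origin, state, local_pref) rows; local_pref None = do not accept."""
    rows = []
    for prefix_str, origin in irr_routes:
        state = validate(ipaddress.ip_network(prefix_str), origin, roas)
        rows.append((prefix_str, origin, state, local_pref_for(state, drop_invalid)))
    return rows


def summarize(rows: List[Row]) -> dict:
    """Count rows per validation state."""
    counts = {"Valid": 0, "NotFound": 0, "Invalid": 0}
    for _, _, state, _ in rows:
        counts[state] += 1
    return counts


# Constructed IRR route objects, as a customer's as-set might expand to.
SAMPLE_IRR_ROUTES = [
    ("192.0.2.0/24", 64496),      # Valid
    ("192.0.2.0/25", 64496),      # Invalid: longer than maxLength 24
    ("198.51.100.0/25", 64497),   # Valid: maxLength 25 allows it
    ("198.51.100.0/24", 64498),   # Invalid: wrong origin
    ("203.0.113.0/24", 64499),    # Invalid: AS0 ROA
    ("198.18.0.0/15", 64500),     # NotFound: no covering ROA
    ("2001:db8:1::/48", 64496),   # Valid
    ("2001:db8:1::/56", 64496),   # Invalid: longer than maxLength 48
]

if __name__ == "__main__":
    rows = check_customer_prefix_list(SAMPLE_IRR_ROUTES, SAMPLE_ROAS, drop_invalid=True)
    for row in rows:
        print(row)
    print(summarize(rows))
```

The NotFound rows are the ones Mark's long-transition point is about: they are neither proven good nor proven bad, so the policy leaves them at the default rather than dropping them, and only the Invalid rows change behaviour when `drop_invalid` is switched on.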


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault