Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

• Previous message (by thread): Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
• Next message (by thread): Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi chris,

2012/1/23 Christopher Morrow <morrowc.lists at gmail.com>

> On Fri, Jan 20, 2012 at 8:08 AM, Yang Xiang
> <xiangy08 at csnet1.cs.tsinghua.edu.cn> wrote:
> > 2012/1/20 Arturo Servin <aservin at lacnic.net>
>
> >> > while Argus can discover potential hijackings caused by anomalous AS
> >> path.
>
> reading the preceding section (III.B) you check 3 things in the AMM
> (anomaly monitoring module)
>  1) proper origin (based on what?)
>  2) anomalous neighbour (based on what?)
>  3) policy anomaly (where did you determine the policy?)
>
> later text seems to imply you track some history (1 months worth) and
> use that as a baseline, for at least the neighbour and origin data.
> The policy data isn't clearly outlined though, where did that come
> from? (there's a note about use of whois, which could cover some of
> this, but certainly not all)
>
yes, we use history as a baseline for both the origin, neighbor and policy
data.
origin data: a history of <prefix, origin_AS> mappings,
neighbor data: a history of every "adjacent two ASes" in all AS paths
received from BGPmon,
policy data: a history of every "adjacent three ASes" (AS triple) in all AS
paths.

origin and neighbor data is intuitive.
for policy data, we do not gather the exact routing policies,
since they are usually private.
In Argus, we use all "adjacent three ASes" in all AS paths as the policy
data.
this is because:
1), AS triples reflect the import/export routing policies;
2), while monitoring BGP updates, we only need to discover 'possible’
hijackings, but not 'exact' hijackings.
  after figure out a possible hijacking, the hijacking identification
process will be launched and make the final judgement.



>
> The data plane testing you propose is from the public route-servers
> (eyes), which don't import the path you want, well routeviews I think
> doesn't import routes to it's FIB (or maybe I'm mistaken...) but point
> being with more than one peer on the routeserver it's not clear you
> would be taking the path you actually want to test anyway, is it?
>
yes, each route-server usually has several route to the target prefix.
In Argus, we use the commands (i.e., "show route exact active-path”) to get
the 'best routes' of the prefix,
and consider it as the route in FIB:


>
> -chris
>
>


-- 
_________________________________________
Yang Xiang. Ph.D candidate. Tsinghua University
Argus: argus.csnet1.cs.tsinghua.edu.cn

• Previous message (by thread): Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
• Next message (by thread): Why not to use RPKI (Was Re: Argus: a hijacking alarm system)
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]