Prefix hijacking by Michael Lindsay via Internap

Martin Millnert millnert at
Fri Sep 2 19:16:56 UTC 2011

On Wed, Aug 31, 2011 at 12:56 PM, Denis Spirin <noc at> wrote:
> So, noone is protected from IP network stealing. And noone cares. If
> Internap or it's uplinks was more clever and more insistent - we really had
> a chance to lost our networks forever.

Denis, I think you handled it pretty well from your end.

> I definitely sure we need to found and implement some practice for prevent IP
> hijacking. I dug a lot of things about secure routing, PKI signing and so on -
> there are no working solutions now, as well as will not be in near future.

As has been referred in this thread a few times already, there's been
a long recent discussion on BGPSEC+RPKI in RIPE's address-policy
working group.

Because big red "remove-it" buttons inevitably leads to things like
"Recently the regulator made it impossible for Pakistanis to access
the website of Rolling Stone magazine, after it published an article
on the high proportion of the national budget in Pakistan that goes on
its military."

> But it is possible to negotiate and arrange the formal (administrative) best
> practice for resolving and preventing such issues. Is there any ideas?

I offer: Keep records, talk to people, keep domain names. Network with
people, use GPG (perhaps even put fingerprint on business card?), and
so on.

With the latest incarnation of utter failure of the CA trust
model/design for websites, there seems to be renewed energy into
providing alternative ways to model (distributed) trust.  It looks
like to me that we're moving towards a multi-source based trust system
more and more ( , ). I guess something similar will happen with
BGP data (it's suggested to be one of several metrics in convergence),
or they may just end up being pretty much the same system.  *This* is
the general path forward for a robust future Internet...

Best regards,

More information about the NANOG mailing list