Hijacked Network Ranges

Mark Tinka mtinka at globaltransit.net
Mon Feb 6 06:35:35 UTC 2012

On Monday, February 06, 2012 01:14:20 PM Christopher Morrow 

>   o not having filters at all (pccw/pktel)

Well, we know what this leads to (part of the reasons you 
find some eBGP sessions carrying /25's or longer + RFC 1918 
space is because of this).

>   o filtering using old/stale data (ntt/l3)

Well, we think that this problem resolves itself rather 

	o If a customer is not getting traffic hitting a
 	  prefix, they'll check with their upstream on if
	  their prefix is being received and propagated.

	o If a customer is not seeing their prefix on the
	  Internet, they'll check with their upstream on if
	  their prefix is being received and propagated.

	o If a customer starts announcing a new prefix
	  without updating their upstream, one e-mail or
	  phone call to the upstream will get this fixed.

In all cases above, it's better not to have an unauthorized 
prefix in the yonder than have open filters, because one is 
more likely to quickly get resolved without any colleteral 
than the other.

> why aren't filters applied at all? ("its hard, people
> keep asking me to update them, bah! work!")

Well, so was running the Internet without BGP communities or 
prefix lists or AS_PATH filters, until they appeared. And 
while some folk still use so-called "distribute lists" 
today, it's fine with me as long as they maintain secure 
operations with whatever solution they choose, hard or easy.

Some ISP's have automated this process either by using 
internal IRR software, or scripting web GUI's that their NOC 
can use to simply stick in the prefix, select which router 
to update, and bam!

Compared to the alternative, this is a small price to pay.

> why aren't filter data bases kept up to date? ("its hard,
> i have to email something to radb/altdb/etc... bah,
> work!")...

That's why we use the RIPE RR. They have a cool web GUI that 
you can use to edit on object, including IRR data (and 
they're respected by all other major RR's and operators):


It certainly beats the old "MAIL FROM" system, although I 
believe that is still operational.

> why aren't checks of the filter data simple and
> mechanical? (and accurate?) ("Bah! work! plus, have you
> looked at the ouptput? bah! work!")

See above.

We manually check the RIR WHOIS database. I'm sure some 
networks might automate this with an internal system that 
checks the RIR WHOIS database, and probably integrates with 
their provisioning system that can automatically create and 
update filters on routers. I don't know...

But it's certainly better than the alternative.

> resource certification would at least get us to the point
> where checking the data in the IRR is 'easy', it's not
> going to get people to PUT FILTERS ON CUSTOMER SESSIONS,
> and it's not going to get people to update their IRR
> objects (add AND DELETE!!!)

I support RPKI, but also realize that operator support will 
take a very long time for various reasons, e.g., education, 
delayed software upgrades, persistence with older methods, 
fear of centralization, e.t.c.

In such a case, operators will need to support "Invalid" and 
"NotFound" states of origin information for a long time. As 
adoption and deployment increases, operators can begin 
dropping "Invalid" results, "NotFound" results, or both. Or 
even mark them down with poor LOCAL_PREF values so as not to 
use those routes for forwarding unless it is really 

At some point, when diffusion of RPKI is sufficiently 
prolific, anything that does not return a "Valid" result 
will be dropped. This should force every operator around the 
world to support it, much like the large carriers forced us 
all to use IRR's just so they won't ignore our routes, 
wherever we are in the world.

But before all this happens, we have to prevent more 
hijacks. And we have to use the tools we have today.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20120206/ea1bda25/attachment.sig>

More information about the NANOG mailing list