Hijacked Network Ranges

Christopher Morrow morrowc.lists at gmail.com
Mon Feb 6 07:06:24 UTC 2012

On Mon, Feb 6, 2012 at 1:35 AM, Mark Tinka <mtinka at globaltransit.net> wrote:
> On Monday, February 06, 2012 01:14:20 PM Christopher Morrow

> We manually check the RIR WHOIS database. I'm sure some

do you have customers with 10k long prefix lists? it gets hard when
the lists get long, or the data is for downstream folks of your
customer. Good that someone's checking though, I'd love to see this
part automated.

>> resource certification would at least get us to the point
>> where checking the data in the IRR is 'easy', it's not
>> going to get people to PUT FILTERS ON CUSTOMER SESSIONS,
>> and it's not going to get people to update their IRR
>> objects (add AND DELETE!!!)
> I support RPKI, but also realize that operator support will
> take a very long time for various reasons, e.g., education,
> delayed software upgrades, persistence with older methods,
> fear of centralization, e.t.c.
> In such a case, operators will need to support "Invalid" and
> "NotFound" states of origin information for a long time. As

RPKI doesn't necessarily mean that the router knows anything about
certificates in the short-term. I think there's a time when 'the
resource certification system' (which is really, today, the rpki)
holds cert/roa data that you could use to filter what the IRR tells
you for a customer. You could even do this in any automated manner!

> adoption and deployment increases, operators can begin
> dropping "Invalid" results, "NotFound" results, or both. Or
> even mark them down with poor LOCAL_PREF values so as not to
> use those routes for forwarding unless it is really
> necessary.

The time between the previous and next paragraphs though is when all
isp's will need to beat the drums with their customers saying: "Hey,
you REALLY need to get that shit into the 'resource certification
system' (rpki), NOW." (because shortly we'll stop accepting your
"invalid" routes... and then the interwebs won't be able to find you,
and we'll all be sad.)

> At some point, when diffusion of RPKI is sufficiently
> prolific, anything that does not return a "Valid" result
> will be dropped. This should force every operator around the
> world to support it, much like the large carriers forced us
> all to use IRR's just so they won't ignore our routes,
> wherever we are in the world.
> But before all this happens, we have to prevent more
> hijacks. And we have to use the tools we have today.

sure... it's not working so well though :(

More information about the NANOG mailing list