questions regarding prefix hijacking

Martin T m4rtntns at gmail.com
Thu Aug 8 14:48:31 UTC 2013


Saku,


> In most cases upstream does not do any automatic prefix filter generation, it's maybe somewhat popular in mid-sized European shops but generally not too common.

What do you mean? In most cases upstreams do not filter prefixes at all?


> There is active on-going work to secure BGP and you may want to read up on 'RPKI' which is further along that track.

Thanks for mentioning this! Very interesting effort. I validated some
routes in the LIR portal and verified that they are validated using the RIPE
rpki-validator tool and a Juniper router connected to the validator:

rpki@lr1.ham1.de> show validation session detail
Session 195.13.63.18, State: up, Session index: 2
  Group: eurotransit-testbed, Preference: 100
  Local IPv4 address: 193.34.50.25, Port: 8282
  Refresh time: 120s
  Hold time: 180s
  Record Life time: 3600s
  Serial (Full Update): 559
  Serial (Incremental Update): 559
    Session flaps: 0
    Session uptime: 00:11:35
    Last PDU received: 00:00:27
    IPv4 prefix count: 4921
    IPv6 prefix count: 833

rpki@lr1.ham1.de> show route protocol bgp 5.11.81.0

inet.0: 456407 destinations, 456408 routes (456407 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.11.81.0/24       *[BGP/170] 00:11:59, localpref 110, from 79.141.168.1
                      AS path: 33926 25577 43532 I, validation-state: valid
                    > to 193.34.50.1 via em0.0

RPKI-valid.inet.0: 11440 destinations, 11440 routes (11440 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

5.11.81.0/24       *[BGP/170] 00:11:11, localpref 110, from 79.141.168.1
                      AS path: 33926 25577 43532 I, validation-state: valid
                    > to 193.34.50.1 via em0.0

rpki@lr1.ham1.de>



Massimiliano, Paul, Indra:

Thanks for pointing out those interesting cases!



regards,
Martin

2013/8/8, Carlos Martinez-Cagnazzo <carlosm3011 at gmail.com>:
> They do happen, but they get little publicity. People that I've talked to
> about this say, for reasons mostly unspecified, they'd rather not talk
> about it.
>
>
> On Wed, Aug 7, 2013 at 6:06 PM, Christopher Morrow
> <morrowc.lists at gmail.com> wrote:
>
>> On Wed, Aug 7, 2013 at 4:59 PM, Marsh Ray <maray at microsoft.com> wrote:
>> >
>> > It would be incredibly useful for someone to start a page or a category
>> > on Wikipedia "List of Internet Routing and DNS Incidents" that would
>> > include both "accidental" and malicious events.
>> >
>>
>> do we really need that? they seem to occur often enough that that
>> isn't really required :(
>>
>>
>
>
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.me <http://cagnazzo.name>
> =========================
>
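
The validation-state field in the router output above is the result of route origin validation (RFC 6811) against the records the validator feeds to the router. The following is an added example, not part of the original message and not code from the RIPE validator or Junos; the VRP entries are constructed for illustration (only the prefix 5.11.81.0/24 and origin AS 43532 come from the output above), and "unknown" is used for the RFC's NotFound state, as Junos prints it.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max length, origin AS).
# Assumption: these are NOT real ROA contents; only 5.11.81.0/24 and AS43532
# are taken from the router output in the message.
SAMPLE_VRPS = [
    ("5.11.80.0/21", 24, 43532),
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64500),
]

def origin_as(as_path):
    """Return the origin AS of a Junos-style AS path such as '33926 25577 43532 I'."""
    # Drop the trailing origin code (I = IGP, E = EGP, ? = incomplete).
    tokens = [t for t in as_path.split() if t not in ("I", "E", "?")]
    # An empty path or a final AS_SET ('{...}') has no usable origin (RFC 6811).
    if not tokens or not tokens[-1].isdigit():
        return None
    return int(tokens[-1])

def validation_state(prefix, as_path, vrps=SAMPLE_VRPS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'unknown'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if vrp_net.version != route.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # Match: route not longer than max length, same origin, and not AS0.
        if route.prefixlen <= max_len and origin == vrp_as and vrp_as != 0:
            return "valid"
    # Covered but never matched means the announcement contradicts a ROA.
    return "invalid" if covered else "unknown"

if __name__ == "__main__":
    for pfx, path in [
        ("5.11.81.0/24", "33926 25577 43532 I"),   # route from the output above
        ("5.11.81.0/24", "33926 64511 I"),          # same prefix, different origin
        ("5.11.81.0/25", "33926 25577 43532 I"),   # longer than max length
        ("198.51.100.0/24", "64500 I"),             # no covering VRP
    ]:
        print(f"{pfx:18} {path:24} {validation_state(pfx, path)}")
```

A route is only dropped or depreferenced if the router's import policy acts on the state; the validation result alone changes nothing.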


