Prefix hijacking, how to prevent and fix currently

George, Wes wesley.george at twcable.com
Fri Aug 29 12:13:45 UTC 2014


On 8/28/14, 11:28 PM, "Mark Andrews" <marka at isc.org> wrote:

>       The long term solution is to deploy RPKI and only use
>       transits which use RPKI. No RPKI support => no business.
>       Additionally make RPKI a peering requirement.

WG] So should we ask for that before, or after we get everyone to roll out
IPv6 everywhere by voting with our wallets?

*ducks*

On 8/28/14, 11:24 PM, "Fred Baker (fred)" <fred at cisco.com> wrote:

>Are providers that neighbor with them implementing RPKI?
>If not, complain to the folks not indicating RPKI and therefore accepting
>a hijacked prefix.

WG]

%s/RPKI/inbound route filtering on downstream customers/g

There, FTFY

Tarun, other than directly contacting the originator, I recommend that you
complain to their upstream provider(s) (the neighboring ASN(s) in the
AS-Path) that they are accepting routes from their customer that they
shouldn't be, include proof that you own the block they are announcing,
and ask them to apply a prefix filter. Yes, this presupposes that you can
find valid contact info in whois or peeringdb, but it's the best we've got
right now.

RPKI isn't likely to fix this anytime soon, because it's mostly not
deployed where it needs to be to affect this problem. And just like
inbound route filtering and lots of other protective security measures,
[1, 2] and eating your vegetables, and getting more exercise, most folks
agree that it would help, but it's only useful with wide deployment, which
mostly needs to happen on "everyone else's network", and those things all
have an additional cost (time, money, or both) to deploy and maintain. The
unfortunate thing is that RPKI arguably takes more work than the others,
with a much longer time-horizon to see benefit during the incremental
deployment period.

Wes George

[1] https://www.routingmanifesto.org/manifesto/
[2] http://tools.ietf.org/html/draft-ietf-opsec-bgp-security
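Added example (not part of the thread, and not code from any of the posters): a small
Python model of the two checks the post contrasts, run on constructed data. An
upstream that filters inbound routes on a customer session accepts only prefixes the
customer has documented for that session; RPKI route origin validation (RFC 6811
semantics) instead compares the route's origin AS against ROAs and yields Valid,
Invalid or NotFound. The prefixes are RFC 5737 documentation blocks, the ASNs are
private-use numbers, and the "allowed prefix" table and ROAs are all made up for the
illustration. The last sample route shows why the reply prefers customer prefix
filters: a customer that forges the victim's ASN as origin passes origin validation
but still fails the inbound filter.

```python
"""Constructed model of inbound customer prefix filtering vs. RPKI origin validation.

Nothing here is real routing data: prefixes are RFC 5737 documentation blocks,
ASNs are private-use, and the allowed-prefix table and ROAs are invented.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost = neighbor we learned it from, rightmost = origin AS


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


def _net(p):
    return ipaddress.ip_network(p, strict=False)


def covers(parent: str, child: str) -> bool:
    """True if `child` is equal to or more specific than `parent` (same IP version)."""
    a, b = _net(parent), _net(child)
    return a.version == b.version and b.subnet_of(a)


def passes_customer_filter(route: Route, neighbor_asn: int, allowed: dict) -> bool:
    """Inbound filter on a customer session: accept only prefixes the customer has
    documented (LOA/IRR). `allowed` maps customer ASN -> [(prefix, max_length), ...].
    The first hop of the path must also be the customer's own ASN."""
    if route.as_path[0] != neighbor_asn:
        return False
    net = _net(route.prefix)
    return any(
        covers(pfx, route.prefix) and net.prefixlen <= max_len
        for pfx, max_len in allowed.get(neighbor_asn, [])
    )


def rov_state(route: Route, roas) -> str:
    """RFC 6811 origin validation: Valid if some covering ROA matches the origin AS
    and the prefix length is within maxLength; Invalid if ROAs cover the prefix but
    none match; NotFound if no ROA covers it at all."""
    origin = route.as_path[-1]
    net = _net(route.prefix)
    covering = [r for r in roas if covers(r.prefix, route.prefix)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin and net.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"


def evaluate(route: Route, neighbor_asn: int, allowed: dict, roas) -> dict:
    return {
        "prefix": route.prefix,
        "filter": "accept" if passes_customer_filter(route, neighbor_asn, allowed) else "reject",
        "rov": rov_state(route, roas),
    }


# Constructed scenario: we are the upstream, AS64500 is our customer session.
CUSTOMER_ASN = 64500
ALLOWED_PREFIXES = {64500: [("192.0.2.0/24", 24)]}          # what AS64500 documented to us
ROAS = [                                                     # invented ROAs
    Roa("192.0.2.0/24", 24, 64500),
    Roa("198.51.100.0/24", 24, 64501),                       # the "victim" block, AS64501
]
SAMPLE_ROUTES = [
    Route("192.0.2.0/24", (64500,)),           # customer's own block: accept / Valid
    Route("198.51.100.0/24", (64500,)),        # hijack of the victim block: reject / Invalid
    Route("198.51.100.128/25", (64500,)),      # more-specific hijack: reject / Invalid
    Route("198.51.100.0/24", (64500, 64501)),  # forged origin AS: reject / Valid (ROV alone misses it)
    Route("203.0.113.0/24", (64500,)),         # block with no ROA: reject / NotFound
]


def check_all():
    return [evaluate(r, CUSTOMER_ASN, ALLOWED_PREFIXES, ROAS) for r in SAMPLE_ROUTES]


if __name__ == "__main__":
    for res in check_all():
        print(f"{res['prefix']:20} filter={res['filter']:6} rov={res['rov']}")
```

Running it prints one line per sample route. The fourth line is the one to notice: with
the victim's ASN forged as origin, origin validation returns Valid, so only the inbound
prefix filter on the customer session rejects that announcement.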



More information about the NANOG mailing list