Prefix hijacking, how to prevent and fix currently

Saku Ytti saku at ytti.fi
Tue Sep 2 06:36:40 UTC 2014


On (2014-09-01 21:34 +0000), Sriram, Kotikalapudi wrote:

Hi Sriram,

Please help me understand the argument.

> Some Org. D can maliciously announce a subprefix under Org. C's prefix,
> and get away with it due to the 'Loose' mode.

So C is advertising valid 192.0.2.0/24
Is D advertising valid 192.0.2.0/23?

This is unfixable problem? If D is advertising invalid or unknown, C would
still work and win, as longest prefix match is done first to the 'valid'
population, if search is found, other populations are not searched.

> I think, 'Loose mode', if used at all, should not be used beyond a short grace period.

We need to be pragmatic and ready to compromise. Right now deploying RPKI puts
you in competitive disadvantage, loose mode would remove the business risk and
make it easier to justify deployment.

-- 
  ++ytti


More information about the NANOG mailing list