BGP route hijack by AS10990

Mark Tinka mark.tinka at seacom.com
Sat Aug 1 20:38:57 UTC 2020



On 1/Aug/20 21:03, Sabri Berisha wrote:

> The same can be said here. Noction and/or its operators appear to not understand
> how BGP works, and/or what safety measures must be deployed to ensure that the
> larger internet will not be hurt by misconfiguration.

I think the latter would be more appropriate. Their implementation of
BGP is likely correct, but they aren't putting any emphasis on what the
deployment of their use-case can do to global BGP security and
performance. This is where I'd say they can add more focus.


> I also agree with Job, that Noction has some responsibility here. And as I
> understand more and more about it, I must now agree with Mark T that this
> was an avoidable incident (although not because of Telia, but because of Noction's
> decision to not enable NO_EXPORT by default).

I see it differently.

The chain is only as strong as its weakest actor. It is not unreasonable
to expect that global actors of significant scale have enough clue to
make sure any mistakes committed downstream are not propagated by them
to the rest of the Internet.

So while I do not absolve Noction (and their customer) of any
responsibility here, I'd apportion the blame as:

    - Telia 51%
    - Noction 30%
    - Noction's customer 19%

When the weaker chains of the link fail, we should be able to count on
the strongest chain in that link to be the last line of defence...
Telia, in this case. Simply for no other reason than they "know best",
and have such global scope which comes with significant responsibility.

But that isn't to say that Noction and their customer cannot do
better either. After all, BGP security and performance only work well
when we all do our part, and not just some of us.

Mark.



