Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

Mike Hammett nanog at ics-il.net
Sat Aug 1 23:43:26 UTC 2020


Was Tulix using Noction, or was it something else that caused their particular issue? 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

----- Original Message -----

From: "Job Snijders" <job at instituut.net> 
To: nanog at nanog.org 
Sent: Saturday, August 1, 2020 11:58:12 AM 
Subject: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990) 

On Sat, Aug 01, 2020 at 06:50:55AM -0700, Ca By wrote: 
> I am not normally supporting a heavy hand in regulation, but i think it is 
> fair to say Noction and similar BGP optimizers are unsafe at any speed and 
> the FTC or similar should ban them in the USA. They harm consumers and are 
> a risk to national security / critical infrastructure 
> 
> Noction and similar could have set basic defaults (no-export, only create 
> /25 bogus routes to limit scope), but they have been clear that their greed 
> to suck up traffic does not benefit from these defaults and they wont do 
> it. 

Following a large scale BGP incident in March 2015, noction made it 
possible to optionally set the well-known NO_EXPORT community on route 
advertisements originated by IRP instances. 

"In order to further reduce the likelihood of these problems 
occurring in the future, we will be adding a feature within Noction 
IRP to give an option to tag all the more specific prefixes that it 
generates with the BGP NO_EXPORT community. This will not be enabled 
by default [snip]" 
https://www.noction.com/blog/route-optimizers 
Mar 27, 2015 

Due to NO_EXPORT not being set in the default configuration, there are 
probably if not certainly many unsuspecting network engineers who end up 
deploying this software - without ever even considering - to change that 
one setting in the configuration. 

Fast forward a few years and a few incidents, on the topic of default 
settings, following the Cloudflare/DQE/Verizon incident: 

"We do have no export community support and have done for many 
years. The use of more specifics is also optional. Neither replaces 
the need for filters." 
https://twitter.com/noction/status/1143177562191011840 
Jun 24, 2019 

Community members responded: 

"Noction have been facilitating Internet outages for years and 
years and the best thing they can say in response is that it is 
technically possible to use their product responsibly, they just 
don't ship it that way." 
https://twitter.com/PowerDNS_Bert/status/1143252745257979905 
June 24, 2019 

Last year Noction stated: 

"Nobody found this leak pleasant." 
https://www.noction.com/news/incident-response 
June 26, 2019 

Sentiment we all can agree with, change is needed! 

As far as I know, Noction IRP is the ONLY commercially available 
off-the-shelf BGP route manipulation software which - as default - does 
NOT set the BGP well-known NO_EXPORT community on the product's route 
advertisements. This is a product design decision which causes 
collateral damage. 

I would like to urge Noction to reconsider their position. Seek to 
migrate the existing users to use NO_EXPORT, and release a new version 
of the IRP software which sets NO_EXPORT BY DEFAULT on all generated 
routes. 

Kind regards, 

Job 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200801/f29668b4/attachment.html>


More information about the NANOG mailing list