AS hijacking (Philosophy, rants, GeoMind)

Thu Jun 18 20:51:02 UTC 2020

Mike,

>As our canned Email stated, AS2 (and many low digit AS') get hijacked and
>often go on to hijack someone's prefix.  AS2 (proper) is rarely changed and
>the chances of an actual prefix hijack from it is extremely low.
>
>So as I've asked our peers, I'll ask here: What is expected of us to be good
>"Net Citizens" with these hijacks?

Thoughts on AS hijack prevention:
With RPKI-based route origin validation (ROV), it turns out that incremental solution for prefix hijacking is also an incremental solution for AS hijacking. For example -- assuming Invalid routes will be dropped -- if 70% of the announced prefixes are protected by ROAs, then those 70% prefixes cannot be hijacked with a hijacked AS. (Note: An exception to this is -- a deliberate hijacker can still perform what is called forged-origin hijack [1], i.e., the attacker matches the hijacked prefix with a hijacked AS such that they both belong to the same ROA.)  So, the community should keep pushing ahead with ROA and RPKI-based ROV deployments to achieve 100% ROA coverage for announced prefixes and also 100% dropping of Invalid. 

The above can also be said about “trusted” IRR-based (or IRR+RPKI based) ROV [1]. However, priority should be given to speedup the RPKI/ROA deployment towards full adoption.

FYI... Worldwide ROA coverage is currently at 20% for globally routed prefixes.
https://rpki-monitor.antd.nist.gov/

Security guidance regarding route objects in IRR, ROAs in RPKI, and ROV deployment can be found here:
[1] “Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation,” NIST Special Publication, NIST SP 800-189, December 2019. 
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf  
Also, look up:
[2] MANRS: https://www.manrs.org/ 

Thank you.

Regards,
Sriram