AS hijacking (Philosophy, rants, GeoMind)
Sriram, Kotikalapudi (Fed)
kotikalapudi.sriram at nist.gov
Thu Jun 18 20:51:02 UTC 2020
>As our canned Email stated, AS2 (and many low digit AS') get hijacked and
>often go on to hijack someone's prefix. AS2 (proper) is rarely changed and
>the chances of an actual prefix hijack from it is extremely low.
>So as I've asked our peers, I'll ask here: What is expected of us to be good
>"Net Citizens" with these hijacks?
Thoughts on AS hijack prevention:
With RPKI-based route origin validation (ROV), it turns out that the incremental solution for prefix hijacking is also an incremental solution for AS hijacking. For example -- assuming Invalid routes will be dropped -- if 70% of the announced prefixes are protected by ROAs, then those 70% of prefixes cannot be hijacked with a hijacked AS. (Note: An exception to this is -- a deliberate hijacker can still perform what is called a forged-origin hijack, i.e., the attacker matches the hijacked prefix with a hijacked AS such that they both belong to the same ROA.) So, the community should keep pushing ahead with ROA and RPKI-based ROV deployments to achieve 100% ROA coverage for announced prefixes and also 100% dropping of Invalid.
The above can also be said about “trusted” IRR-based (or IRR+RPKI based) ROV. However, priority should be given to speeding up the RPKI/ROA deployment towards full adoption.
FYI... Worldwide ROA coverage is currently at 20% for globally routed prefixes.
Security guidance regarding route objects in IRR, ROAs in RPKI, and ROV deployment can be found here:
 “Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation,” NIST Special Publication, NIST SP 800-189, December 2019.
Also, look up:
 MANRS: https://www.manrs.org/
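
An added illustration of the ROV behaviour described in the message above (not part of the original post): an RFC 6811-style origin check with a drop-Invalid policy, run over constructed routes. The ROA, the documentation prefixes and the documentation ASNs are all assumed sample values.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # authorized prefix
    max_length: int   # longest announcement length allowed
    asn: int          # authorized origin AS

# Constructed sample data: documentation prefixes and documentation ASNs.
ROAS = [ROA("192.0.2.0/24", 24, 64500)]
LEGIT_AS, HIJACKED_AS, TRANSIT_AS = 64500, 64511, 64502

def rov_state(prefix: str, as_path: list[int], roas=ROAS) -> str:
    """Return Valid, Invalid or NotFound for a route (RFC 6811 procedure)."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # ROV looks only at the rightmost AS
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True            # at least one ROA covers this prefix
        if roa.asn != 0 and roa.asn == origin and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def accepted(routes):
    """Apply a drop-Invalid policy; Valid and NotFound routes are kept."""
    return [r for r in routes if rov_state(*r) != "Invalid"]

ROUTES = [
    ("192.0.2.0/24", [TRANSIT_AS, LEGIT_AS]),      # legitimate origin
    ("192.0.2.0/24", [TRANSIT_AS, HIJACKED_AS]),   # hijacked AS, ROA-covered prefix
    ("203.0.113.0/24", [TRANSIT_AS, HIJACKED_AS]), # hijacked AS, no ROA for prefix
    ("192.0.2.0/24", [TRANSIT_AS, HIJACKED_AS, LEGIT_AS]),  # path ends in ROA's AS
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, path, rov_state(prefix, path))
```

The second route is dropped because a ROA covers the prefix; the third survives only because no ROA exists for it, and the fourth validates because ROV checks the origin AS alone, which is the forged-origin exception noted in the message.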