"Tactical" /24 announcements

Amir Herzberg amir.lists at gmail.com
Mon Aug 9 19:55:08 UTC 2021


Bill said,

> > Is this seen as route table pollution, or a necessary evil in today's
> world?
>
> Pollution. And it won't save you from a hijack either, since your
> adversary's /24 routes will compete and win for at least part of the
> Internet.
>

I agree, of course, that moving to announce every /24 would pollute the
net. Note that if you use ROAs, you'll also have to make corresponding /24
ROAs, and I don't know if this won't have problematic impact also on the
RPKI infrastructure. Not good.

But:
- assuming the /24 will have a proper ROA, and ROV is reasonably deployed,
this _would_ protect most of the traffic sent to the /24 from a hijacker
announcing the /24 (and even more if the hijack is of a shorter prefix, of course).
- As long as ROV isn't _very_ widely deployed, it would often fail to
protect against the hijack without such measure (competing /24), so this
will remain necessary (if you wish to prevent hijack).

We've done some relevant simulations, as well as proposed a simple
extension to ROV, called ROV++, which protects against such sub-prefix
hijacks without requiring a competing /24 announcement, and is effective already
with modest adoption (of ROV++) by BGP routers. (Should also be assisted by
mixed ROV / ROV++ adoption, but we didn't do these simulations yet.)

See at:
https://www.ndss-symposium.org/ndss-paper/rov-improved-deployable-defense-against-bgp-hijacking/

tl;dr: ROV++ routers would blackhole subprefix traffic rather than send
it on a route which would be hijacked (i.e., if the route is to a neighbor
AS that announced the legit prefix _and_ the hijacked subprefix). Simple.

[and no, I'm not happy with the resulting disconnections. But it's better
than a hijack, imho]

best, Amir
-- 
Amir Herzberg

Comcast professor of Security Innovations, Computer Science and
Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures:
 https://sites.google.com/site/amirherzberg/applied-crypto-textbook
On Mon, Aug 9, 2021 at 12:10 PM William Herrin <bill at herrin.us> wrote:

> On Mon, Aug 9, 2021 at 8:48 AM Billy Croan <BCroan at unrealservers.net>
> wrote:
> > How does the community feel about using /24 originations in BGP as a
> > tactical advantage against potential bgp hijackers?
> > How many routers out there today would be affected if everyone did this?
>
> Hi Billy,
>
> I did some math on this years ago and it worked out to about 8.5
> million IPv4 routes. That's 10 times the current table size, more than
> any big-iron router can handle today. If everybody did it, it'd crash
> the Internet.
>
> > Is this seen as route table pollution, or a necessary evil in today's
> world?
>
> Pollution. And it won't save you from a hijack either, since your
> adversary's /24 routes will compete and win for at least part of the
> Internet.
>
> > Are there any big networks that drop or penalize announcements like this?
>
> Not in an automated way. Which is bad news for you if you do this
> because it means getting folks to -undo- the restrictions they
> manually enforce on your specific address space is nearly impossible.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>
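The decision Amir describes, as an added toy model (not code from the thread or from the ROV++ paper): a router holding one ROA receives, from the same neighbor, the legitimate covering prefix and a ROA-invalid sub-prefix. Plain ROV drops the invalid route but then forwards sub-prefix traffic along the covering route to that same neighbor, while ROV++ installs a blackhole for the sub-prefix instead. All prefixes, AS numbers and neighbor names are constructed.

```python
import ipaddress

# Constructed sample data: one ROA for the victim's /16 (maxLength 16, so no
# /24 ROAs exist), and a neighbor carrying both the legitimate /16 and a
# hijacked /24 beneath it.
ROAS = [("10.0.0.0/16", 16, 64500)]            # (prefix, maxLength, origin AS)
ANNOUNCEMENTS = [                               # (neighbor, prefix, origin AS)
    ("neighbor-A", "10.0.0.0/16", 64500),       # legitimate, ROA-valid
    ("neighbor-A", "10.0.1.0/24", 64666),       # sub-prefix hijack, ROA-invalid
]

def rov_state(prefix, origin):
    """Return 'valid', 'invalid' or 'unknown' per RFC 6811 origin validation."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in ROAS:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if roa_asn == origin and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"

def build_fib(rov_plus_plus):
    """Install non-invalid routes. With ROV++, an invalid sub-prefix whose
    covering route points at the same neighbor gets a blackhole entry instead
    of silently inheriting that covering route."""
    fib = {}
    for neighbor, prefix, origin in ANNOUNCEMENTS:
        if rov_state(prefix, origin) != "invalid":
            fib.setdefault(ipaddress.ip_network(prefix), neighbor)
    if rov_plus_plus:
        for neighbor, prefix, origin in ANNOUNCEMENTS:
            net = ipaddress.ip_network(prefix)
            if net in fib or rov_state(prefix, origin) != "invalid":
                continue  # a valid competing route for this exact prefix wins
            if any(net.subnet_of(cov) and nh == neighbor for cov, nh in fib.items()):
                fib[net] = "blackhole"
    return fib

def next_hop(fib, dst):
    """Longest-prefix match, as the forwarding plane would do."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in fib if addr in n]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else "no route"
```

Traffic to an address outside the hijacked /24 still follows the legitimate /16 under both policies; only the sub-prefix is disconnected rather than delivered to the hijacker's path.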