[arin-ppml] Draft Policy ARIN-2014-12: Anti-hijack Policy

George Herbert george.herbert at gmail.com
Fri Mar 28 22:15:35 EDT 2014


Having had time now to catch up on the background by watching the recording
of the presentation and Heather's detailed objections -

I support the policy change as written.

Further, I believe it was somewhat irresponsible for ARIN and the other
RIRs to have issued these LOAs without having consulted the community
beforehand, and would like to hear why and under what detailed
justification it was done.  That it was technically in compliance with 11.7
as it stands today seems operationally unwise.

I would have liked to have had ARIN et al push back and do a pre-issuing
public commentary period.  Further, I am concerned that Merit's upstreams
accepted the LOAs without asking about a public commentary.

Frankly, given the prosecutions of individuals for various IP attacks in V4
space, did you even get attorneys to check as to whether this might
approach criminal behavior, much less operationally unwise?  Merit and even
ARIN seem to have been potentially exposed to both civil and criminal
liability over this.

There seems to have been an undercurrent of "But Geoff's been doing this
with APNIC forever..." justifying it being reasonable to do to the rest of
us.  What was acceptable there is not by extension acceptable everywhere,
though it does suggest that further research over there was probably more
acceptable than the equivalents in ARIN and other space.




On Fri, Mar 28, 2014 at 6:09 PM, George Herbert <george.herbert at gmail.com> wrote:

> However, reading the paper, the "AR" (allocated+routed) traffic they
> received, 35% or so, covered traffic which theoretically should have been
> routed more specifically but their covering prefix effectively captured
> instead.
>
> I.e., oops.
>
> One can presume that this traffic that showed at least mid-stream sessions
> (and not SYNs) was for prefixes where "upstreams" had a more-specific route
> that hadn't propagated down to Merit's direct upstreams, for some reason.
>  88% of the total traffic (if I read it right) was SYN (12%) or SYNACK
> (76%) in the 3-month dataset, mostly on ports 80 and 443.  I.e., valid
> destination webserver trying to establish the handshake unable to find a
> route back to a (theoretically properly allocated and routed) source.
>
> At the very least this raises a question as to whether it's wise to allow
> such experiments, where a significant amount of apparently valid traffic
> (allocated, and for which routing info was identified in further research)
> gets effectively MITMed as it flows.
>
> That may not have been the intention; the theory that "oh, more specific
> will just override our research announcement" is colorable.  But the actual
> data shows the assumption fails; they did intercept a lot of legit (or
> apparently legit) traffic.  Hence, oops, and perhaps we should not let this
> happen again.
>
>
>
> On Fri, Mar 28, 2014 at 10:05 AM, David Farmer <farmer at umn.edu> wrote:
>
>> On 3/28/14, 11:57 , Bill Buhler wrote:
>>
>>> So if my understanding is correct, they basically performed a routing
>>> man in the middle attack on live IPv6 prefixes. Pardon my understanding
>>> level, but how did they keep from creating routing loops and service
>>> interruptions. I'm also a little concerned about performance and link
>>> loads. Are my concerns legitimate and in line?
>>>
>>> Thanks,
>>>
>>> --Bill
>>>
>>
>> This absolutely WAS NOT an attack.  They announced a covering prefix,
>> only traffic with no more specific route would follow this route.  Think
>> more specific default route.
>>
>>
>>
>> --
>> ================================================
>> David Farmer               Email: farmer at umn.edu
>> Office of Information Technology
>> University of Minnesota
>> 2218 University Ave SE     Phone: 1-612-626-0815
>> Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
>> ================================================
>>
>
>
>
> --
> -george william herbert
> george.herbert at gmail.com
>



-- 
-george william herbert
george.herbert at gmail.com
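
The routing behaviour debated in this thread, shown as an added illustration that is not part of any poster's message: longest-prefix match sends traffic to a covering announcement only where a router lacks a more-specific route, so a router with an incomplete view hands over traffic for an allocated, routed prefix. All prefixes, origin labels and addresses are constructed, using the IPv6 documentation range 2001:db8::/32.

```python
import ipaddress

def build_table(routes):
    """Turn (prefix, origin) pairs into a {network: origin} routing view."""
    return {ipaddress.ip_network(p): origin for p, origin in routes}

def best_route(table, dst):
    """Longest-prefix match: most specific (network, origin) covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, origin) for net, origin in table.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def captured_by(table, covering, destinations):
    """Destinations whose best route in this view is the covering prefix itself."""
    cov = ipaddress.ip_network(covering)
    hits = []
    for dst in destinations:
        route = best_route(table, dst)
        if route is not None and route[0] == cov:
            hits.append(dst)
    return hits

# Constructed sample data (assumptions, not taken from the paper or the thread).
COVERING = "2001:db8::/32"          # the research covering announcement
FULL_VIEW = build_table([           # router that has every more-specific
    (COVERING, "research"),
    ("2001:db8:a::/48", "site-a"),
    ("2001:db8:b::/48", "site-b"),
])
PARTIAL_VIEW = build_table([        # router where site-b's /48 never propagated
    (COVERING, "research"),
    ("2001:db8:a::/48", "site-a"),
])
DESTINATIONS = [
    "2001:db8:a::10",               # allocated and routed (site-a)
    "2001:db8:b::10",               # allocated and routed (site-b)
    "2001:db8:ffff::1",             # no more-specific anywhere
]

if __name__ == "__main__":
    for name, view in (("full", FULL_VIEW), ("partial", PARTIAL_VIEW)):
        print(name, "view sends to covering prefix:",
              captured_by(view, COVERING, DESTINATIONS))
```

Comparing the two views per destination is also a practical check for operators: any address that resolves to the covering prefix in one view and to a more-specific in another marks a propagation gap.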

