From paul at redbarn.org Tue Nov 19 18:04:40 2013
From: paul at redbarn.org (Paul Vixie)
Date: Tue, 19 Nov 2013 20:04:40 -0300
Subject: [arin-discuss] on the need for secure BGP routing and ARIN RPKI
Message-ID: <528BEE88.8060909@redbarn.org>

greetings, arin members. as i count down my last months as an arin trustee, i look to the future of our industry. the RIR system (ARIN and its sisters in other regions) has confronted many challenges during my nine years on the ARIN board, including for example the seemingly (yet, not!) intractable problem of how to motivate widespread IPv6 deployment before "final IPv4 runout" forces everyone to make hard choices or to live in triple-NAT ghettos.

yet, one of our most ambitious and worthwhile challenges receives very little discussion. that is: secure BGP routing, for which the RIR system has been working for almost a decade on the enabling technology -- RPKI -- Routing Public Key Infrastructure. briefly, this is a way to bind a crypto-authentic key to blocks of address space, which will ultimately make it possible for network operators to sign their routing announcements and verify the announcements you receive.

today our colleagues at renesys published a report on "man in the middle internet hijacking":

http://www.renesys.com/2013/11/mitm-internet-hijacking/

the key message of this article is this excerpt:

> ... In practical terms, this means that Man-In-the-Middle BGP route
> hijacking has now moved from a theoretical concern to something that
> happens fairly regularly, and the potential for traffic interception
> is very real. ...

i hope i can persuade all of you to read the renesys article cited above, and to investigate ARIN's RPKI project, in which the ARIN Board of Trustees has repeatedly voted to invest the company's technology resources:

https://www.arin.net/resources/rpki/index.html

i don't mean to say that you should stop worrying about IPv4 runout and IPv6 deployment, of course! what i do mean to say is, the Internet's core routing system is not presently a safe neighborhood, and fixing that is vital, and will require everyone's attention and effort.

thanks for listening.

paul vixie, arin trustee, 2005-2013

From morrowc.lists at gmail.com Wed Nov 20 13:52:39 2013
From: morrowc.lists at gmail.com (Christopher Morrow)
Date: Wed, 20 Nov 2013 13:52:39 -0500
Subject: [arin-discuss] on the need for secure BGP routing and ARIN RPKI
In-Reply-To: <528BEE88.8060909@redbarn.org>
References: <528BEE88.8060909@redbarn.org>
Message-ID:

I don't want to deflate the 'do the rpkis!' balloon, but....

On Tue, Nov 19, 2013 at 6:04 PM, Paul Vixie wrote:
> greetings, arin members. as i count down my last months as an arin trustee,
> i look to the future of our industry. the RIR system (ARIN and its sisters
> in other regions) has confronted many challenges during my nine years on the
> ARIN board, including for example the seemingly (yet, not!) intractable
> problem of how to motivate widespread IPv6 deployment before "final IPv4
> runout" forces everyone to make hard choices or to live in triple-NAT
> ghettos.
>
> yet, one of our most ambitious and worthwhile challenges receives very
> little discussion. that is: secure BGP routing, for which the RIR system has
> been working for almost a decade on the enabling technology -- RPKI --
> Routing Public Key Infrastructure. briefly, this is a way to bind a
> crypto-authentic key to blocks of address space, which will ultimately make
> it possible for network operators to sign their routing announcements and
> verify the announcements you receive.
>
> today our colleagues at renesys published a report on "man in the middle
> internet hijacking":
>
> http://www.renesys.com/2013/11/mitm-internet-hijacking/
>
> the key message of this article is this excerpt:
>
> ... In practical terms, this means that Man-In-the-Middle BGP route
> hijacking has now moved from a theoretical concern to something that happens
> fairly regularly, and the potential for traffic interception is very real.
> ...
>

it's not clear at all that this was MITM intentionally.
In fact it sort of looks like (more) operational mistakitude ;( AND
providers NOT route-filtering customers.

A good drum to beat for all customers of ISPs is, I think: "Hey, do
you prefix filter every single downstream customer? If not, why not?"

>
> i hope i can persuade all of you to read the renesys article cited above,
> and to investigate ARIN's RPKI project, in which the ARIN Board of Trustees
> has repeatedly voted to invest the company's technology resources:
>
> https://www.arin.net/resources/rpki/index.html
>

Ideally this helps, once more adoption happens, ISPs to check content
of their favorite IRR and construct better route filters for their
customer bgp sessions. (minus, of course the 'have to click through
webpages to accept the TAL cert... grumble, dead horse beatings,
grumble)

thnx paul!
-chris

From scottleibrand at gmail.com Wed Nov 20 17:35:11 2013
From: scottleibrand at gmail.com (Scott Leibrand)
Date: Wed, 20 Nov 2013 15:35:11 -0700
Subject: [arin-discuss] on the need for secure BGP routing and ARIN RPKI
In-Reply-To:
References: <528BEE88.8060909@redbarn.org>
Message-ID:

And if you're not prefix filtering every single downstream customer for some semi-valid reason, you should *at least* be as-path filtering them. Tier 1 (transit-free) ASNs should never appear in your customers' announcements, and if they do, they indicate a route leak of some sort.

-Scott

On Wed, Nov 20, 2013 at 11:52 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:
> I don't want to deflate the 'do the rpkis!' balloon, but....
>
> On Tue, Nov 19, 2013 at 6:04 PM, Paul Vixie wrote:
> > greetings, arin members. as i count down my last months as an arin trustee,
> > i look to the future of our industry. the RIR system (ARIN and its sisters
> > in other regions) has confronted many challenges during my nine years on the
> > ARIN board, including for example the seemingly (yet, not!) intractable
> > problem of how to motivate widespread IPv6 deployment before "final IPv4
> > runout" forces everyone to make hard choices or to live in triple-NAT
> > ghettos.
> >
> > yet, one of our most ambitious and worthwhile challenges receives very
> > little discussion. that is: secure BGP routing, for which the RIR system has
> > been working for almost a decade on the enabling technology -- RPKI --
> > Routing Public Key Infrastructure. briefly, this is a way to bind a
> > crypto-authentic key to blocks of address space, which will ultimately make
> > it possible for network operators to sign their routing announcements and
> > verify the announcements you receive.
> >
> > today our colleagues at renesys published a report on "man in the middle
> > internet hijacking":
> >
> > http://www.renesys.com/2013/11/mitm-internet-hijacking/
> >
> > the key message of this article is this excerpt:
> >
> > ... In practical terms, this means that Man-In-the-Middle BGP route
> > hijacking has now moved from a theoretical concern to something that happens
> > fairly regularly, and the potential for traffic interception is very real.
> > ...
> >
>
> it's not clear at all that this was MITM intentionally.
> In fact it sort of looks like (more) operational mistakitude ;( AND
> providers NOT route-filtering customers.
>
> A good drum to beat for all customers of ISPs is, I think: "Hey, do
> you prefix filter every single downstream customer? If not, why not?"
>
> >
> > i hope i can persuade all of you to read the renesys article cited above,
> > and to investigate ARIN's RPKI project, in which the ARIN Board of Trustees
> > has repeatedly voted to invest the company's technology resources:
> >
> > https://www.arin.net/resources/rpki/index.html
> >
>
> Ideally this helps, once more adoption happens, ISPs to check content
> of their favorite IRR and construct better route filters for their
> customer bgp sessions. (minus, of course the 'have to click through
> webpages to accept the TAL cert... grumble, dead horse beatings,
> grumble)
>
> thnx paul!
> -chris
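The three mechanisms the thread touches on (Paul's description of RPKI binding address blocks to keys so announcements can be verified, Chris's "do you prefix filter every downstream customer?" and Scott's "transit-free ASNs should never appear in a customer's AS path") can be put together as one policy check on a customer BGP session. The following is an added example written for this archive page; it is not code from the thread, from ARIN or from Renesys. The ROA structure follows RFC 6482 and the valid/invalid/not-found outcome follows the RFC 6811 origin-validation procedure; the ROAs, the customer prefix list and the "transit-free" ASN set are constructed sample data using documentation and private-use ASNs and TEST-NET prefixes, not real registry contents.

```python
"""Customer-session BGP policy check: RPKI origin validation (RFC 6811),
customer prefix-list filtering and transit-free AS-path filtering.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization (RFC 6482): origin_asn may announce
    `prefix` and any more-specific down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int


def _covers(container: str, net) -> bool:
    """True if `net` is equal to or a more-specific of `container`
    (same address family)."""
    outer = ip_network(container)
    return outer.version == net.version and net.subnet_of(outer)


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation.

    'not-found' when no ROA covers the prefix; 'valid' when a covering ROA
    names this origin and the prefix is no longer than its max_length;
    otherwise 'invalid' (wrong origin or too-specific announcement)."""
    net = ip_network(prefix)
    covering = [r for r in roas if _covers(r.prefix, net)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def evaluate_customer_announcement(prefix, as_path, allowed_prefixes,
                                   transit_free_asns, roas):
    """Apply the three checks from the thread to one announcement received
    on a customer session. Returns (decision, reasons, rov_state).

    Policy: reject on RPKI-invalid, on a prefix outside the customer's
    registered list, or on a transit-free ASN anywhere in the AS path.
    RPKI 'not-found' alone is accepted, since most space has no ROA."""
    net = ip_network(prefix)
    origin = as_path[-1]          # rightmost ASN is the origin
    reasons = []

    rov = rov_state(prefix, origin, roas)
    if rov == "invalid":
        reasons.append("rpki-invalid")

    if not any(_covers(p, net) for p in allowed_prefixes):
        reasons.append("prefix-not-in-customer-list")

    # Scott's AS-path check: a transit-free network should never be
    # behind a customer; its presence indicates a route leak.
    leaked = sorted(set(as_path) & set(transit_free_asns))
    if leaked:
        reasons.append("transit-free-asn-in-path:" +
                       ",".join(str(a) for a in leaked))

    return ("reject" if reasons else "accept"), reasons, rov


# Constructed sample data (documentation ASNs 64496-64498, TEST-NET
# prefixes). TRANSIT_FREE_ASNS are private-use placeholders standing in
# for the real transit-free list an operator would maintain.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64496),
    ROA("198.51.100.0/24", 24, 64497),
]
CUSTOMER_PREFIXES = ["192.0.2.0/24", "203.0.113.0/24"]   # from IRR/ROAs
TRANSIT_FREE_ASNS = {64512, 64513}

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496]),             # legitimate customer route
    ("203.0.113.0/25", [64496]),           # more-specific within max_length
    ("203.0.113.128/26", [64496]),         # too specific: /26 > max_length 25
    ("198.51.100.0/24", [64496]),          # someone else's prefix (hijack)
    ("192.0.2.0/24", [64496, 64512, 64498]),  # transit-free ASN in path
    ("10.0.0.0/8", [64496]),               # no ROA, not registered to customer
]


def run_samples():
    """Evaluate every constructed announcement; returns a list of results."""
    return [evaluate_customer_announcement(p, path, CUSTOMER_PREFIXES,
                                           TRANSIT_FREE_ASNS, SAMPLE_ROAS)
            for p, path in SAMPLE_ANNOUNCEMENTS]


if __name__ == "__main__":
    for (p, path), (decision, reasons, rov) in zip(SAMPLE_ANNOUNCEMENTS,
                                                    run_samples()):
        print(f"{p:18} path={path} rov={rov:9} {decision} {reasons}")
```

The separation of the three checks matters operationally: the prefix list is the strongest control and catches the hijack case even where no ROA exists, the AS-path check needs no per-customer data at all and still catches the leak, and origin validation is what the RPKI adds once the customer's ROAs are published. Treating "not-found" as acceptable is the deployment-era compromise; it is the invalid state, not the absence of a ROA, that should drive a reject.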