[arin-discuss] on the need for secure BGP routing and ARIN RPKI

Scott Leibrand scottleibrand at gmail.com
Wed Nov 20 17:35:11 EST 2013


And if you're not prefix filtering every single downstream customer for
some semi-valid reason, you should *at least* be as-path filtering them.
Tier 1 (transit-free) ASNs should never appear in your customers'
announcements, and if they do, they indicate a route leak of some sort.

-Scott


On Wed, Nov 20, 2013 at 11:52 AM, Christopher Morrow <morrowc.lists at gmail.com> wrote:

> I don't want to deflate the 'do the rpkis!' balloon, but....
>
> On Tue, Nov 19, 2013 at 6:04 PM, Paul Vixie <paul at redbarn.org> wrote:
> > greetings, arin members. as i count down my last months as an arin
> trustee,
> > i look to the future of our industry. the RIR system (ARIN and its
> sisters
> > in other regions) has confronted many challenges during my nine years on
> the
> > ARIN board, including for example the seemingly (yet, not!) intractable
> > problem of how to motivate wide spread IPv6 deployment before "final IPv4
> > runout" forces everyone to make hard choices or to live in triple-NAT
> > ghettos.
> >
> > yet, one of our most ambitious and worthwhile challenges receives very
> > little discussion. that is: secure BGP routing, for which the RIR system
> has
> > been working for almost a decade on the enabling technology -- RPKI --
> > Routing Public Key Infrastructure. briefly, this is a way to bind a
> > crypto-authentic key to blocks of address space, which will ultimately
> make
> > it possible for network operators to sign their routing announcements and
> > verify the announcements you receive.
> >
> > today our colleagues at renesys published a report on "man in the middle
> > internet hijacking":
> >
> > http://www.renesys.com/2013/11/mitm-internet-hijacking/
> >
> > the key message of this article is this excerpt:
> >
> > ... In practical terms, this means that Man-In-the-Middle BGP route
> > hijacking has now moved from a theoretical concern to something that
> happens
> > fairly regularly, and the potential for traffic interception is very
> real.
> > ...
> >
>
> it's not clear at all that this was MITM intentionally.
> In fact it sort of looks like (more) operational mistakitude ;( AND
> providers NOT route-filtering customers.
>
> A good drum to beat for all customers of ISPs is, I think: "Hey, do
> you prefix filter every single downstream customer? If not, why not?"
>
> >
> > i hope i can persuade all of you to read the renesys article cited above,
> > and to investigate ARIN's RPKI project, in which the ARIN Board of
> Trustees
> > has repeatedly voted to invest the company's technology resources:
> >
> > https://www.arin.net/resources/rpki/index.html
> >
>
> Ideally this helps, once more adoption happens, ISPs to check content
> of their favorite IRR and construct better route filters for their
> customer bgp sessions. (minus, of course the 'have to click through
> webpages to accept the TAL cert... grumble, dead horse beatings,
> grumble)
>
> thnx paul!
> -chris
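The two checks discussed in the thread (prefix-filter every customer session where you can; at minimum reject any customer path carrying a transit-free ASN) written out as an import policy evaluator. This is an added example, not code from the list, from ARIN or from anyone posting in the thread. The TIER1_ASNS set is an illustrative assumption (every operator keeps its own), and the customer ASNs, prefixes and announcements are constructed sample data using RFC 5398 / RFC 5737 documentation ranges.

```python
"""Customer-facing BGP import policy: prefix filter where a list exists,
AS_PATH filter against transit-free ("Tier 1") ASNs always.

Added example for the arin-discuss thread, not from the thread itself.
ASN list and sample announcements are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# ASNs widely treated as transit-free around 2013.  Assumption for
# illustration only: an operator maintains and reviews its own list.
TIER1_ASNS = frozenset({174, 209, 701, 1239, 1299, 2914, 3257, 3320,
                        3356, 3549, 6453, 6461, 6762, 7018})


@dataclass(frozen=True)
class Announcement:
    prefix: str
    # Leftmost hop is the customer ASN (our neighbour), rightmost the origin.
    # AS_SET and confederation segments are out of scope for this example.
    as_path: Tuple[int, ...]


@dataclass(frozen=True)
class CustomerPolicy:
    asn: int
    # prefix -> maximum accepted prefix length, as built from the IRR or from
    # RPKI ROAs.  None models the customer we could not prefix-filter.
    prefix_list: Optional[Dict[str, int]]


def prefix_permitted(prefix: str, prefix_list: Dict[str, int]) -> bool:
    """True if prefix lies inside a list entry and is no longer than its max length."""
    net = ipaddress.ip_network(prefix, strict=True)
    for entry, max_len in prefix_list.items():
        cover = ipaddress.ip_network(entry, strict=True)
        if (net.version == cover.version and net.subnet_of(cover)
                and net.prefixlen <= max_len):
            return True
    return False


def evaluate(ann: Announcement, policy: CustomerPolicy,
             tier1=TIER1_ASNS) -> Tuple[bool, str]:
    """Return (accept, reason) for one announcement heard on a customer session."""
    path = ann.as_path
    if not path or path[0] != policy.asn:
        return False, f"AS_PATH {path} does not start with customer ASN {policy.asn}"
    # AS_PATH filter.  A transit-free network has no upstream, so it can only
    # show up in a customer's path if the customer re-announces routes learned
    # from elsewhere.  Needs no per-customer data, so it applies even when no
    # prefix list could be built.
    leaked = sorted(a for a in set(path) if a in tier1)
    if leaked:
        return False, f"transit-free ASN(s) {leaked} in customer AS_PATH {path}: route leak"
    # Prefix filter: the stronger check, applied wherever we have the data.
    if policy.prefix_list is not None and not prefix_permitted(ann.prefix, policy.prefix_list):
        return False, f"{ann.prefix} is not in the prefix list for AS{policy.asn}"
    return True, "accept"


def filter_session(anns: List[Announcement],
                   policy: CustomerPolicy) -> List[Tuple[str, bool, str]]:
    """Evaluate every announcement on a session; returns (prefix, accept, reason) rows."""
    return [(a.prefix, *evaluate(a, policy)) for a in anns]


# Constructed sample data: documentation ASNs (RFC 5398) and prefixes (RFC 5737).
CUSTOMER_A = CustomerPolicy(asn=64496,
                            prefix_list={"192.0.2.0/24": 24, "198.51.100.0/24": 25})
CUSTOMER_B = CustomerPolicy(asn=64497, prefix_list=None)  # the "semi-valid reason" case

SAMPLE_A = [
    Announcement("192.0.2.0/24", (64496,)),                # own prefix: accept
    Announcement("192.0.2.128/25", (64496,)),              # more specific than allowed: reject
    Announcement("198.51.100.0/25", (64496,)),             # within max length: accept
    Announcement("203.0.113.0/24", (64496, 3356, 64500)),  # leak via a transit-free ASN: reject
    Announcement("203.0.113.0/24", (64498, 64496)),        # wrong first hop: reject
]

if __name__ == "__main__":
    for prefix, ok, why in filter_session(SAMPLE_A, CUSTOMER_A):
        print(f"{'ACCEPT' if ok else 'REJECT'} {prefix:18} {why}")
    # Customer without a prefix list: only the AS_PATH filter stands between
    # us and a leak, which is exactly the fallback the thread argues for.
    print(evaluate(Announcement("203.0.113.0/24", (64497, 1299, 64501)), CUSTOMER_B))
```

Note the order of the checks: the AS_PATH test runs before the prefix list is consulted, so a customer session configured with `prefix_list=None` still drops anything carrying a transit-free ASN. On a real router this is the equivalent of attaching a deny as-path access-list to every customer's inbound policy in addition to (not instead of) the per-customer prefix list; neither replaces RPKI origin validation, which addresses a different question (who may originate the prefix) than the one a leak poses (who may carry it).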


More information about the ARIN-discuss mailing list