[arin-ppml] Draft Policy ARIN-2014-12: Anti-hijack Policy

George Herbert george.herbert at gmail.com
Fri Mar 28 21:09:15 EDT 2014 

However, reading the paper, the "AR" (allocated+routed) traffic they
received, 35% or so, covered traffic which theoretically should have been
routed more specifically but their covering prefix effectively captured
instead.

I.e., oops.

One can presume that this traffic that showed at least mid-stream sessions
(and not SYNs) was for prefixes where "upstreams" had a more-specific route
that hadn't propagated down to Merit's direct upstreams, for some reason.
 88% of the total traffic (if I read it right) was SYN (12%) or SYNACK
(76%) in the 3-month dataset, mostly on ports 80 and 443.  I.e., valid
destination webserver trying to establish the handshake unable to find a
route back to a (theoretically properly allocated and routed) source.

At the very least this raises a question as to whether it's wise to allow
such experiments, where a significant amount of apparently valid traffic
(allocated, and for which routing info was identified in further research)
gets effectively MITMed as it flows.

That may not have been the intention; the theory that "oh, more specific
will just override our research announcement" is colorable.  But the actual
data shows the assumptions fails; they did intercept a lot of legit (or
apparently legit) traffic.  Hence, oops, and perhaps we should not let this
happen again.



On Fri, Mar 28, 2014 at 10:05 AM, David Farmer <farmer at umn.edu> wrote:

> On 3/28/14, 11:57 , Bill Buhler wrote:
>
>> So if my understanding is correct, they basically performed a routing
>> man in the middle attack on live IPv6 prefixes. Pardon my understanding
>> level, but how did they keep from creating routing loops and service
>> interruptions. I'm also a little concerned about performance and link
>> loads. Are my concerns legitimate and inline?
>>
>> Thanks,
>>
>> --Bill
>>
>
> This absolutely WAS NOT an attack.  They announced a covering prefix, only
> traffic with no more specific route would follow this route.  Think more
> specific default route.
>
>
>
> --
> ================================================
> David Farmer               Email: farmer at umn.edu
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE     Phone: 1-612-626-0815
> Minneapolis, MN 55414-3029  Cell: 1-612-812-9952
> ================================================
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>



-- 
-george william herbert
george.herbert at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20140328/79e9e874/attachment.htm>

More information about the ARIN-PPML mailing list