[arin-ppml] Draft Policy ARIN-2014-12: Anti-hijack Policy
George Herbert
george.herbert at gmail.com
Fri Mar 28 21:09:15 EDT 2014
However, reading the paper, the "AR" (allocated+routed) traffic they
received, 35% or so, covered traffic which theoretically should have been
routed more specifically but their covering prefix effectively captured
instead.
I.e., oops.
One can presume that this traffic that showed at least mid-stream sessions
(and not SYNs) was for prefixes where "upstreams" had a more-specific route
that hadn't propagated down to Merit's direct upstreams, for some reason.
88% of the total traffic (if I read it right) was SYN (12%) or SYNACK
(76%) in the 3-month dataset, mostly on ports 80 and 443. I.e., valid
destination webserver trying to establish the handshake unable to find a
route back to a (theoretically properly allocated and routed) source.
At the very least this raises a question as to whether it's wise to allow
such experiments, where a significant amount of apparently valid traffic
(allocated, and for which routing info was identified in further research)
gets effectively MITMed as it flows.
That may not have been the intention; the theory that "oh, more specific
will just override our research announcement" is colorable. But the actual
data shows the assumption fails; they did intercept a lot of legit (or
apparently legit) traffic. Hence, oops, and perhaps we should not let this
happen again.
On Fri, Mar 28, 2014 at 10:05 AM, David Farmer <farmer at umn.edu> wrote:
> On 3/28/14, 11:57 , Bill Buhler wrote:
>
>> So if my understanding is correct, they basically performed a routing
>> man in the middle attack on live IPv6 prefixes. Pardon my understanding
>> level, but how did they keep from creating routing loops and service
>> interruptions? I'm also a little concerned about performance and link
>> loads. Are my concerns legitimate and in line?
>>
>> Thanks,
>>
>> --Bill
>>
>
> This absolutely WAS NOT an attack. They announced a covering prefix, only
> traffic with no more specific route would follow this route. Think more
> specific default route.
>
>
>
> --
> ================================================
> David Farmer Email: farmer at umn.edu
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 1-612-626-0815
> Minneapolis, MN 55414-3029 Cell: 1-612-812-9952
> ================================================
>
--
-george william herbert
george.herbert at gmail.com
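
An added illustration, not part of the original message or of the paper it discusses, of the longest-prefix-match behaviour this thread turns on: a router that never received a more-specific route hands that traffic to the covering announcement. The prefixes come from the IPv6 documentation range and the next-hop names and both routing tables are constructed for the example.

```python
import ipaddress

def make_rib(routes):
    """Build {network: next_hop} from (prefix string, next_hop) pairs."""
    return {ipaddress.ip_network(p): nh for p, nh in routes}

def best_route(rib, dst):
    """Longest-prefix match: (network, next_hop) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in rib.items() if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None

def captured_by_covering(rib, covering, allocated):
    """Allocated prefixes whose traffic this router hands to the covering
    announcement because it holds no more-specific route for them.
    Simplification: only the first address of each prefix is probed."""
    exposed = []
    for prefix in allocated:
        if not prefix.subnet_of(covering):
            continue
        hit = best_route(rib, str(prefix.network_address))
        if hit is not None and hit[0] == covering:
            exposed.append(prefix)
    return exposed

# Constructed sample data (documentation prefixes, hypothetical next hops).
COVERING = ipaddress.ip_network("2001:db8::/32")
ALLOCATED = [ipaddress.ip_network("2001:db8:a::/48"),
             ipaddress.ip_network("2001:db8:b::/48")]

# A router that has heard both more-specifics.
FULL_RIB = make_rib([("2001:db8::/32", "research-collector"),
                     ("2001:db8:a::/48", "origin-a"),
                     ("2001:db8:b::/48", "origin-b")])

# A router where the route for 2001:db8:b::/48 never propagated.
PARTIAL_RIB = make_rib([("2001:db8::/32", "research-collector"),
                        ("2001:db8:a::/48", "origin-a")])

if __name__ == "__main__":
    for name, rib in (("full", FULL_RIB), ("partial", PARTIAL_RIB)):
        net, nh = best_route(rib, "2001:db8:b::1")
        print(f"{name}: 2001:db8:b::1 -> {nh} via {net}")
        print(f"{name}: captured =",
              [str(p) for p in captured_by_covering(rib, COVERING, ALLOCATED)])
```

Run against a real table export, the same check lists which allocated prefixes depend on a more-specific route that a given vantage point does not actually hold.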