[arin-ppml] Draft Policy ARIN-2014-12: Anti-hijack Policy

Heather Schiller heather.skanks at gmail.com
Sat Mar 29 15:12:25 EDT 2014


I strongly disagree with the comments that indicate this is not a problem
because in use prefixes will have a more specific.  That is true, only
until they don't have a more specific.  Until an outage causes the more
specific prefix to be withdrawn or improperly propagated or filtered.  This
is one of the things that Merit measured!  This caused Merit to be able to
intercept production traffic.  There is a lot more production IPv6 traffic
online now, then there was when Geoff ran this experiment in April 2012.
 Geoff's experiment in April 2012 occurred before World IPv6 Launch in June
2012, the day when many companies permanently enabled v6 for their web
services and several providers permanently enabled IPv6 for their
customers.  By the time Merit did their experiment, IPv6 was no longer an
experiment.  Real networks carry real traffic for real customers.  What
would you think if it had been an IPv4 /8 instead of an IPv6 /12?  What if
that v4 /8 covered your allocation?  Would you want to rely on not having
an outage to ensure that your traffic wouldn't be intercepted?

This policy is intended to preclude ARIN from issuing a broad LOA for
research, that covers actively assigned prefixes and so that ARIN can't
silently issue an LOA without the assignment being publicly registered.
 This policy is not intended to preclude individuals from issuing LOA for
their own prefixes.

In addition to ARIN having issued an LOA for this /12, there was no
followup to ensure the route was withdrawn when the terms of the LOA ended
(December 31, 2013)   Merit was still announcing, and their upstreams still
propagating, this prefix, at the time of the Nanog meeting in February.
 There is also the failure of all parties to ensure the prefix was
withdrawn at the agreed upon time.


--Heather


On Fri, Mar 28, 2014 at 10:20 PM, Jimmy Hess <mysidia at gmail.com> wrote:

> On Fri, Mar 28, 2014 at 12:30 PM, Morizot Timothy S <
> Timothy.S.Morizot at irs.gov> wrote:
>
>>  Not really. The only traffic that would have gone to them would have
>> been traffic not covered by a more specific route.
>>
>
> Even so...  the  /12  blocks or other covering aggregats are specifically
> not for ARIN's internal use  ---  ARIN  is entrusted with stewardship to
> manage allocation,  and  ARIN has no authority to  co-opt  or use the
> blocks for its own purposes  or to be writing any LOA  for announcements
> covering aggregates  for these blocks which are registered to other
> organizations,
>
> And which improper announcements can break the default route for BGP
> speakers carrying partial tables (filtered by length) and which may cause
> other unwanted and damaging affects.
>
>  --
> -JH
>
> _______________________________________________
> PPML
> You are receiving this message because you are subscribed to
> the ARIN Public Policy Mailing List (ARIN-PPML at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> http://lists.arin.net/mailman/listinfo/arin-ppml
> Please contact info at arin.net if you experience any issues.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20140329/2f85ae08/attachment-0001.html>


More information about the ARIN-PPML mailing list