[arin-ppml] BGP Hijacking Definition

Keith W. Hare Keith at jcc.com
Mon May 6 09:26:05 EDT 2019


ARIN-prop-266 would like to establish that "BGP Hijacking is an ARIN Policy Violation"



The various threads around this proposal have generated a lot of discussion that suggests that many people have a view of what BGP hijacking is, but without clear consensus on the definition, there will be no progress.



Owen Delong described two technical mechanisms used for BGP hijacking:



1. (Easiest and most common) Find a location in the internet where you can inject a route and have it propagate and exploit it.



2. (less common but does happen) Find address space issued to a defunct organization or an organization that does not appear to be actively using it and attempt to steal it from them through the RIR process by creating a new similar looking organization and then attempting to fraudulently "reclaim" the resources.



I think the ARIN policies & practice already handle mechanism 2, so I'm going to ignore that for the moment.



From what I understand, injecting a route someplace could occur in several ways:



1.a. An organization announcing address space to the general internet for which that organization does not have appropriate permission to announce.



1.b. Someone injecting routes to subvert or replace the appropriate routing.



Some questions/scenarios about 1.a.:



If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example) within their internal network and filters out all references at the edges of their network so that the general public never sees any references, is that BGP Hijacking? I'm pretty sure we can agree that this is not BGP hijacking.



If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example) within their publicly visible network and filters out all references at the edges of their network so that the rest of the internet never sees any references, is that BGP Hijacking? This is an edge case that we need to consider carefully.



If Organization A has an agreement/letter of authority to announce addresses that have been allocated/assigned to Organization B, and Organization B wants to replace Organization A with Organization C, but there was some onerous termination clause with Organization A that has not been met so Organization A continues to announce Organization B's address space, is that BGP Hijacking? To me, this sounds like a contract dispute that depends on the contents of the private contract between A and B.



If an organization A does not have an agreement/letter of authority to announce addresses that have been allocated/assigned to Organization B but does so anyhow and allows that announcement to propagate to the general internet, is that BGP Hijacking? Seems highly likely to be BGP Hijacking. From the outside, how do we know that an agreement/letter of authority does not exist, is invalid, or is forged?



If an organization sets up routing so that all connections from the inside of its network to a particular resource outside of its network go through a particular router/proxy server, is that BGP Hijacking?





Keith
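The scenarios under 1.a above (a prefix originated by an organization without authority, and the question of how anyone "from the outside" can tell) are what RPKI Route Origin Validation (RFC 6811) makes observable to an operator. The following is an added example, not code from the original post or from ARIN: a Python implementation of the three ROV states run over constructed ROAs and announcements; the prefixes (RFC 5737 documentation space) and ASNs (private range) are illustrative assumptions, not real allocations.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum

class Validity(Enum):
    VALID = "valid"          # a covering ROA authorizes this origin at this length
    INVALID = "invalid"      # covering ROAs exist, but none authorize this origin/length
    NOT_FOUND = "not-found"  # no ROA covers the prefix: RPKI is silent, as with an unseen LoA

@dataclass(frozen=True)
class Roa:
    prefix: object     # an ipaddress IPv4Network or IPv6Network
    max_length: int    # longest announced prefix length the holder authorizes
    asn: int           # origin ASN authorized to announce it

def validate_origin(roas, prefix_str, origin_asn):
    """Classify one (prefix, origin ASN) pair per RFC 6811 section 2."""
    announced = ipaddress.ip_network(prefix_str, strict=True)
    # A ROA covers the announcement when the announced prefix lies inside the ROA prefix.
    covering = [r for r in roas
                if r.prefix.version == announced.version and announced.subnet_of(r.prefix)]
    if not covering:
        return Validity.NOT_FOUND
    for r in covering:
        if r.asn == origin_asn and announced.prefixlen <= r.max_length:
            return Validity.VALID
    return Validity.INVALID

def validate_feed(roas, announcements):
    """Run ROV over (prefix, origin ASN) pairs as seen at a public route collector."""
    return {(p, asn): validate_origin(roas, p, asn) for p, asn in announcements}

# Constructed sample data (documentation prefixes and private ASNs, not real allocations).
SAMPLE_ROAS = [
    Roa(ipaddress.ip_network("192.0.2.0/24"), 24, 64500),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),      # the resource holder's own announcement
    ("192.0.2.0/25", 64500),      # holder, but more specific than maxLength permits
    ("198.51.100.0/24", 64666),   # scenario 1.a: another ASN originates B's space
    ("203.0.113.0/24", 64666),    # no ROA at all: ROV cannot say whether an LoA exists
]

if __name__ == "__main__":
    for (prefix, asn), state in validate_feed(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS).items():
        print(f"{prefix:>18} origin AS{asn}: {state.value}")
```

The internally used prefix from the first scenario never reaches a collector, so ROV never evaluates it; the not-found state is the honest answer to the letter-of-authority question, since a ROA only proves what the holder has published.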

