[arin-ppml] BGP Hijacking Definition

Keith W. Hare Keith at jcc.com
Mon May 6 13:18:36 EDT 2019


Michael,



> If an organization sets up routing so that all connections from the inside of its network to a particular
> resource outside of its network go through a particular router/proxy server, is that BGP Hijacking?



Can you develop this one a little further? Are we talking about traffic engineering / traffic shaping / net neutrality / packet classification / QOS?



Let's look at a simple network example:



A <--> G1 <--> G2 <--> B



G1 and G2 each could be some combination of:

1.  Router
2.  Simple Firewall
3.  Firewall with deep-packet inspection
4.  Proxy Server
5.  Router that records all packets for security audits
6.  Router that records all packets and sends them to a competing organization/nation
7.  Router that adds delays for all packets for a particular



One problem I see with coming to a clear definition of BGP or route hijacking is that the techniques used for network security are not hugely different from the techniques used for malicious activities.



Keith



-----Original Message-----
From: Michel Py [mailto:michel at arneill-py.sacramento.ca.us]
Sent: Monday, May 6, 2019 12:41 PM
To: Keith W. Hare <Keith at jcc.com>; arin-ppml at arin.net
Subject: RE: BGP Hijacking Definition



Hi Keith,



Besides what you wrote (comments in-line), I think we need a very clear definition of what a private network is.

If an organization is an operator, ISP, or hosting company, the part of their network that carries public traffic is not private.

For a router, the management interface (if separate) is private; it's likely on a separate VLAN too. But the interfaces that carry traffic from / to customers, subscribers, and hosted services are public.





> Keith W. Hare wrote:
> If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example)
> within their internal network and filters out all references at the edges of their network so that the general public
> never sees any references, is that BGP Hijacking? I'm pretty sure we can agree that this is not BGP hijacking.



If you would add to that that they do not transport any non-organization data over it / be in context with what I wrote above about private networks, I would agree.

I'm not sure there is a name for that; it would be a good idea to have one. Loitering?



> If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example)
> within their publicly visible network and filters out all references at the edges of their network so that the rest
> of the internet never sees any references, is that BGP Hijacking? This is an edge case that we need to consider carefully.



I agree, especially if they transport customer / subscriber data over it. I think we should call that squatting.



> If Organization A has an agreement/letter of authority to announce addresses that have been allocated/assigned to
> Organization B, and Organization B wants to replace Organization A with Organization C, but there was some onerous
> termination clause with Organization A that has not been met so Organization A continues to announce Organization B's
> address space, is that BGP Hijacking? To me, this sounds like a contract dispute that depends on the contents of the
> private contract between A and B.



Correct. ARIN has allocated addresses to organization B. In that case, org A and org B have to sort out their differences in the legal system.

However, we have to be careful with similarities with your next point just below. What are the differences between them? The lack of a contract or agreement, or the fact that ARIN does not have access to it? Or some other factor?



> If an organization A does not have an agreement/letter of authority to announce addresses that have been
> allocated/assigned to Organization B but does so anyhow and allows that announcement to propagate to the
> general internet, is that BGP Hijacking? Seems highly likely to be BGP Hijacking.



I agree. Same as above though, we need a very clear definition of what constitutes not having an agreement or a contract before ARIN can make the determination that it is indeed hijacking.



> From the outside, how do we know that an agreement/letter of authority does not exist, is invalid, or is forged?



This is where we have to be very complete, very comprehensive, and as exhaustive as possible.





> If an organization sets up routing so that all connections from the inside of its network to a particular
> resource outside of its network go through a particular router/proxy server, is that BGP Hijacking?



Can you develop this one a little further? Are we talking about traffic engineering / traffic shaping / net neutrality / packet classification / QOS?



Michel.

