[arin-ppml] BGP Hijacking Definition

Larry Ash lar at mwtcorp.net
Mon May 6 14:11:37 EDT 2019


On Mon, 6 May 2019 16:40:42 +0000
  Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
> Hi Keith,
> 
> Besides what you wrote (comments in-line), I think we need a very clear definition of what is a private network.
> If an organization is an operator, ISP, or hosting company, the part of their network that carries public traffic is not private.
> For a router, the management interface (if separate) is private, it's likely on a separate VLAN too. But the interfaces that carry traffic from / to customers, subscribers, and hosted services are public.
> 
I am afraid I cannot agree to this definition.
First of all, if traffic is either public or private, saying public traffic cannot
be private isn't very helpful.
Beyond that, we have a bit of a problem in that RFC1918 is so used by customers that you cannot
rely on being able to use it much if you are trying to attach to multiple customers in more than a
trivial way like management interfaces.
There are systems and services that are so sensitive or compromise so costly that it is imperative
that no contact from outside the local ASN be allowed. It becomes a form of Russian roulette to put
a world routable address on them. So we have had to come up with an alternative. Many have resorted
to 30.0.0.0/8 in the voice community since the attacks on voice resources are so heavy and persistent
that a DDoS can result from trying to use packet filters to protect some systems. I would argue that
if a host and the server that provides service to that host are within the same ASN then the network
and its traffic is private.

Michel's definition also has grey areas when it comes to ip-ip tunnels. If tunnel traffic has what we
all would call public traffic, is the tunnel itself public?

Does ARIN or any of the other RIRs really want to get into these kinds of network engineering and
operations debates?

Larry Ash
Mountain West Technologies
> 
>> Keith W. Hare wrote :
>> If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example)
>> within their internal network and filters out all references at the edges of their network so that the general public
>> never sees any references, is that BGP Hijacking? I’m pretty sure we can agree that this is not BGP hijacking.
> 
> If you would add to that that they do not transport any non-organization data over it / be in context with what I wrote above about private network, I would agree.
> I'm not sure there is a name for that, would be a good idea to have one. Loitering?
> 
>> If an organization uses an IPv4 prefix allocated/assigned to some other organization (the DoD 30.0.0.0/8 for example)
>> within their publicly visible network and filters out all references at the edges of their network so that the rest
>> of the internet never sees any references, is that BGP Hijacking? This is an edge case that we need to consider carefully.
> 
> I agree, especially if they transport customer / subscriber data over it. I think we should call that squatting.
> 
>> If Organization A has an agreement/letter of authority to announce addresses that have been allocated/assigned to
>> Organization B, and Organization B wants to replace Organization A with Organization C, but there was some onerous
>> termination clause with Organization A that has not been met so Organization A continues to announce Organization B’s
>> address space, is that BGP Hijacking? To me, this sounds like a contract dispute that depends on the contents of the
>> private contract between A and B.
> 
> Correct. ARIN has allocated addresses to organization B. In that case, org A and org B have to sort out their differences in the legal system.
> However, we have to be careful with similarities with your next point just below. What are the differences between them? The lack of a contract or agreement, or the fact that ARIN does not have access to it? Or some other factor?
> 
>> If an organization A does not have an agreement/letter of authority to announce addresses that have been
>> allocated/assigned to Organization B but does so anyhow and allows that announcement to propagate to the
>> general internet, is that BGP Hijacking? Seems highly likely to be BGP Hijacking.
> 
> I agree. Same as above though, we need a very clear definition of what constitutes not having an agreement or a contract before ARIN can make the determination that it is indeed hijacking.
> 
>> From the outside, how do we know that an agreement/letter of authority does not exist, is invalid, or is forged?
> 
> This is where we have to be very complete, very comprehensive, and as exhaustive as possible.
> 
> 
>> If an organization sets up routing so that all connections from the inside of its network to a particular
>> resource outside of its network go through a particular router/proxy server, is that BGP Hijacking?
> 
> Can you develop this one a little further? Are we talking about traffic engineering / traffic shaping / net neutrality / packet classification / QOS?
> 
> Michel.
> 

Larry Ash
Mountain West Technologies
123 W 1st St.
Casper, WY 82601
Office 307 233-8387


