[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Michel Py michel at arneill-py.sacramento.ca.us
Wed May 8 01:03:51 EDT 2019


Hi Owen,

<disclaimer>
Owen and I have been interacting for decades and we have met in person.
We have radically opposed opinions on some heavy topics that I will not mention here.
Although it was private, I have admitted publicly that Owen is the only person
who proved me wrong in the matter of public policy. I respect that.
For the other undisclosed topics, _I_ am right and _HE_ is wrong, of course.
</disclaimer>

> Owen DeLong wrote:
> A fly swat is not the right tool to drive a nail and will not work

Well stated.

> Let me take a stab...

Allow me to be the devil's advocate. You of all people would admit that I'm good at it ;-)
Let's call this academic.

> BGP Hijacking is the BGP origination of a prefix by someone other than the RIR registrant
> (if any) who does so without the express permission of the registrant or beyond the term
> of such permission by registrant.

Sounds right to me; maybe too broad in some corner cases.


>> - Squatting.
>> - Loitering.

> I’m not sure I agree that these are not hijacking.

You are not the only one (that includes me; I started this by asking what we do for people who hijack DoD prefixes, while squatting would be more precise).

Please allow me to remind (not you but other readers) that, after this very interesting academic discussion ends, ARIN has even fewer options to deal with these than for what we agree is hijacking, which means zero minus zero divided by zero.

I think that Loitering is not, as it often does not involve BGP but rather an IGP such as ISIS, OSPF, or EIGRP.
(I have a couple of cases on tap). I understand that this is playing with words, because the prefix is in use without the express permission of the registrant, but this technically is not BGP origination.
Typical use case: business reorganization (split) that has left a part using prefixes that the other part has not transferred. Renumbering is out of the picture, so one loiters.

As for Squatting, I would agree that it often is BGP origination, but then one could argue that iBGP and eBGP are not the same thing.
They are not, actually; for example, eBGP does not require a full-mesh or route reflectors, while iBGP does.
The Cisco administrative distance is 20 for eBGP and 200 for iBGP. https://learningnetwork.cisco.com/thread/25632
Look at the link above, it's not the same protocol.

Being the devil, I argue that if the correct route-maps and prefix-lists are in place, iBGP is my own business and that hijacking applies only to eBGP.

Typical use case: large org that has outgrown 10/8 and squats an un-announced DoD prefix.
They know it's dumb, but IPv6 does not cut it either. They pick the lesser of two evils.
Regardless of the technical difficulties, it would have been nice to have 240/4.

Trying to be fair, I think that the difference between Squatting and Loitering should be tied to being a service provider and carrying public / customer / subscriber traffic over the squatted prefix(es). I think service providers should have a different set of expectations than end customers. My $0.02.


>> - Some forms of DDOS mitigation.
>> - Leasing (same as DDOS mitigation, it's technically hijacking with permission).

> Presumably these involve permission of the registrant and are therefore 

Trying to second-guess the end of your sentence: and therefore are not hijacking.
I agree, but as mentioned earlier this is a typical contractual dispute : he said, she said.
How could we know, from the outside?


>> - Traffic Engineering.
>> - Traffic Shaping.

> Presumably these do not involve BGP origination of the prefix in question except in the case of TE by the prefix owner.

Agreed, but the question was asked very recently.


>> - Interception (lawful and not).

> Well, I can see how we might say that lawful intercept is not hijacking (I’m not sure I agree
> 100%), but how would non-lawful intercept through route origination be classified as not hijacking?

It would not, but for the sake of clarity it probably is an unusual form of interception; in my realm, it's done by spanning a port, fiber taps, sending the USS Jimmy Carter on the ocean floor to sniff Russian cables, and other methods that are possibly more physically intrusive than hijacking but logically less visible. Hijacking is not very discreet, and good interception (lawful or not) is.

I will have a vodka-martini, please. Shaken, not stirred.


>> - ASN impersonation.
>> - ASN usurpation.

> I agree that these in and of themselves are not hijacking, but, using said impersonated or usurped
> ASN as a prepend or on a route originated as defined above would, IMHO, still be a form of hijacking.
> (The ASN use itself isn’t, but the origination of the route is still hijacking).

Agreed.
I have a good use case of AS impersonation, bear with me. I am the devil.

For very questionable purposes, I am going to find a place to establish an eBGP session with me and pretend I am you; possibly by buying transit from them, in an IX or a colo, let's say in the LACNIC region.
My name is now Miguel Yp, I don't speak good Spanish but this is California and that resource is easy to procure, and I'm going to invent some good BS that I am the newly created South America subsidiary of your business. With some social engineering, I am going to bring up that BGP session with your ASN and your prefixes. RPKI can't do much, because it will match the prefix to the ASN.
As soon as my eBGP session is up, I will start to spam and scam the Latin world with whatever spam or scam is the flavor of the day, be it political agitation, the IRS delaying your refund, your Christmas present shipping cancelled, enlargement products, or the widow of a deposed dictator who desperately needs someone to cash in 50 million Zimbabwe dollars.
And of course, it's your fault, because it's your ASN and your prefix. By the time ARIN and LACNIC figure it out, I will be in Panama enjoying it.

If you don't whine too loudly about it, I'll transfer 30% of the profits to you :-D
Of course, you can't tell anyone about our secret deal.

>> - AS-PATH manipulations.

> Agreed, except in the case where the announcement resulting still meets the origination test defined above.

+1

>> - The relation between MPLS and BGP.
>> - VRFs.

> In the cases where these activities fail the above test, I would agree. In the cases where
> they meet the above test, I would argue that they still constitute hijacking.

Explain that to people who want a constitutional amendment that prohibits drinking wine and ignores moonshine.
Oops, my bad, you have tried indeed. Feeding trolls^H^H^H^H^H^H^H^H^H^H^H^H herding cats, lately?

Michel.
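Added example (mine, not from this thread or from ARIN): RFC 6811 route origin validation over a constructed ROA set, next to a per-neighbor session check, to show the point made above that RPKI only binds a prefix to an origin ASN and says nothing about which session the route arrived on. The ROA set, the session policy, the prefixes (documentation space) and the ASNs (private range) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample ROAs (documentation prefixes, private ASNs); not real RPKI data.
ROAS = (
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
)

def covers(container: str, prefix: str) -> bool:
    """True when `prefix` lies inside `container` (same address family only)."""
    outer, inner = ipaddress.ip_network(container), ipaddress.ip_network(prefix)
    return outer.version == inner.version and inner.subnet_of(outer)

def rov_state(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RFC 6811 route origin validation: 'Valid', 'Invalid' or 'NotFound'.
    Only (prefix, origin AS) is examined; the neighbor that sent the route is not."""
    covering = [r for r in roas if covers(r.prefix, prefix)]
    if not covering:
        return "NotFound"   # no ROA covers the prefix: nothing to compare against
    plen = ipaddress.ip_network(prefix).prefixlen
    if any(r.asn == origin_asn and plen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"        # wrong origin AS, or more specific than maxLength allows

# Constructed per-neighbor policy: neighbor AS -> {(origin AS, prefix)} it may send.
SESSION_POLICY = {64500: {(64500, "203.0.113.0/24")}}

def session_allows(neighbor_asn: int, origin_asn: int, prefix: str,
                   policy=SESSION_POLICY) -> bool:
    """Prefix-list / route-map style check that binds the session (who sent it) to
    the route (what was sent): the control origin validation alone does not give."""
    return any(origin_asn == a and covers(p, prefix)
               for a, p in policy.get(neighbor_asn, ()))

def classify(neighbor_asn: int, origin_asn: int, prefix: str) -> str:
    """Apply both checks; a route must pass session policy and not be ROV-Invalid."""
    if not session_allows(neighbor_asn, origin_asn, prefix):
        return "reject:session-policy"
    state = rov_state(prefix, origin_asn)
    return "reject:rov-invalid" if state == "Invalid" else f"accept:rov-{state}"
```

A route carrying the registrant's own origin ASN arriving from an unexpected neighbor is "Valid" for rov_state alone and is only caught by the session check.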


