[arin-ppml] prop266 - re-framing the discussion

Carlos Friaças cfriacas at fccn.pt
Thu May 2 18:22:13 EDT 2019


On Thu, 2 May 2019, Tom Samplonius wrote:

>   Well, since transit providers universally use IRR, it is unlikely that hijacks even work, unless there are legacy ports where IRR was not implemented.

Yes, filters do fail sometimes... :/

>   http://peering.exposed/ has a list of IX that have secure route servers (secure meaning that they implement IRR).  It is a significant number, and it is increasing.

Route servers are not an exclusive way of peering.
Some well-known networks have a policy not to use route servers, afaik.

>   The problem with this BGP hi-jack proposal, is the problem statement 
> itself.  How many hijacks are happening in the ARIN region per month? 
>  10?  100?  1000?

How many of them reach an ARIN mailbox?

In fact we got some numbers from LACNIC (i.e. cases reported to LACNIC), 
but I haven't seen it from ARIN yet.

> And why is IRR not the solution to hijacks, since it is widely (but not
> universally) implemented?

Well, if it's possible for anyone to add records to an IRR database 
without proper authentication...
RPKI however is different, but while its deployment is immature, something 
at policy level is needed.

> I suspect the number of hijacks in the ARIN region is basically zero, 
> because even if IRR is not universal, it just takes a few larger 
> networks to block the spread of hijacked routes.  And if hijackers can't
> hijack globally, then why hijack at all?

To inject toxic packets to specific networks.
To capture packets from specific networks.
To divert law enforcement, while doing any of the previous.

> All of the tier 1s that I talk to have moved from manually maintained 
> prefix lists to fully automated IRR maintenance on customer edge ports.

Great! Did that stop business models where hijacks are involved? I guess 
not... :/

>   The Internet Society has created the MANRS initiative 
> (https://www.manrs.org/) to encourage all networks globally to implement 
> route security (among other things), but strangely there hasn't been a 
> single mention of it in any of these threads.  MANRS is the best way to 
> address hijacking, since it prevents hijacking from even happening 
> (along with other bad things like spoofing).

It's referenced on 
(LACNIC... in Spanish)

It will be referenced in updated versions for RIPE and ARIN too.

Unfortunately MANRS takeup is even lower than RPKI, so something at policy 
level is needed (I'm repeating myself...)


> --
> Tom Samplonius
> VP of Technology
> Urban Communications Inc.
> tsamplonius at ubn.ca
