[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Owen DeLong owen at delong.com
Tue May 7 22:44:09 EDT 2019

> On May 7, 2019, at 12:25 , Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
> Hi Keith,
>> Keith W. Hare wrote :
>> I have not yet seen a complete clear consistent definition of BGP/Route
>> hijacking. Such a definition is a prerequisite to defining a meaningful policy. 
> I agree.
> And in order to have that clear consistent definition of what hijacking is, we also have to define what it is not.
> Included, but not limited to :
Let me take a stab…

BGP Hijacking is the BGP origination of a prefix by someone other than the RIR registrant (if any) who does so without
the express permission of the registrant or beyond the term of such permission by registrant.

> - Squatting.
> - Loitering.

I’m not sure I agree that these are not hijacking.

> - Some forms of DDOS mitigation.
> - Leasing (same as DDOS mitigation, it's technically hijacking with permission).

Presumably these involve permission of the registrant and are therefore 

> - Traffic Engineering.
> - Traffic Shaping.

Presumably these do not involve BGP origination of the prefix in question except in the case of TE by the prefix owner.

> - Interception (lawful and not).

Well, I can see how we might say that lawful intercept is not hijacking (I’m not sure I agree 100%), but how would non-lawful
intercept through route origination be classified as not hijacking?

> - ASN impersonation.
> - ASN usurpation.

I agree that these in and of themselves are not hijacking, but, using said impersonated or usurped ASN as a prepend or
on a route originated as defined above would, IMHO, still be a form of hijacking. (The ASN use itself isn’t, but the origination
of the route is still hijacking).

> - AS-PATH manipulations.

Agreed, except in the case where the announcement resulting still meets the origination test defined above.

> - The relation between MPLS and BGP.
> - VRFs.

In the cases where these activities fail the above test, I would agree. In the cases where they meet the above test, I would
argue that they still constitute hijacking.

>> To me, ARIN’s current practice is a good way of responding to BGP/Route hijacking reports.
>> It includes the flexibility, investigation, and communication necessary to identify and
>> correct issues. The current practice works by using communication and persuasion. It has
>> the advantage that the details are not codified in policy and so can adjust depending on
>> the actual details and intent discovered during the investigation.
> +1
> I trust that ARIN's staff has the necessary training, experience, background, and technical expertise for such practice.
> Which unfortunately I can't say the same about some of the participants in the recent debate.
> I welcome questions, and I hope ARIN will continue to weigh correctly the assertions of people who have never configured BGP on a production network.



More information about the ARIN-PPML mailing list