[arin-ppml] [EXT] Re: Open Petition for ARIN-prop-266: BGP Hijacking is an ARIN Policy Violation

Owen DeLong owen at delong.com
Wed May 8 15:47:08 EDT 2019

> On May 7, 2019, at 10:03 PM, Michel Py <michel at arneill-py.sacramento.ca.us> wrote:
> Hi Owen,
> <disclaimer>
> Owen and I have been interacting for decades and we have met in person.
> We have radically opposed opinions on some heavy topics that I will not mention here.
> Although it was private, I have admitted publicly that Owen is the only person
> who proved me wrong in the matter of public policy. I respect that.
> For the other undisclosed topics, _I_ am right and _HE_ is wrong, of course.
> </disclaimer>

<disclaimer rebuttal>
Actually, the belief that he is right is simply one more topic about which Michel remains wrong. ;-)
It’s true Michel and I have a long history of disagreement on many topics, but we have
always managed to do so respectfully and we often learn from each other along the way.
</disclaimer rebuttal>

>> Let me take a stab...
> Allow me to be the devil's advocate. You of all people would admit that I'm good at it ;-)

I’ve always believed that you were likely advocating for evil… Yes. (Hey, you said it first)

> Let's call this academic.

This whole thing strikes me as a mostly academic exercise, so agreed.

>> BGP Hijacking is the BGP origination of a prefix by someone other than the RIR registrant
>> (if any) who does so without the express permission of the registrant or beyond the term
>> of such permission by registrant.

Based on Michel’s comments below, I amend my proposed definition to the following:

BGP Hijacking is the BGP origination and external announcement to at least one other member of
the cooperating entities collectively known as “the internet” of a prefix by someone other than the
RIR registrant (if any) who does so without the express permission of the registrant or beyond
the term of such permission by registrant.

> Sounds right to me; may be too broad in some corner cases.

Feel free to elaborate.

>>> - Squatting.
>>> - Loitering.
>> I’m not sure I agree that these are not hijacking.
> You are not the only one (that includes me; I started this by asking what we do for people who hijack DoD prefixes, while squatting would be more precise).
> Please allow me to remind (not you but other readers) that, after this very interesting academic discussion ends, ARIN has even less options to deal with these as for what we agree is hijacking, which means zero minus zero divided by zero.

You’ve now produced a mathematically undefined result. That cannot result in good policy. :p

> I think that Loitering is not, as it often does not involve BGP but rather an IGP such as ISIS, OSPF, or EIGRP.
> (I have a couple cases on tap). I understand that this is playing with words, because the prefix is in use without the express permission of the registrant, but this technically is not BGP origination.
> Typical use case : business reorganization (split) that has left a part using prefixes that the other part has not transferred. Renumbering is out of the picture, so one loiters.

I don’t think that prefixes belong to entities as I don’t believe they are property, and I think that any conflation of an idea of the prefix itself being property is a source of a great fraction of the misunderstandings in this topic so far.

Once we recognize that the prefix itself is not property, but that what is tangible and real is the registration of a particular prefix to a particular entity within a particular registry, we have the basis for better understanding. Once we build upon that with the realization that among cooperating entities that choose to use the particular registry in question as an authoritative representation of legitimacy of control over the use of a given prefix within the context of interconnected networks operating on that basis, we have the existing internet (mostly) with the caveat that it is also connected to some entities that appear not to treat the RIR system as entirely authoritative.

A network that is not attached to that group (i.e. one that is not announcing anything in to BGP either directly or via proxy (here Mr. ISP, please announce our prefix X::/Y for us)) isn’t really a concern of registry policy as far as I’m concerned. As such, I really don’t think it matters what set of numbers they choose to use so long as their use of those numbers does not cause harmful interference to others in the attached cooperating entities collection of networks. (Kind of like Part 49 FCC rules for low power ISM applications).

> As for Squatting, I would agree that it often is BGP origination, but then one could argue that iBGP and eBGP are not the same thing.
> They are not, actually; for example, eBGP does not require a full-mesh or route reflectors, while iBGP does.
> The Cisco administrative distance is 20 for eBGP and 200 for iBGP. https://learningnetwork.cisco.com/thread/25632
> Look at the link above, it's not the same protocol.

By origination, I did intend (through implication) to include origination and announcement in eBGP, but I suppose being more explicit would have been a better choice.

> Being the devil, I argue that if the correct route-maps and prefix-lists are in place, iBGP is my own business and that hijacking applies only to eBGP.

Agreed. Definition amended accordingly.

> Typical use case : large org that has outgrown 10/8 and squats un-announced DoD prefix.
> They know it's dumb, but IPv6 does not cut it either. They pick the lesser of two evils.

I’d argue that IPv6 is the lesser of evils and fixing whatever broken system they have that causes IPv6 to “not cut it” is the least evil.

> Regardless of the technical difficulties, it would have been nice to have 240/4.

In order to make 240/4 work, we would have had to update the code on virtually every system on the internet and most of the applications.
In order to make IPv6 work, we need to update the code on virtually every system on the internet and most of the applications.

If we spend the same effort making 240/4 work instead of making IPv6 work, then when we run out of 240/4 space (and we would), we are no better off than when we started. If, instead, we spend that effort enabling IPv6, at the end we have a completed transition with the ability to deprecate IPv4 and make everyone’s lives significantly better.

> Trying to be fair, I think that the difference between Squatting and Loitering should be tied to being a service provider and carrying public / customer / subscriber traffic over the squatted prefix(es). I think service providers should have a different set of expectations than end customers. My $0.02.

I have no response to this that is fit for public discourse.

>>> - Some forms of DDOS mitigation.
>>> - Leasing (same as DDOS mitigation, it's technically hijacking with permission).
>> Presumably these involve permission of the registrant and are therefore 
> Trying to second-guess the end of your sentence : and therefore are not hijacking.
> I agree, but as mentioned earlier this is a typical contractual dispute : he said, she said.
> How could we know, from the outside ?

Yes… Sorry about the truncation, not sure how that happened. I swear I typed it.

Also agree about the contract dispute thing.

>>> - Traffic Engineering.
>>> - Traffic Shaping.
>> Presumably these do not involve BGP origination of the prefix in question except in the case of TE by the prefix owner.
> Agreed, but the question was asked very recently.

Yep, my answer is that they are excluded from the definition of hijacking.

>>> - Interception (lawful and not).
>> Well, I can see how we might say that lawful intercept is not hijacking (I’m not sure I agree
>> 100%), but how would non-lawful intercept through route origination be classified as not hijacking?
> It would not, but for the sake of clarity it probably is an unusual form of interception; in my realm, it's done by spanning a port, fiber taps, sending the USS Jimmy Carter on the ocean floor to sniff Russian cables, and other methods that are possibly more physically intrusive than hijacking but logically less visible. Hijacking is not very discreet, and good interception (lawful or not) is.
> I will have a vodka-martini, please. Shaken, not stirred.

Another person ordering a weak-ass watered down martini and being snooty about it.

I would say that physical intrusion based interception does not constitute BGP hijacking unless that
physical intrusion is used to originate a route in BGP for the purposes of hijacking.

It may represent traffic hijacking, but it isn’t BGP hijacking, which I believe to be the thread at hand
and the alleged remit of the proposal being discussed.

>>> - ASN impersonation.
>>> - ASN usurpation.
>> I agree that these in and of themselves are not hijacking, but, using said impersonated or usurped
>> ASN as a prepend or on a route originated as defined above would, IMHO, still be a form of hijacking.
>> (The ASN use itself isn’t, but the origination of the route is still hijacking).
> Agreed.
> I have a good use case of AS impersonation, bear with me. I am the devil.

As stated above, I have long suspected as much. ;-)

> For very questionable purposes, I am going to find a place to establish an eBGP session with me and pretend I am you; possibly by buying transit from them, in an IX or a colo, let's say in the LACNIC region.
> My name is now Miguel Yp, I don't speak good Spanish but this is California and that resource is easy to procure, and I'm going to invent some good BS that I am the newly created South America subsidiary of your business. With some social engineering, I am going to bring up that BGP session with your ASN and your prefixes. RPKI can't do much, because it will match the prefix to the ASN.

Now you’re just quoting my playbook where I have repeatedly stated that in its current state, RPKI is little more than a cryptographically signed instruction manual for proper impersonation.

> As soon as my eBGP session is up, I will start to spam and scam the Latin world with whatever spam or scam is the flavor of the day, be it political agitation, IRS delaying your refund, your Christmas present shipping cancelled, enlargement products, or the widow of a deposed dictator who desperately needs someone to cash in 50 million Zimbabwe dollars.
> And of course, it's your fault, because it's your ASN and your prefix. By the time ARIN and LACNIC figure it out, I will be in Panama enjoying it.

I think under the circumstances, if I were you, I’d find a non-extradition country in the APNIC region. In Panama, LACNIC may very well come after you.

> If you don't whine too loudly about it, I'll transfer 30% of the profits to you :-D
> Of course, you can't tell anyone about our secret deal.

Yeah, I’d pass on that deal, but I suspect you might find some takers.

>>> - AS-PATH manipulations.
>> Agreed, except in the case where the announcement resulting still meets the origination test defined above.
> +1
>>> - The relation between MPLS and BGP.
>>> - VRFs.
>> In the cases where these activities fail the above test, I would agree. In the cases where
>> they meet the above test, I would argue that they still constitute hijacking.
> Explain that to people who want a constitutional amendment that prohibits drinking wine and ignores moonshine.
> Oops my bad, you have tried indeed. Feeding trolls^H^H^H^H^H^H^H^H^H^H^H^H herding cats, lately ?
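The origin validation point in this exchange (RPKI "will match the prefix to the ASN", so an announcement carrying the registrant's own ASN passes) worked through as an added example; this is not code from the thread or from either author. It implements RFC 6811 route origin validation over constructed ROAs and then adds a defender-side neighbour check that is assumed here (the registrant's own record of its upstreams, which RPKI does not express). All prefixes, ASNs and upstream sets are hypothetical sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


# Constructed ROAs for a hypothetical registrant holding AS64500 (sample data only).
ROAS = [Roa("203.0.113.0/24", 24, 64500), Roa("2001:db8::/32", 48, 64500)]

# Upstreams the registrant actually has eBGP sessions with. Hypothetical; this comes
# from the operator's own records, and is exactly the fact an RPKI ROA cannot carry.
KNOWN_UPSTREAMS = {64500: {64510, 64520}}


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(r)
    if not covering:
        return "NotFound"
    for r in covering:
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def classify(prefix, as_path, known_upstreams=KNOWN_UPSTREAMS):
    """ROV plus a neighbour check on the observed AS_PATH (rightmost AS is the origin).

    ROV accepts any announcement whose origin matches the ROA, so an impersonated
    session only stands out when the AS feeding the origin is not a known upstream."""
    path = list(as_path)
    while len(path) > 1 and path[-2] == path[-1]:   # collapse origin prepends
        path.pop()
    origin = path[-1]
    rov = validate_origin(prefix, origin)
    if rov != "Valid":
        return rov
    if len(path) >= 2 and path[-2] not in known_upstreams.get(origin, set()):
        return "Valid-but-unexpected-upstream"
    return "Valid"
```

The "Valid-but-unexpected-upstream" outcome is a monitoring signal for the registrant, not a routing decision: a new transit relationship looks the same until the upstream list is updated.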
