North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

[admin] [summary] RE: YouTube IP Hijacking

  • From: Alex Pilosov
  • Date: Mon Feb 25 14:57:53 2008

A bit of administrativia:

This thread generated over a hundred posts, many without operational 
relevance or by people who do not understand how operators, well, operate, 
or by people who really don't have any idea what's going on but feel like 
posting. 

I'd like to briefly summarize the important things that were said. If you 
would like to add something to the thread, make sure you read this post in 
entirety.

Sorry if I didn't attribute every suggestion to a poster.

Facts:

* AS17557 announced more specific /24 to 3491, which propagated to wider 
internets

* Chronology (by Martin@Renesys)
http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube.shtml

* Things suggested to possibly address the problem:

** IRR filtering (using IRRPT http://sourceforge.net/projects/irrpt/ to 
generate filter lists)

** Notification when origin of a given route changes 
http://www.cs.ucla.edu/~mohit/cameraReady/ladSecurity06.pdf
http://www.ris.ripe.net/myasn.html
http://cs.unm.edu/~karlinjf/IAR/index.php (from pgBGP)

** pgBGP to depref "suspicious routes" 
http://www.nanog.org/mtg-0606/pdf/josh-karlin.pdf (unclear the number of 
false positives that will adversely affect connectivity)

** sbgp/sobgp - require full authentication for each IP block, and thus 
unlikely to be implemented until certificate chains are in place, and 
vendors release code that does verification, and operators are happy 
enough running it.

Other things addressed:

* Fragility of Internet: 

** Nobody brought up the important point - the BGP announcement filtering
are only as secure as the weakest link. No [few?] peers or transits are
filtering "large" ISPs (ones announcing few hundred routes and up). There
are a great many of them, and it takes only one of them to mess up 
filtering a downstream customer for the route to be propagated.

** Paul Wall brought up the fact that even obviously bogus routes (1/8 and
100/7) were accepted by 99% of internet during an experiment. Will it take
someone announcing 9/11 to get us to pay attention? (ok, bad joke)

** What I'd like to see discussed: Issues of filtering your transit
downstream customers, who announce thousands of routes. Does *anyone* do
it?

* Typos vs Malicious announcements

** Some ways of "fixing" the problem (such as IRR filtering) only address 
the typos or unintentional announcements. There's full agreement that IRR 
is full of junk, which is not authenticated in any sort. 

** Things like PHAS won't work if hijacker keeps the origin-AS same (by 
getting their upstream to establish session with different ASN)

** What I'd like to see discussed: Who (ICANN/RIRs/LIRs) is actively 
working on implementing "chain of trust" of IP space allocations?

* Ways to address the issue without cooperation of 3491: 
** Filtering anything coming out of 17557
** Suggestions given: 
** What I'd like to see discussed: Can an network operator, *today*,
filter the "possibly bogus" routes from their peers, without manual
intervention, and without false positives?

* Yelling at people who don't filter

** Per above, 3491 isn't the only one who filters. In fact, claims 
were made that *nobody* filters "large enough" downstreams. (beyond 
aspath/maxpref)

** *please* do not post additional comments about pccw bad, etc.

* Malicious vs mistaken on part of AS17557 and 3491:

** *please* do not post speculation unless you have facts to back it up.

** Any discussions of cyber-jihad are off-topic unless you can produce the 
fatwa to back it up.