[AusNOG] BGP injection / IP Hijacking / Peer Trust
Sean K. Finn
Sean.Finn at ozservers.com.au
Thu Aug 28 12:57:45 EST 2008
I agree. It really becomes a question of 'Are my routes valid from those that I am accepting them from'? No matter where the routes come from.
Just for clarification, when I refer to 'peering' I'm also including ISP<->ISP NON-FREE Peering, i.e. paid-for-transit links, or a one-to-one relationship.
(Which may or may not filter your BGP in/out requests / advertisements). I.e. an operator at PAKISTAN TELECOM made a typo with a route, and the relationship between Pakistan Telecom and STIX (SingTel Internet Exchange) was one of trust and non-filtering. Being an Optus customer, with Optus owned by SingTel, and Optus appearing to natively trust announcements on STIX, we had a /24 knocked off the net for a couple of hours until we got the message far enough along the line to fix it up.
Multilateral peering being something like PIPE where it can be a one to many or many to many relationship.
Multilateral peering reminds me of an old poem:
There once was a vampire named Drouin,
Who took a succubus back to his room.
They argued all night,
Over who had the right,
To suck what, and from where, and from whom.
From: Jason Sinclair [mailto:Jason.Sinclair at staff.pipenetworks.com]
Sent: Thursday, 28 August 2008 12:50 PM
To: Sean K. Finn; ausnog at ausnog.net
Subject: RE: [AusNOG] BGP injection / IP Hijacking / Peer Trust
I am not sure this is just a peering issue - traffic hijacking can occur "legitimately" and has in the past when large O/S networks (non-peer) make a "mistake". I think for this to be resolved completely some level of route to AS verification needs to be able to be performed on the fly (as is indicated as one approach in the articles). Filtering of course is another manual approach, however the validity of routes being advertised would need to be checked.
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K. Finn
Sent: Thursday, 28 August 2008 11:28 AM
To: ausnog at ausnog.net
Subject: [AusNOG] BGP injection / IP Hijacking / Peer Trust
There seems to be some publicity about hijacking others' IP ranges with BGP to snoop/sniff/intercept traffic.
Now, of course this is a known thing, and thankfully doesn't happen too much in Australia, but I've noticed one thing from the flamewar that starts with the comments at the end of this article.
It appears that one can rent a server or two, link into peering fabric at several points in the U.S., and announce just about anyone's range to intercept traffic then re-broadcast it.
Effectively placing themselves inside a trusted portion of the network where no filtering on announcements is done.
The Big G, Google, presented at AUSNOG2 and stated that they were looking to form unilateral peering and declined to comment on multilateral peering, and suddenly, after reading this article, it began to make sense.
Do you trust your PEERS at a multi-lateral peering point? Obviously for some, the answer is no.
Thankfully here in Aus most players know most other players that are peering or announcing on WAIX, PIPE, Equinix etc, so it's not such a big deal with random elements hooking in and sniffing our traffic if they manage to be able to advertise our IP ranges.
My question / comments / ponderings to the list are really:
- What's more trustworthy: a carrier unilateral peering relationship, unilateral peering, or multilateral peering?
If multilateral peering is shaping up to be such a trust issue, does anyone have any comment or suggestions on how we can *maintain* the trust of the current state of peering in Australia so that we are not affected by this scourge in the future?
I'm just throwing it out there.
Sean K Finn.
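The route-to-AS verification and announcement filtering discussed in this thread can be sketched as a prefix-origin check. This is an added example, not part of the original messages: the authorization table, prefixes and AS numbers (all documentation ranges) are constructed, and `validate` and `filter_announcements` are hypothetical names. It uses the valid / invalid / not-found semantics later standardized for BGP prefix origin validation in RFC 6811.

```python
import ipaddress

# Constructed table of authorized origins: (prefix, max prefix length, origin AS).
AUTHORIZED = [
    ("198.51.100.0/24", 25, 64496),  # holder may de-aggregate down to /25
    ("203.0.113.0/24", 24, 64497),   # only the exact /24 is authorized
]

def validate(prefix, as_path, table=AUTHORIZED):
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin_as = as_path[-1]  # the originating AS is the last hop in the path
    covered = False
    for auth_prefix, max_len, auth_as in table:
        auth_net = ipaddress.ip_network(auth_prefix)
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue  # this entry says nothing about the announced prefix
        covered = True
        if origin_as == auth_as and net.prefixlen <= max_len:
            return "valid"
    # Covered by an entry but no entry matched: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def filter_announcements(announcements, table=AUTHORIZED):
    """Drop 'invalid' routes; keep 'valid' and 'not-found' ones, tagged."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        state = validate(prefix, as_path, table)
        bucket = rejected if state == "invalid" else accepted
        bucket.append((prefix, as_path[-1], state))
    return accepted, rejected

# Constructed announcements as they might arrive from a peer (AS 64500).
SAMPLE = [
    ("198.51.100.0/24", [64500, 64496]),    # authorized origin
    ("198.51.100.128/25", [64500, 64496]),  # more specific, within max length
    ("203.0.113.0/24", [64500, 64511]),     # right prefix, wrong origin
    ("203.0.113.0/25", [64500, 64497]),     # right origin, too specific
    ("192.0.2.0/24", [64500, 64499]),       # no covering entry
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    for row in accepted:
        print("accept", row)
    for row in rejected:
        print("reject", row)
```

The check looks only at the origin AS, so a path that ends in the authorized origin passes even if an earlier hop in the path is not legitimate.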