[AusNOG] BGP injection / IP Hijacking / Peer Trust

Jason Sinclair Jason.Sinclair at staff.pipenetworks.com
Thu Aug 28 13:06:32 EST 2008



I like it! 



From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K. Finn
Sent: Thursday, 28 August 2008 12:58 PM
To: Jason Sinclair; ausnog at ausnog.net
Subject: Re: [AusNOG] BGP injection / IP Hijacking / Peer Trust


Hi Jason,


I agree. It really becomes a question of 'Are my routes valid from those
that I am accepting them from'? No matter where the routes come from.


Just for clarification, when I refer to 'peering' I'm also including
ISP<->ISP NON-FREE Peering, i.e. paid-for-transit links, or a one-to-one


(Which may or may not filter your bgp in/out requests / advertisements).
I.e. an operator at PAKISTAN TELECOM made a typo with a route, and the
relationship between Pakistan Telecom and STIX (SingTel Internet
Exchange) was one of trust and non-filtering. Being an Optus customer,
with Optus owned by SingTel, Optus appears to natively trust
announcements on STIX, we had a /24 knocked off the net for a couple of
hours until we got the message far enough along the line to fix it up.


Multilateral peering being something like PIPE where it can be a one
to many or many to many relationship.


Multilateral peering reminds me of an old poem:


There once was a vampire named Drouin,

Who took a succubus back to his room.

They argued all night,

Over who had the right,

To suck what, and from where, and from whom.





From: Jason Sinclair [mailto:Jason.Sinclair at staff.pipenetworks.com] 
Sent: Thursday, 28 August 2008 12:50 PM
To: Sean K. Finn; ausnog at ausnog.net
Subject: RE: [AusNOG] BGP injection / IP Hijacking / Peer Trust


I am not sure this is just a peering issue - traffic hijacking can occur
"legitimately" and has in the past when large O/S networks (non-peer)
make a "mistake". I think for this to be resolved completely some level
of route to AS verification needs to be able to be performed on the fly
(as is indicated as one approach in the articles). Filtering of course
is another manual approach, however the validity of routes being
advertised would need to be checked.





From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Sean K. Finn
Sent: Thursday, 28 August 2008 11:28 AM
To: ausnog at ausnog.net
Subject: [AusNOG] BGP injection / IP Hijacking / Peer Trust


Hi All,




There seems to be some publicity about hijacking others' IP ranges with
BGP to snoop/sniff/intercept traffic.


Now, of course this is a known thing, and thankfully doesn't happen too
much in Australia, but I've noticed one thing from the flamewar that
starts with the comments at the end of this article.


It appears that one can rent a server or two, link into peering fabric
at several points in the U.S, and announce just about anyone's range to
intercept traffic then re-broadcast it. 

Effectively placing themselves inside a trusted portion of the network
where no filtering on announcements is done.


When the Big G, Google, presented at AUSNOG2 and stated that they were
looking to form unilateral peering and declined to comment on
multilateral peering, and suddenly, after reading this article, it began
to make sense.


Do you trust your PEERS at a multi-lateral peering point? Obviously for
some, the answer is no.


Thankfully here in Aus most players know most other players that are
peering or announcing on WAIX, PIPE, Equinix etc, so it's not such a big
deal with random elements hooking in and sniffing our traffic if they
manage to be able to advertise our IP ranges.


My question / comments / ponderings to the list are really


- What's more trustworthy, a carrier unilateral peering relationship,
unilateral peering, multilateral peering?


If Multilateral peering is shaping up to be such a trust issue, does
anyone have any comment or suggestions on how we can *maintain* the
trust of the current state of peering in Australia so that we are not
affected by this scourge in the future?


I'm just throwing it out there.



Sean K Finn.
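
The route-to-AS verification mentioned in the thread, sketched as an added example (not code from any of the posters): each announcement's origin AS is checked against a table of authorized prefix/origin pairs before it is accepted. The table layout, the maximum-length field, the three result labels and every prefix and AS number below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed table of (prefix, max accepted prefix length, authorized origin AS).
# Documentation prefixes and AS numbers only; a real table would come from
# whatever registry data the operator trusts.
AUTHORIZED = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 25, 64497),
    ("2001:db8::/32", 48, 64498),
]

def validate(prefix, origin_as, table=AUTHORIZED):
    """Classify an announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for auth_prefix, max_len, auth_as in table:
        auth = ipaddress.ip_network(auth_prefix)
        if auth.version != net.version or not net.subnet_of(auth):
            continue
        covered = True  # someone holds an authorization for this address space
        if origin_as == auth_as and net.prefixlen <= max_len:
            return "valid"
    # Covered but no matching entry: wrong origin AS, or a more-specific
    # prefix than the holder authorized.
    return "invalid" if covered else "not-found"

def classify(announcements):
    """Group (prefix, origin_as) announcements by validation result."""
    result = {"valid": [], "invalid": [], "not-found": []}
    for prefix, origin_as in announcements:
        result[validate(prefix, origin_as)].append((prefix, origin_as))
    return result

# Constructed announcements as they might arrive from a peer.
SAMPLE = [
    ("192.0.2.0/24", 64496),     # authorized origin
    ("192.0.2.0/24", 64511),     # same prefix, unauthorized origin
    ("192.0.2.128/25", 64496),   # right origin, longer than authorized
    ("198.51.100.0/25", 64497),  # more-specific within the allowed length
    ("203.0.113.0/24", 64500),   # no authorization covers this prefix
    ("2001:db8:1::/48", 64498),  # IPv6, authorized
]

if __name__ == "__main__":
    for state, routes in classify(SAMPLE).items():
        print(state, routes)
```

Only the "invalid" group is a clear candidate for rejection; "not-found" routes have no authorization data either way, so how to treat them is a local policy decision.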
