<div dir="ltr"><div dir="ltr">Paul, my comments were prompted by this discussion on reddit. The report authors haven't established that all the routing they described was a hijack, they just assume it because it was a longer route.<br><br><a href="https://www.reddit.com/r/netsec/comments/9rlehd/chinese_telecom_performing_bgp_hijacking/">https://www.reddit.com/r/netsec/comments/9rlehd/chinese_telecom_performing_bgp_hijacking/</a><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, 21 Nov 2018 at 18:55, Paul Brooks &lt;<a href="mailto:pbrooks-ausnog@layer10.com.au">pbrooks-ausnog@layer10.com.au</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <div class="m_1192298645346911404moz-cite-prefix">On 21/11/2018 5:42 PM, Grahame Lynch
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">How much of this is "hijacking" and how much is
        just "least cost routing"? It is really hard to tell.</div>
    </blockquote>
    It's not 'least cost routing', BGP doesn't work like that, unless the
    target networks really were customers of China Telecom, or
    customers-of-a-customer.<br>
    China Telecom must have started advertising that those networks were
    reachable, and then stopped advertising, for the traffic to be sent
    into their network in the first place.<br>
    <br>
    This can happen by accident/incompetence/error, although that
    usually results in the affected site being blackholed - that's what
    happened with the Telstra BGP hijack of prefixes recently.  In this
    'diversion' case the traffic is being rerouted and eventually
    finding its way back out of the network and forwarded to the
    original destination - that is more difficult to make happen by
    accident.<br>
    <br>
    It's arguably laziness on the part of the other networks that China
    Telecom interconnects BGP with - peers, upstreams, and customers -
    although to be fair the various proposals for validating BGP route
    advertising permissions are not widely deployed and are still being
    developed.<br>
    <br>
    Most ISPs filter BGP routing advertisements from customers, but very
    few filter route advertisements from upstreams and peers.<br>
    Securing BGP is a hot topic in recent years, but is taking a long
    long time to get critical mass.<br>
    <br>
    Everyone running BGP-4 should take a look at:<br>
    <ul>
      <li>MANRS (Mutually Agreed Norms for Routing Security -
        <a class="m_1192298645346911404moz-txt-link-freetext" href="https://www.internetsociety.org/issues/manrs" target="_blank">https://www.internetsociety.org/issues/manrs</a>)</li>
      <li>RFC7454 = BCP-194 - BGP Operations and Security -
        <a class="m_1192298645346911404moz-txt-link-freetext" href="https://tools.ietf.org/html/rfc7454" target="_blank">https://tools.ietf.org/html/rfc7454</a></li>
      <li>NIST "Protecting the Integrity of Internet Routing: Border
        Gateway Protocol (BGP) Route Origin Validation",
        <a class="m_1192298645346911404moz-txt-link-freetext" href="https://csrc.nist.gov/publications/detail/sp/1800-14/draft" target="_blank">https://csrc.nist.gov/publications/detail/sp/1800-14/draft</a></li>
    </ul>
    ...and plan to implement RPKI for all your routes.<br>
    <br>
    Paul.<br>
    <br>
    <blockquote type="cite"><br>
      <div class="gmail_quote">
        <div dir="ltr">On Wed, 21 Nov 2018 at 17:38, Christian Heinrich
          &lt;<a href="mailto:christian.heinrich@cmlh.id.au" target="_blank">christian.heinrich@cmlh.id.au</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Has anyone
          observed<br>
          <a href="https://www.smh.com.au/technology/how-china-diverts-then-spies-on-australia-s-internet-traffic-20181120-p50h80.html" rel="noreferrer" target="_blank">https://www.smh.com.au/technology/how-china-diverts-then-spies-on-australia-s-internet-traffic-20181120-p50h80.html</a><br>
          or not?<br>
          <br>
          -- <br>
          Regards,<br>
          Christian Heinrich<br>
          <br>
          <a href="http://cmlh.id.au/contact" rel="noreferrer" target="_blank">http://cmlh.id.au/contact</a><br>
          _______________________________________________<br>
          AusNOG mailing list<br>
          <a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
          <a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
        </blockquote>
      </div>
    </blockquote>
    <p><br>
    </p>
  </div>

</blockquote></div>
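<p>The route origin validation that the RPKI recommendation in this thread points to, as an added example that is not part of the original e-mails. It follows the RFC 6811 covered/matched rules; the VRP table, prefixes (documentation ranges) and AS numbers (documentation range 64496-64511) are constructed for illustration.</p>

```python
import ipaddress

# Constructed sample VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Prefixes and ASNs are documentation-range values, not real allocations.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 25, 64497),
]


def validate(prefix, as_path, vrps=VRPS):
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'.

    RFC 6811 logic: a VRP covers the route if the route's prefix lies inside
    the VRP prefix; it matches if, in addition, the route is no more specific
    than maxLength and the origin AS equals the VRP's ASN (AS 0 never matches).
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # origin AS = last AS in the path (AS_SETs not handled)
    covered = False
    for vrp_prefix, max_length, asn in vrps:
        if vrp_prefix.version != route.version or not route.subnet_of(vrp_prefix):
            continue
        covered = True
        if asn != 0 and asn == origin and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def classify_all(announcements):
    """Return (prefix, as_path, state) for each announcement."""
    return [(p, path, validate(p, path)) for p, path in announcements]


# Constructed announcements as a router might receive them from a peer or upstream.
SAMPLE = [
    ("192.0.2.0/24", [64510, 64496]),                # expected origin
    ("192.0.2.0/24", [64510, 64505, 64504, 64496]),  # longer path, same origin
    ("192.0.2.0/25", [64510, 64496]),                # more specific than maxLength
    ("192.0.2.0/24", [64510, 64511]),                # different origin AS
    ("198.51.100.128/25", [64497]),                  # /25 allowed by maxLength 25
    ("203.0.113.0/24", [64500]),                     # no covering VRP
]

if __name__ == "__main__":
    for prefix, path, state in classify_all(SAMPLE):
        print(f"{prefix:20} path={path} -> {state}")
```

<p>The second sample is classified the same as the first: origin validation looks only at the origin AS and prefix length, so it says nothing about whether a longer path through other networks was intended.</p>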