[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Jeff Young young at jsyoung.net
Mon Feb 29 18:22:19 EST 2016


> From: "Roland Dobbins" <rdobbins at arbor.net>
> Subject: Re: [AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration
> Date: 29 February 2016 4:40:20 pm AEDT
> To: "ausnog at ausnog.net" <ausnog at lists.ausnog.net>
> 
> 
> On 29 Feb 2016, at 12:33, Mark Andrews wrote:
> 
>> So 16 years is not enough time for them to do the right thing?
> 
> Ignorance and apathy are the key reasons we don't have near-universal source-address validation.  I'm not apologizing for anyone - you know very well that I advocate for implementing source-address validation, as you've seen/heard me talk about it many times before.
> 
> My point is that we're in the situation we're in, and not in some idealized situation, and it's important to understand that we can't wave a magic wand and make this happen overnight.  Access networks are the logical places to implement source-address validation by default, as they're the points in the network where it's least likely to cause operational problems and where the requisite features are available on most major hardware platforms.
> 
> -----------------------------------
> Roland Dobbins <rdobbins at arbor.net>
> 

While it may have taken some time for the equipment to support source-address validation, at least from the statistics quoted, the situation is getting better
(more providers implementing checks).

I wonder what could be said of the number of ISPs using a registry to validate their customers' (not peers') routing announcements?  Ignorance and apathy
have played an even larger role in route hijacks (intentional or otherwise).  We've had the solution forever (validate your customers' announcements) but
it would seem that few ISPs implement it anymore.

I haven’t yet read the MANRS docs (I will) but it would seem that a system that ranks the accuracy of routing announcements per ISP based on their method
of accepting and propagating updates would be really useful.  If you run a completely clean system, keep your customers from announcing garbage, you get
a good rating and everyone trusts your updates.  If your customers are prone to announcing portions of the YouTube address space and you blithely pass it to
the world, not so much.

All we'd need is a knob to turn based on that measure of accuracy… Dampening is too big a stick, and to implement it in this way might be catastrophic; number
of prefixes to accept over time, smaller stick, maybe fewer consequences… correlation?

If I think your routes are suspect perhaps I don't accept an announcement from you until I hear it from someplace else?  Or from some ISP I trust?

Just a thought (after hearing people complain about route hijacks during Apricot; took me way back).
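The two mechanisms the post talks about, validating a customer's announcements against registry route objects and a reputation "knob" that holds back a route from a suspect neighbour until a trusted one also carries it, as an added worked example that is not part of the original post or of MANRS. The route objects, as-sets, AS numbers (all from the documentation ranges) and neighbour names are constructed sample data, and the scoring rule is an illustrative policy, not a standard:

```python
"""Toy registry-based customer filter plus a reputation gate for BGP announcements.
Added example, not from the AusNOG post. All data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed IRR-style route objects as (prefix, origin AS). A real deployment
# would pull these from an IRR (for example with bgpq4) rather than hard-code them.
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/22", 64501),
    ("203.0.113.0/24", 64502),
]

# Constructed as-sets: the origin ASNs each customer is allowed to carry.
AS_SETS = {
    "AS-CUST64500": {64500},
    "AS-CUST64501": {64501, 64502},   # AS64501 has a downstream, AS64502
}


def build_prefix_list(as_set, max_len=24):
    """Expand an as-set into (network, max_len) entries, the way a generated
    prefix-list would look. Returns a list of (ipaddress network, int)."""
    origins = AS_SETS[as_set]
    return [(ipaddress.ip_network(p), max_len) for p, asn in ROUTE_OBJECTS if asn in origins]


def validate_announcement(as_set, prefix, as_path, max_len=24):
    """Check one announcement received on a customer session.

    Accept only if the origin AS (last hop of the path) is a member of the
    customer's as-set, the prefix is no more specific than max_len, and a
    route object with that same origin covers the prefix.
    Returns (accepted: bool, reason: str)."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if origin not in AS_SETS[as_set]:
        return False, f"origin AS{origin} is not a member of {as_set}"
    if net.prefixlen > max_len:
        return False, f"{prefix} is more specific than /{max_len}"
    for reg_prefix, reg_origin in ROUTE_OBJECTS:
        reg_net = ipaddress.ip_network(reg_prefix)
        # subnet_of() raises on mixed address families, so compare versions first
        if reg_origin == origin and net.version == reg_net.version and net.subnet_of(reg_net):
            return True, f"{prefix} covered by route object {reg_prefix} origin AS{reg_origin}"
    return False, f"no route object covers {prefix} with origin AS{origin}"


class ReputationGate:
    """The 'knob' from the post: gate routes on a neighbour's track record.

    score = 1 - (rejected announcements / total announcements), an illustrative
    rule. A neighbour that is not trusted and scores below the threshold gets a
    (prefix, origin) installed only after a trusted neighbour has announced the
    same pair. This is a constructed policy, not an RFC or vendor feature."""

    def __init__(self, trusted, threshold=0.9):
        self.trusted = set(trusted)
        self.threshold = threshold
        self.seen = defaultdict(set)            # (prefix, origin) -> neighbours announcing it
        self.total = defaultdict(int)
        self.bad = defaultdict(int)

    def record_outcome(self, neighbor, accepted):
        """Feed a filter result back into the neighbour's score."""
        self.total[neighbor] += 1
        if not accepted:
            self.bad[neighbor] += 1

    def score(self, neighbor):
        if self.total[neighbor] == 0:
            return 1.0                           # no history: not yet suspect
        return 1.0 - self.bad[neighbor] / self.total[neighbor]

    def accept(self, neighbor, prefix, origin):
        """Decide whether to use this neighbour's announcement of (prefix, origin)."""
        key = (prefix, origin)
        self.seen[key].add(neighbor)
        if neighbor in self.trusted or self.score(neighbor) >= self.threshold:
            return True
        # suspect neighbour: wait until someone we trust also carries the route
        return bool(self.seen[key] & self.trusted)


def demo():
    """Run the constructed scenario and return the decisions as a dict."""
    results = {}
    results["valid"] = validate_announcement("AS-CUST64500", "192.0.2.0/24", [64500])[0]
    results["too_specific"] = validate_announcement("AS-CUST64500", "192.0.2.0/25", [64500])[0]
    # AS64502 originating its upstream AS64501's space: as-set member, but no route object
    results["downstream_hijack"] = validate_announcement("AS-CUST64501", "198.51.100.0/24", [64501, 64502])[0]
    gate = ReputationGate(trusted={"AS64496"})
    gate.record_outcome("AS64499", False)       # AS64499 has leaked garbage before
    gate.record_outcome("AS64499", True)        # score 0.5, below threshold
    results["suspect_alone"] = gate.accept("AS64499", "192.0.2.0/24", 64500)
    gate.accept("AS64496", "192.0.2.0/24", 64500)
    results["suspect_corroborated"] = gate.accept("AS64499", "192.0.2.0/24", 64500)
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'accept' if decision else 'reject'}")
```

The validator rejects the downstream case even though AS64502 is a legitimate member of the customer's as-set, because no route object ties that origin to the announced prefix; that is exactly the class of accidental hijack a per-customer prefix-list built from the registry stops at the first hop. The gate is deliberately coarse: it never drops a route from a trusted neighbour, and a suspect neighbour's route simply waits for corroboration rather than being dampened.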

