[AusNOG] MANRS Project - Fixing the Internet's routing security is urgent and requires collaboration

Mark Smith markzzzsmith at gmail.com
Mon Feb 29 18:47:30 EST 2016


On 29 Feb 2016 6:28 PM, "Jeff Young" <young at jsyoung.net> wrote:
>>
>> From: "Roland Dobbins" <rdobbins at arbor.net>
>> Subject: Re: [AusNOG] MANRS Project - Fixing the Internet's routing
security is urgent and requires collaboration
>> Date: 29 February 2016 4:40:20 pm AEDT
>> To: "ausnog at ausnog.net" <ausnog at lists.ausnog.net>
>>
>>
>> On 29 Feb 2016, at 12:33, Mark Andrews wrote:
>>
>>> So 16 years is not enough time for them to do the right thing?
>>
>>
>> Ignorance and apathy are the key reasons we don't have near-universal
source-address validation.  I'm not apologizing for anyone - you know very
well that I advocate for implementing source-address validation, as you've
seen/heard me talk about it many times before.
>>
>> My point is that we're in the situation we're in, and not in some
idealized situation, and it's important to understand that we can't wave a
magic wand and make this happen overnight.  Access networks are the logical
places to implement source-address validation by default, as they're the
points in the network where it's least likely to cause operational problems
and where the requisite features are available on most major hardware
platforms.
>>
>> -----------------------------------
>> Roland Dobbins <rdobbins at arbor.net>
>>
>
> While it may have taken some time for the equipment to support
source-address-validation, at least from the statistics quoted, the
situation is getting better
> (more providers implementing checks).
>

RPF is basically an automated form of ingress source address ACLs, so
anything that can do those can enforce source address validation - which
would include going back at least as far back as AGS+.

I was working on an enterprise network that had edge source address ACLs in
1998. There really aren't many excuses for not implementing them - even
your switches might be able to do it if your routers can't.

> I wonder what could be said of the number of ISP’s using a registry to
validate their customer’s (not peers) routing announcements?  Ignorance and
apathy
> have played an even larger role in route-hijacks (intentional or
otherwise).  We’ve had the solution forever (validate your customer’s
announcements) but
> it would seem that few ISP’s implement it anymore.
>
> I haven’t yet read the MANRS docs (I will) but it would seem that a
system that ranks the accuracy of routing announcements per ISP based on
their method
> of accepting and propagating updates would be really useful.  If you run
a completely clean system, keep your customers from announcing garbage, you
get
> a good rating and everyone trusts your updates.  If your customers are
prone to announcing portions of the YouTube address space and you blithely
pass it to
> the world, not so much.
>
> All we’d need is a knob to turn based on that measure of accuracy…
Dampening is too big a stick, and to implement it in this way might be
catastrophic, number
> of prefixes to accept over time, smaller stick, maybe less consequences…
 correlation?
>
> If I think your routes are suspect perhaps I don’t accept an announcement
from you until I hear it from someplace else?  or from some ISP I trust?
>
> just a thought (after hearing people complain about route hijacks during
Apricot — took me way back)
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20160229/e0da8673/attachment.html>


More information about the AusNOG mailing list