[148681] in North American Network Operators' Group


Why not to use RPKI (Was Re: Argus: a hijacking alarm system)

daemon@ATHENA.MIT.EDU (Arturo Servin)
Fri Jan 20 07:09:40 2012

From: Arturo Servin <aservin@lacnic.net>
In-Reply-To: <CA+rW-LBQRuNtm5qOHCn9xe25OnvJdtj+RdcXjPz1Mk-UM+K7bg@mail.gmail.com>
Date: Fri, 20 Jan 2012 10:08:17 -0200
To: Yang Xiang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Cc: nanog@nanog.org


	You could use RPKI and origin validation as well.

	We have an application that does that.

	http://www.labs.lacnic.net/rpkitools/looking_glass/

	For example you can periodically check if your prefix is valid:

	http://www.labs.lacnic.net/rpkitools/looking_glass/rest/valid/cidr/200.7.84.0/23/

	If it were invalid for a possible hijack it would look like:

	http://www.labs.lacnic.net/rpkitools/looking_glass/rest/invalid/cidr/200.31.18.0/24/

	Or you can just query for any state:

	http://www.labs.lacnic.net/rpkitools/looking_glass/rest/all/cidr/200.31.12.0/22/



Regards,
as

On 20 Jan 2012, at 07:47, Yang Xiang wrote:

> Hi,
>
> I built a system, ‘Argus’, to alert on prefix hijackings in real time.
> Argus monitors the Internet and discovers anomalous BGP updates which are
> caused by prefix hijacking.
> When Argus discovers a potential prefix hijacking, it will advertise it in
> a very short time,
> both on our website (http://argus.csnet1.cs.tsinghua.edu.cn) and the
> mailing list (argus@csnet1.cs.tsinghua.edu.cn).
>
> Argus has been running in the Internet for more than eight months,
> it usually can discover potential prefix hijackings in ten seconds after
> the first anomalous BGP update is announced.
> Several hijacking alarms have been confirmed by network operators.
> For example: http://argus.csnet1.cs.tsinghua.edu.cn/fingerprints/61544/ has
> been confirmed by the network operators of AS23910 and AS4538,
> it was a prefix hijacking caused by a mis-configuration of a route filter.
>
> If you are interested in BGP security, welcome to visit our website and
> subscribe to the mailing list.
> If you are interested in the system itself, you can find our paper, which was
> published in ICNP 2011 (FIST workshop):
> http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=6089080.
>
> Hope Argus will be useful for you.
> _________________________________
> Yang Xiang . about.me/xiangyang
> Ph.D candidate. Tsinghua University
> Argus: argus.csnet1.cs.tsinghua.edu.cn
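
The periodic valid/invalid check described in the reply above can also be run locally against ROA data. This is an added example, not part of the original message or of the LACNIC tool; it classifies announcements with the RFC 6811 origin-validation rules. The ROA entries, prefixes and AS numbers are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed ROA payloads (prefix, maxLength, origin AS); documentation ranges only.
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("2001:db8::/32", 48, 64497),
]

def validate_origin(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' per the RFC 6811 procedure."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        net = ipaddress.ip_network(vrp_prefix)
        # A ROA covers the route when the route equals or sits inside its prefix.
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        # AS0 in a ROA never matches; the route must not exceed maxLength.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def find_invalid(announcements, vrps=VRPS):
    """Reduce observed (prefix, origin AS) pairs to those worth an alert."""
    return [(p, a) for p, a in announcements
            if validate_origin(p, a, vrps) == "invalid"]

# Constructed observations, as a monitor might collect from a BGP feed.
OBSERVED = [
    ("192.0.2.0/24", 64496),     # matches the ROA
    ("192.0.2.0/24", 64511),     # covered, different origin AS
    ("192.0.2.128/25", 64496),   # right origin, longer than maxLength
    ("2001:db8:1::/48", 64497),  # within maxLength
    ("203.0.113.0/24", 64500),   # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in OBSERVED:
        print(prefix, f"AS{asn}", validate_origin(prefix, asn))
    print("alert on:", find_invalid(OBSERVED))
```

An "invalid" result covers both an unexpected origin AS and a more-specific announcement beyond maxLength, so an alert should report which of the two applied before anyone treats it as a hijack.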

