[174248] in North American Network Operators' Group
Re: Prefix hijacking, how to prevent and fix currently
daemon@ATHENA.MIT.EDU (Saku Ytti)
Tue Sep 2 02:36:54 2014
X-Original-To: nanog@nanog.org
Date: Tue, 2 Sep 2014 09:36:40 +0300
From: Saku Ytti <saku@ytti.fi>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <1a936788ac1741a89e0cc1a2222a2c8d@BN1PR09MB0274.namprd09.prod.outlook.com>
Errors-To: nanog-bounces@nanog.org
On (2014-09-01 21:34 +0000), Sriram, Kotikalapudi wrote:
Hi Sriram,
Please help me understand the argument.
> Some Org. D can maliciously announce a subprefix under Org. C's prefix,
> and get away with it due to the 'Loose' mode.
So C is advertising valid 192.0.2.0/24
Is D advertising valid 192.0.2.0/23?
This is unfixable problem? If D is advertising invalid or unknown, C would
still work and win, as longest prefix match is done first to the 'valid'
population, if search is found, other populations are not searched.
> I think, 'Loose mode', if used at all, should not be used beyond a short grace period.
We need to be pragmatic and ready to compromise. Right now deploying RPKI puts
you in competitive disadvantage, loose mode would remove the business risk and
make it easier to justify deployment.
--
++ytti
