[194893] in North American Network Operators' Group


Re: IPv4 Hijacking For Idiots

daemon@ATHENA.MIT.EDU (Mark Andrews)
Tue Jun 6 21:15:06 2017

X-Original-To: nanog@nanog.org
To: Christopher Morrow <morrowc.lists@gmail.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Tue, 06 Jun 2017 20:52:44 -0400."
 <CAL9jLaZNRdE0gL4nVn93vhv1BOBtx0EKgJet8pVXa3Mve1Gy_Q@mail.gmail.com>
Date: Wed, 07 Jun 2017 11:13:41 +1000
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


In message <CAL9jLaZNRdE0gL4nVn93vhv1BOBtx0EKgJet8pVXa3Mve1Gy_Q@mail.gmail.com>, Christopher Morrow writes:
>
> On Tue, Jun 6, 2017 at 8:26 PM, Mark Andrews <marka@isc.org> wrote:
>
> > Now we could continue discussing how easy it is to hijack addresses
> > or we could spend the time addressing the problem.  All it takes is
> > a couple of transit providers to no longer accept word-of-mouth and
> > the world will transition overnight.
>
> I don't think any transit providers were used in the previous thread worth
> of examples/comms...
> I don't know that IXP folk either:
>   1) want to be the police of this
>   2) should actually be the police of this (what is internet abuse? from
> whose perspective? oh...)
>
> The 'solution' here isn't new though... well, one solution anyway:
>   https://tools.ietf.org/html/rfc6810

You missed the point.  We have the mechanisms to prevent hijacking
today.  We just need to use them and stop using the traditional
mechanisms which cannot be mathematically verified as correct.

Getting to that stage requires several companies to simultaneously
say "we will no longer accept <list> as valid mechanisms to verify
route announcements.  You need to use X or else we won't accept
the announcement".  Yes, this requires guts to do.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
