[90633] in North American Network Operators' Group


Re: a fun hijack: 1/8, 2/8, 3/8, 4/8, 5/8, 7/8, 8/8, 12/8 briefly

daemon@ATHENA.MIT.EDU (Jeroen Massar)
Thu Jun 8 05:06:32 2006

From: Jeroen Massar <jeroen@unfix.org>
To: Josh Karlin <karlinjf@cs.unm.edu>
Cc: nanog@nanog.org
In-Reply-To: <71051fe20606071101w5a07aceel7068b34087d07a97@mail.gmail.com>
Date: Thu, 08 Jun 2006 11:05:55 +0200
Errors-To: owner-nanog@merit.edu



On Wed, 2006-06-07 at 11:01 -0700, Josh Karlin wrote:
> Check out the IAR for "Potential Prefix Hijacks" and if you're coming
> to this more than 24 hours after the post, do a search on AS 23520 as
> the hijacking AS.
>
> I don't know how long the routes were announced, but they seem to be
> gone now.  Or maybe the IAR is horribly broken, in which case I will
> be lynched :)

You are the broken part, due to the mere simple fact that you accept
those routes. That your uplinks are accepting them also means that you
are not paying them enough so that they don't accept them either.

But in ARIN land you have an excuse, more or less, as there is not a
real 'good' routing database. In RIPE land we at least have route+route6
objects in the RIPE database where one can filter on, but that is only
for RIPE. A sane and complete routing information database would already
considerably help here. RADB is nice but does not help much to make the
info complete. Also anybody can then still announce the prefix with the
correct source ASN and other nasty tricks.

In the end, the complete solution to most of these issues will be in the
form of S-BGP (http://www.ir.bbn.com/sbgp/) and similar solutions.

And the IETF is fortunately working on this:
http://www.ietf.org/html.charters/sidr-charter.html
It might take some time still, but it will come one day and then these
issues are gone.

At the moment you'll just have to trust your peers and try to get them
to implement a sane policy on what kind of announcements they accept or
not.

Greets,
 Jeroen
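
The route/route6 filtering described in the message above, sketched as an added example that is not part of the original post: announcements are checked against (prefix, origin) pairs of the kind a routing registry holds. The registry contents, the documentation prefixes and ASNs, and the function names are constructed for illustration; only the 1/8 prefix and AS 23520 come from the thread.

```python
import ipaddress

# Constructed route/route6 data: (prefix, origin ASN) pairs using
# documentation prefixes and ASNs, not real registry contents.
ROUTE_OBJECTS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("2001:db8::/32", 64502),
]

def build_index(objects):
    """Map each registered network to the set of origins allowed for it."""
    index = {}
    for prefix, origin in objects:
        index.setdefault(ipaddress.ip_network(prefix), set()).add(origin)
    return index

def classify(index, prefix, as_path):
    """Check one announcement against the route objects.

    Returns 'accept', 'wrong-origin', 'more-specific' or 'unregistered'.
    The origin is the last ASN in the path.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if net in index:
        return "accept" if origin in index[net] else "wrong-origin"
    for registered in index:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if registered.version == net.version and net.subnet_of(registered):
            return "more-specific"
    return "unregistered"

def filter_updates(index, updates):
    """Split updates into (accepted, rejected), each entry carrying its verdict."""
    accepted, rejected = [], []
    for prefix, path in updates:
        verdict = classify(index, prefix, path)
        (accepted if verdict == "accept" else rejected).append((prefix, path, verdict))
    return accepted, rejected

if __name__ == "__main__":
    idx = build_index(ROUTE_OBJECTS)
    # Constructed updates; 1.0.0.0/8 from AS 23520 mirrors the thread's subject.
    updates = [("192.0.2.0/24", [64510, 64500]), ("198.51.100.0/24", [64510, 64502]),
               ("192.0.2.128/25", [64510, 64500]), ("1.0.0.0/8", [64510, 23520])]
    for prefix, path, verdict in sum(filter_updates(idx, updates), []):
        print(f"{prefix:18} origin AS{path[-1]:<6} {verdict}")
```

The check looks only at the prefix and the origin ASN, so it says nothing about the rest of the AS path, which is the limitation the message raises and the reason it points to S-BGP.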

