Mike,

>As our canned Email stated, AS2 (and many low digit AS') get hijacked and
>often go on to hijack someone's prefix. AS2 (proper) is rarely changed and
>the chances of an actual prefix hijack from it is extremely low.
>
>So as I've asked our peers, I'll ask here: What is expected of us to be good
>"Net Citizens" with these hijacks?

Thoughts on AS hijack prevention:

With RPKI-based route origin validation (ROV), it turns out that an incremental solution for prefix hijacking is also an incremental solution for AS hijacking. For example -- assuming Invalid routes will be dropped -- if 70% of the announced prefixes are protected by ROAs, then those 70% prefixes cannot be hijacked with a hijacked AS. (Note: An exception to this is -- a deliberate hijacker can still perform what is called forged-origin hijack [1], i.e., the attacker matches the hijacked prefix with a hijacked AS such that they both belong to the same ROA.)

So, the community should keep pushing ahead with ROA and RPKI-based ROV deployments to achieve 100% ROA coverage for announced prefixes and also 100% dropping of Invalid.

The above can also be said about “trusted” IRR-based (or IRR+RPKI based) ROV [1]. However, priority should be given to speed up the RPKI/ROA deployment towards full adoption.

FYI... Worldwide ROA coverage is currently at 20% for globally routed prefixes.
https://rpki-monitor.antd.nist.gov/

Security guidance regarding route objects in IRR, ROAs in RPKI, and ROV deployment can be found here:

[1] “Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation,” NIST Special Publication, NIST SP 800-189, December 2019.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-189.pdf

Also, look up:

[2] MANRS: https://www.manrs.org/

Thank you.

Regards,
Sriram
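The ROV outcomes described in the message above, as an added example that is not part of the original email: a minimal origin-validation check in the style of RFC 6811, run over constructed announcements. The ROA table, the documentation prefixes and the private-use AS numbers (64500, 64501) are assumptions made for illustration; AS 2 stands in for the hijacked AS from the thread.

```python
import ipaddress

# Constructed sample ROAs, not real RPKI data: (prefix, maxLength, authorized origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def validate(prefix, origin_as, roas=ROAS):
    """Return the origin-validation state of (prefix, origin AS): Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route only if the route is equal to or more specific than it.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the same origin AS and a length within maxLength; AS 0 never matches.
        if roa_as != 0 and origin_as == roa_as and route.prefixlen <= max_len:
            return "Valid"
    return "Invalid" if covered else "NotFound"

def accepted(announcements, roas=ROAS):
    """Apply a 'drop Invalid' policy and return what remains, with its state."""
    results = [(p, a, validate(p, a, roas)) for p, a in announcements]
    return [r for r in results if r[2] != "Invalid"]

# Constructed announcements: (prefix, origin AS as seen at the end of the AS path)
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),    # authorized origin for a ROA-covered prefix
    ("192.0.2.0/24", 2),        # hijacked AS 2 originating a ROA-covered prefix
    ("192.0.2.0/25", 2),        # same, with a more specific prefix
    ("2001:db8:1::/48", 64501), # within maxLength of the IPv6 ROA
    ("2001:db8:1::/56", 64501), # right origin, but longer than maxLength
    ("203.0.113.0/24", 2),      # prefix with no ROA: ROV has nothing to check against
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {validate(prefix, asn)}")
    # ROV sees only (prefix, origin AS). An announcement carrying the ROA's own AS as
    # origin validates as Valid no matter who sent it, which is why the forged-origin
    # case noted in the message is outside what ROV alone can detect.
```

The NotFound row is the uncovered share of prefixes: dropping Invalid protects only what has a ROA, which is the argument for full ROA coverage made in the message.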