Bill said,

> > Is this seen as route table pollution, or a necessary evil in today's
> > world?
>
> Pollution. And it won't save you from a hijack either, since your
> adversary's /24 routes will compete and win for at least part of the
> Internet.

I agree, of course, that moving to announce every /24 would pollute the net. Note that if you use ROAs, you'll also have to make corresponding /24 ROAs, and I don't know if this won't have a problematic impact also on the RPKI infrastructure. Not good.

But:

- Assuming the /24 will have a proper ROA, and ROV is reasonably deployed, this _would_ protect most of the traffic sent to the /24 from a hijacker announcing the /24 (and even more if the hijack is of a shorter prefix, of course).
- As long as ROV isn't _very_ widely deployed, it would often fail to protect against the hijack without such a measure (competing /24), so this will remain necessary (if you wish to prevent hijack).

We've done some relevant simulations, as well as proposed a simple extension to ROV, called ROV++, which protects against such sub-prefix hijacks without requiring a competing /24 announcement, and is effective already with modest adoption (of ROV++) by BGP routers. (Should also be assisted by mixed ROV / ROV++ adoption, but we didn't do these simulations yet.) See at:

https://www.ndss-symposium.org/ndss-paper/rov-improved-deployable-defense-against-bgp-hijacking/

tl;dr: ROV++ routers would blackhole subprefix traffic rather than send it on a route which would be hijacked (i.e., if the route is to a neighbor AS that announced the legit prefix _and_ the hijacked subprefix). Simple. [And no, I'm not happy with the resulting disconnections, but it's better than a hijack imho.]

best, Amir

--
Amir Herzberg
Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
Homepage: https://sites.google.com/site/amirherzberg/home
`Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/applied-crypto-textbook

On Mon, Aug 9, 2021 at 12:10 PM William Herrin <b...@herrin.us> wrote:

> On Mon, Aug 9, 2021 at 8:48 AM Billy Croan <bcr...@unrealservers.net> wrote:
> > How does the community feel about using /24 originations in BGP as a
> > tactical advantage against potential bgp hijackers?
> > How many routers out there today would be affected if everyone did this?
>
> Hi Billy,
>
> I did some math on this years ago and it worked out to about 8.5
> million IPv4 routes. That's 10 times the current table size, more than
> any big-iron router can handle today. If everybody did it, it'd crash
> the Internet.
>
> > Is this seen as route table pollution, or a necessary evil in today's
> > world?
>
> Pollution. And it won't save you from a hijack either, since your
> adversary's /24 routes will compete and win for at least part of the
> Internet.
>
> > Are there any big networks that drop or penalize announcements like this?
>
> Not in an automated way. Which is bad news for you if you do this
> because it means getting folks to -undo- the restrictions they
> manually enforce on your specific address space is nearly impossible.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
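As an added illustration of the tl;dr rule in Amir's message (example code written for this page, not code from the thread or from the ROV++ paper), here is a toy model of one router: plain ROV drops the invalid /24 but still forwards that traffic along its /23 route, and if that route points at the neighbor which also relayed the hijacked /24, the traffic reaches the hijacker; the ROV++ rule installs a blackhole for the subprefix instead. The ROA, AS numbers, neighbor names and the shortest-AS-path tie-break are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # as_path[-1] is the origin AS
    neighbor: str    # neighbor this router heard the route from

def rov_state(ann, roas):
    """Classic ROV (RFC 6811): roas are (prefix, max_len, origin_as) tuples."""
    net = ipaddress.ip_network(ann.prefix)
    covered = False
    for roa_prefix, max_len, origin_as in roas:
        if net.subnet_of(ipaddress.ip_network(roa_prefix)):
            covered = True
            if origin_as == ann.as_path[-1] and net.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "unknown"

def rov_plus_plus(announcements, roas):
    """Return (rib, blackholes). rib: prefix -> neighbor chosen by plain ROV (invalid
    routes dropped, shortest AS path wins). blackholes: invalid subprefixes whose
    covering route points at the very neighbor that relayed the hijack."""
    best, invalid = {}, []
    for ann in announcements:
        if rov_state(ann, roas) == "invalid":
            invalid.append(ann)
        elif ann.prefix not in best or len(ann.as_path) < len(best[ann.prefix].as_path):
            best[ann.prefix] = ann
    blackholes = set()
    for bad in invalid:
        sub = ipaddress.ip_network(bad.prefix)
        for prefix, chosen in best.items():
            covering = ipaddress.ip_network(prefix)
            if sub != covering and sub.subnet_of(covering) and chosen.neighbor == bad.neighbor:
                blackholes.add(bad.prefix)  # ROV++: discard rather than forward to the hijacker
    return {p: a.neighbor for p, a in best.items()}, blackholes

# Constructed scenario: AS64500 originates 198.51.100.0/23 with a matching ROA;
# AS64666 hijacks 198.51.100.0/24. Neighbor "A" runs no ROV and relays both
# announcements; neighbor "B" relays only the /23 over a longer path.
ROAS = [("198.51.100.0/23", 23, 64500)]
ANNS = [
    Announcement("198.51.100.0/23", (64510, 64500), "A"),
    Announcement("198.51.100.0/24", (64510, 64666), "A"),
    Announcement("198.51.100.0/23", (64520, 64530, 64500), "B"),
]
RIB, BLACKHOLES = rov_plus_plus(ANNS, ROAS)
print(RIB, BLACKHOLES)  # plain ROV keeps only the /23 via A; ROV++ also blackholes the /24
```

With only plain ROV, the router in this scenario would silently send all 198.51.100.0/24 traffic to A, which holds the hijacker's more-specific route.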