At 05:31 AM 25-02-08 +, Steven M. Bellovin wrote:
Seriously -- a number of us have been warning that this could happen.
More precisely, we've been warning that this could happen *again*; we
all know about many older incidents, from the barely noticed to the very
noisy. (AS 7007, anyone?)
On Mon, 25 Feb 2008 01:49:51 -0500 (EST)
Sean Donelan <[EMAIL PROTECTED]> wrote:
>
> On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
> > How about state-of-the-art routing security?
>
> The problem is what is the actual trust model?
>
> Are you trusting some authority to not be malicious or nev
On Feb 25, 2008, at 2:27 AM, Hank Nussbacher wrote:
At 07:15 PM 24-02-08 -0500, Randy Epstein wrote:
More importantly, why is PCCW not prefix filtering their downstreams?
Why?
- Lack of clue
- Couldn't care less
- No revenue
Take your pick - or add your own reason. PCCW is not alone. The
On Feb 25, 2008, at 2:32 AM, Hank Nussbacher wrote:
At 05:31 AM 25-02-08 +, Steven M. Bellovin wrote:
Seriously -- a number of us have been warning that this could happen.
More precisely, we've been warning that this could happen *again*; we
all know about many older incidents, from the ba
On Sun, 24 Feb 2008, Sargun Dhillon wrote:
> I don't know how large Pakistani Telecom is, but I bet it's not large
> enough that PCCW should be allowing it to advertise anything.
I think you're failing to take into account how multihoming generally
works. The real fallacy here is that PCCW/BTN
having built an ISP or two in Pakistan, PTCL (Pakistan Telecom) is not the
sole provider of bandwidth to the country, although it likely carries the
bulk of traffic to the country.
operationally, there are a number of jurisdictions which filter content
and connectivity on a variety of basis.
ad
Interesting that (according to Renesys) BT reconnected about 500 networks in
Pakistan after the big fibre cut. I wonder if there's any data around that
would tell us who filters and who doesn't?
On Mon, Feb 25, 2008 at 9:02 AM, Jim Mercer <[EMAIL PROTECTED]> wrote:
>
>
> having built an ISP or tw
On Mon, Feb 25, 2008 at 09:13:23AM +, Alexander Harrowell wrote:
> Interesting that (according to Renesys) BT reconnected about 500 networks in
> Pakistan after the big fibre cut. I wonder if there's any data around that
> would tell us who filters and who doesn't?
based on my experience of r
"Patrick W. Gilmore" <[EMAIL PROTECTED]> wrote
> On Feb 25, 2008, at 2:27 AM, Hank Nussbacher wrote:
> > At 07:15 PM 24-02-08 -0500, Randy Epstein wrote:
> >
> >> More importantly, why is PCCW not prefix filtering their downstreams?
> >
> > Why?
> >
> > - Lack of clue
> > - Couldn't care less
> >
On 25 feb 2008, at 9:14, Paul Wall wrote:
I don't know how large Pakistani Telecom is, but I bet it's not large
enough that PCCW should be allowing it to advertise anything.
I think you're failing to take into account how multihoming generally
works. The real fallacy here is that PCCW/B
As a follow up to the presentations introducing the peering survey at
NANOG and APRICOT, we'd like to announce it to the NANOG mailing list in
order to get as many people as possible to participate.
What is it?
- New survey on how people configure peering!
- Featuring technical questions on what
> This candidate list of requirements is for route sources that
> North American Operators should trust to propagate long
> prefix routes, nothing more, nothing less.
All operators already have some kind of criteria which they use
to decide whether or not to trust a particular source of route
[EMAIL PROTECTED] wrote:
[..]
Pushing this task off to a server that does not have packet-forwarding
duties also allows for flexible interfaces to network management
systems including the possibility of asking for human confirmation
before announcing a new route.
There is no (direct) requiremen
> Right. Everyone makes mistakes, but not everyone is malicious. And
> the RIRs and the big ISPs are *generally* more clueful than
> the little guys and the newcomers. Note also that secured
> BGP limits the kinds of mistakes people can make. If I have
> a certificate from my RIR for 192
On Mon, Feb 25, 2008 at 10:12:47AM -, [EMAIL PROTECTED] wrote:
> In case you hadn't noticed, there is no North American law enforcement
> agency and no North American courts and no North American laws outside
> of NAFTA. So I'm not sure what you are getting at here. Do you want
> to reopen NAF
> the laws of Canada, Mexico and the US are still largely
> separate, and the laws of one do not necessarily follow in another.
Not to mention other North American countries such as France(1),
Bermuda, Cuba, Haiti, etc., etc.
--Michael Dillon
(1) The islands of St. Pierre and Miquelon, Martini
On Sun, Feb 24, 2008 at 10:49 PM, Sean Donelan <[EMAIL PROTECTED]> wrote:
>
> On Mon, 25 Feb 2008, Steven M. Bellovin wrote:
> > How about state-of-the-art routing security?
>
> The problem is what is the actual trust model?
>
> Are you trusting some authority to not be malicious or never make
At 06:17 PM 25-02-08 +0900, Matsuzaki Yoshinobu wrote:
> All good, er, bad reasons. Fixing the "filter your downstreams"
> problem is very important. It would also solve 90-something percent
> of the problems mentioned in this thread. E.g. as7007. :)
I am in the APRICOT meeting in Taipei n
At 03:14 AM 25-02-08 -0500, Paul Wall wrote:
Results were planned to be presented at the next NANOG, but they
shouldn't be a surprise to anyone in the industry: nobody filters.
Incorrect. Some do filter and do it well. Problem is that it is in
general a minority - many of which can be foun
Changed the subject line a little...
On Mon, 25 Feb 2008, Hank Nussbacher wrote:
At 03:14 AM 25-02-08 -0500, Paul Wall wrote:
Results were planned to be presented at the next NANOG, but they
shouldn't be a surprise to anyone in the industry: nobody filters.
Incorrect. Some do filter and do
On Mon, 25 Feb 2008, Hank Nussbacher wrote:
For us who actually have customers we care about, we probably find it
better for business to try to make sure our own customers can't announce
prefixes they don't own, but accept basically anything from the world that
isn't ours.
You are a distinc
Christopher Morrow wrote:
On Sun, Feb 24, 2008 at 8:42 PM, Patrick W. Gilmore <[EMAIL PROTECTED]> wrote:
except that even the 'good guys' make mistakes. Belt + suspenders
please... is it really that hard for a network service provider to
have a prefix-list on their customer bgp sessions?? L3 doe
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Steven M. Bellovin
> How about state-of-the-art routing security?
>
> Seriously -- a number of us have been warning that this could happen.
> More precisely, we've been warning that this could happ
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings,
Late last night, after poring through our data, I posted a detailed
chronology of the hijack as seen from our many peering sessions. I
would add to this that the speed of YouTube's response to this
subprefix hijack impressed me.
As di
y'all,
On Mon, Feb 25, 2008 at 06:49:35AM -0800, Barry Greene (bgreene) wrote:
> > Seriously -- a number of us have been warning that this could happen.
> > More precisely, we've been warning that this could happen
> > *again*; we all know about many older incidents, from the
> > barely notice
On Feb 25, 2008, at 02:42, Patrick W. Gilmore wrote:
On Feb 24, 2008, at 7:36 PM, Tomas L. Byrnes wrote:
1: Hosted at a Tier 1 provider.
That is a silly requirement.
(I am sorry, I tried hard to find a nicer way to say this, but I
really feel strongly about this.)
2: Within a jurisd
>If someone comes up with the anti-mistake routing protocol ...
We could try to invent more idiot proof protocols, but the more
control (and centralization), the more it will be "a kind of
Internet". Not sure the founding principles and factors that made the
Internet successful would resist
On Mon, Feb 25, 2008 at 09:28:47AM -0500, Jon Lewis wrote:
> I've only dealt with a handful of the bigger networks, but every transit
> BGP session I've ever been the customer role on has been filtered by the
> provider. From memory and in no particular order, that's UUNet, Level3,
> Digex, In
> I've only dealt with a handful of the bigger networks, but every transit
> BGP session I've ever been the customer role on has been filtered by the
> provider. From memory and in no particular order, that's UUNet, Level3,
> Digex, Intermedia, Global Crossing, Genuity, Sprint, Above.net, Time
DO NOT sign up at that site until the site admin fixes a major issue - I
thought it looked interesting but now I'm in an embarrassing situation.
I signed up like anyone would do and the moment I validated my email
address, postings started to show up under my account that are weeks old
- these pos
The site admin got back to me right away. I jumped the gun slightly.
Anyways, a spammer had signed into that site previously with the same
username and posted lots of crap - when I signed up, those posts came
back online, hence my panic.
Should be fine now - interesting site ;)
Paul
---
This is a very interesting site. However, I notice that, in the "all in
the last 24 hours" it doesn't show the YouTube hijack. It does have a
lot of entries for 17557, most recently on 2/17.
How reliable is this system?
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PRO
Tomas:
It's primarily a proof of concept site, to show that such an idea would be
useful, but it has been running for over a year now and discovered many
interesting hijacks (such as eBay/google/etc..).
You're right that there is a glaring omission, which is yesterday's youtube
hijack. This is
On Feb 25, 2008, at 6:08 AM, Pekka Savola wrote:
In a lot of this dialogue, many say, "you should prefix filter".
However, I'm not seeing how an ISP could easily adopt such filtering.
So, this is no excuse for not doing prefix filtering if you only do
business in the RIPE region, but anyw
On Mon, 25 Feb 2008, Danny McPherson wrote:
(Yeah, we prefix filter all our customers. Our IPv6 peers are also prefix
filtered, based on RIPE IRR data (with one exception). IPv4 peers'
advertisements seem to be too big a mess, and too long filters, to fix this
way.)
Do you explicitly filte
A bit of administrativia:
This thread generated over a hundred posts, many without operational
relevance or by people who do not understand how operators, well, operate,
or by people who really don't have any idea what's going on but feel like
posting.
I'd like to briefly summarize the impor
On Feb 25, 2008, at 12:51 PM, Alex Pilosov wrote:
** Nobody brought up the important point - the BGP announcement filtering
is only as secure as the weakest link. No [few?] peers or transits are
filtering "large" ISPs (ones announcing few hundred routes and up). There
are a great many of
On Mon, 25 Feb 2008, Danny McPherson wrote:
> > ** Paul Wall brought up the fact that even obviously bogus routes (1/8
> > and 100/7) were accepted by 99% of internet during an experiment.
>
> I'm not sure why this would surprise anyone.
To me and you, it's not surprising. To public, it might be
> Our own or our singlehomed customers' address space -- we would reject
> such an advertisement. The same inbound consistency check applies to
> peers and upstreams/transits.
>
> If it's someone else's or a more specific or the same prefix as our
> multihomed customers -- we accept it. The
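The "prefix-list on your customer BGP sessions" point raised by Christopher Morrow, the IRR-based customer filtering Pekka Savola describes, and the inbound consistency check in the message just above (reject our own and single-homed customers' space from peers and transits, accept everything else), written out as an added example that is not part of the thread or any poster's code. It builds a per-customer prefix-list from constructed IRR-style route objects (RPSL syntax; the objects, prefixes and AS numbers are made up for the example, using RFC 5737 prefixes, the RFC 2544 benchmarking range and RFC 5398 documentation ASNs) and then runs constructed announcements through it. The "le 24" more-specific limit and the knowledge of which customers are single-homed are assumptions an operator would supply, not anything the thread states.

```python
import ipaddress
import re

# Constructed IRR-style route objects (RPSL syntax; the objects themselves are
# made up for this example: RFC 5737 / RFC 2544 prefixes, RFC 5398 ASNs).
IRR_DUMP = """\
route:  192.0.2.0/24
origin: AS64496
descr:  single-homed customer A (constructed)

route:  198.51.100.0/22
origin: AS64497
descr:  multihomed customer B (constructed)

route:  203.0.113.0/24
origin: AS64500
descr:  our own address space (constructed)

route:  198.18.0.0/15
origin: AS64511
descr:  some unrelated network (constructed)
"""


def parse_route_objects(text):
    """Map origin ASN -> list of registered networks from RPSL route objects."""
    registered = {}
    for obj in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(re.findall(r"^(\w+):\s*(\S.*?)\s*$", obj, re.M))
        if "route" in attrs and "origin" in attrs:
            asn = int(re.sub(r"^AS", "", attrs["origin"], flags=re.I))
            registered.setdefault(asn, []).append(ipaddress.ip_network(attrs["route"]))
    return registered


def build_customer_filter(customer_asn, registered, max_len=24):
    """Prefix-list for one customer session: only that customer's registered
    routes, with more-specifics allowed down to max_len. The /24 cut-off is an
    assumed operator convention, i.e. 'permit 198.51.100.0/22 le 24'."""
    return [(net, max_len) for net in registered.get(customer_asn, [])]


def permitted(prefix, entries):
    """'permit NET le MAX' semantics: inside NET and no longer than MAX."""
    return any(prefix.subnet_of(net) and prefix.prefixlen <= max_len
               for net, max_len in entries)


def evaluate(prefix, session_kind, neighbor_asn, policy):
    """Accept or reject one inbound announcement; returns (accepted, reason).

    session_kind is 'customer', 'peer' or 'transit'. policy carries
    'customer_filters' {asn: entries}, 'our_space' [networks] and
    'single_homed' {asn: [networks reachable only through us]}."""
    if session_kind == "customer":
        if permitted(prefix, policy["customer_filters"].get(neighbor_asn, [])):
            return True, "in customer prefix-list"
        return False, "not in customer prefix-list"
    # Peer/transit sessions: the inbound consistency check. Our own space and
    # single-homed customers' space, more-specifics included, must never
    # arrive from outside; anything else is accepted as-is.
    if any(prefix.subnet_of(net) for net in policy["our_space"]):
        return False, "covers our own space"
    for asn, nets in policy["single_homed"].items():
        if any(prefix.subnet_of(net) for net in nets):
            return False, "covers single-homed customer AS%d space" % asn
    return True, "not ours; accepted"


def build_policy(irr_text=IRR_DUMP):
    registered = parse_route_objects(irr_text)
    return {
        "customer_filters": {asn: build_customer_filter(asn, registered)
                             for asn in (64496, 64497)},
        "our_space": registered[64500],
        # Which customers are single-homed is operator knowledge, not IRR data;
        # here customer A is assumed single-homed and customer B multihomed.
        "single_homed": {64496: registered[64496]},
    }


def run_examples(policy=None):
    """Constructed announcements run through the policy: {label: (accepted, reason)}."""
    policy = policy or build_policy()
    net = ipaddress.ip_network
    cases = [
        ("cust A announces own /24",           net("192.0.2.0/24"),    "customer", 64496),
        ("cust A announces unrelated /24",     net("198.18.0.0/24"),   "customer", 64496),
        ("cust B announces /25 more-specific", net("198.51.100.0/25"), "customer", 64497),
        ("cust B announces /24 more-specific", net("198.51.100.0/24"), "customer", 64497),
        ("peer announces our own /24",         net("203.0.113.0/24"),  "peer", 64511),
        ("peer announces single-homed A /24",  net("192.0.2.0/24"),    "peer", 64511),
        ("peer announces multihomed B /24",    net("198.51.100.0/24"), "peer", 64511),
        ("peer announces unrelated /24",       net("198.18.0.0/24"),   "peer", 64511),
    ]
    return {label: evaluate(p, kind, asn, policy) for label, p, kind, asn in cases}


if __name__ == "__main__":
    for label, (ok, why) in run_examples().items():
        print("%-36s %s (%s)" % (label, "ACCEPT" if ok else "REJECT", why))
```

The two halves match what the thread describes: the customer-side prefix-list is the "belt" (a customer cannot announce space it has not registered, nor a more-specific past the assumed /24 limit), and the peer-side consistency check is the "suspenders" for the space we are responsible for. The check deliberately accepts a more-specific of multihomed customer B from a peer, since that may be B's other provider; as the thread notes, whether to prefer it over the direct customer path is a separate decision.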
On Feb 25, 2008, at 1:22 PM, Alex Pilosov wrote:
Well, in this case, they *aren't* filtering! (unless I am misunderstanding
what you are saying, due to repeated use of 'their').
What I'm saying is that best case today ISPs police routes
advertised by their customers, yet they accept routes
I'd hear to see who does it, and get them to present the "operational
lessons" at the next nanog!
On second thought, I guess one thing has changed considerably
since 15 years ago. Rather than ~5000 monkeys with keyboard
access to manipulate global routing tables, there are likely well
North o
On Mon, 25 Feb 2008 15:29:01 EST, Randy Epstein said:
> > Our own or our singlehomed customers' address space -- we would reject
^^^
> > such an advertisement. The same inbound consistency check applies to
> > peers and upstreams/transits.
> What do you do when one of y
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> There have been two or three panels on this exact topic in
> the past, you can find them in the index of talks.
> Unfortunately, the problem hasn't changed at all. Perhaps we
> could just replay those video streams :-)
My $.02 - http://www
>Is there some way of deploying a solution like Secure BGP without
>actually requiring that it go into the routers?
The IETF SIDR wg (shameless plug as I'm wg co-chair) is working on
a way to say with strong assurance who holds what prefixes, and
therefore who can authorize the origination of wha
Valdis wrote:
> He explicitly said "single-homed". Of course, multi-homed requires
> different handling, because you may hear their other home announce them
> (although again, you probably shouldn't listen to *THAT* announcement
> either if *your* link to them is up). And I posit that if you do
On Mon, Feb 25, 2008, Alex Pilosov wrote:
>
> A bit of administrativia:
>
> This thread generated over a hundred posts, many without operational
> relevance or by people who do not understand how operators, well, operate,
> or by people who really don't have any idea what's going on but feel l
On Mon, Feb 25, 2008 at 2:32 AM, Hank Nussbacher <[EMAIL PROTECTED]> wrote:
> "we've been warning that this could happen *again*" - this is happening
> every day - just look to:
> http://cs.unm.edu/~karlinjf/IAR/prefix.php?filter=most
> http://cs.unm.edu/~karlinjf/IAR/subprefix.php?filter=mos