This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[mat-wg] comment on Thu presentation on Measuring Routing Insecurity
- Next message (by thread): [mat-wg] comment on Thu presentation on Measuring Routing Insecurity
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sandra Murphy
sandy at tislabs.com
Fri May 18 17:43:32 CEST 2018
I am curious about Andrei’s presentation ("Measuring Routing Insecurity”):
How is an incident known? What do you use as the start of an incident, especially if you are going to try to measure mediation time?
Many hijacks mentioned on the nanog list bring responses from operators who had their own incidents to report that would otherwise have not been reported. So clearly not all are reported.
Incidents mentioned on the nanog list sometimes lead to discovery of related hijacks by the same ISP.
Many hijacks mentioned on the nanog list are discovered to have been going on for quite some time, like days.
ISPs that have been propagating a hijack for days may not have been alerted that a hijack has occurred.
Sometimes the message on nanog notes that the ISP has been contacted but has not responded.
Are you going to do your own discovery of hijacks? Based on what?
Is the start of the hijack the start of the incident? the report on nanog? the contact to the ISP?
Randy’s comment about active measurement gets at the same questions. It is much easier to know an incident has occurred and when it started if you are in control of the incident.
—Sandy
- Next message (by thread): [mat-wg] comment on Thu presentation on Measuring Routing Insecurity
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ mat-wg Archives ]