This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[members-discuss] Effective countermeasures against BGP hijacking
- Previous message (by thread): [members-discuss] Effective countermeasures against BGP hijacking
- Next message (by thread): [members-discuss] Effective countermeasures against BGP hijacking
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
NOC
noc at mega-net.ru
Wed Aug 1 15:02:26 CEST 2018
Hi. Why ? The answer is simple. It will be centralized system and so: - you will need to trust its system engineers - any breaking of this system can cause Internet crash if many AS`es will use it So it is very bad idea on my opinion. What we need that all follow the rules: https://www.routingmanifesto.org/ С наилучшими пожеланиями :: With best regards, Дмитрий Николаев технический директор ООО "Меганет-2003" :: Dmitry Nikolaev CTO "Meganet-2003" LLC On 01.08.2018 12:59, Dominic Schallert wrote: > Dear colleagues, > > I’m sure some of you have read about this recent > incident; https://bgpstream.com/event/144058 . Nowadays we’re talking > about transport security, https-per-default, etc. but the most > fundamental parts of the internet such as BGP, are basically broken > from a security perspective. While RPKI/ROA/ROV could fix most of the > current security-related struggles, their deployment currently > competes somewhat with IPv6 - or even worse - and therefore won’t be a > practical solution in the forseeable future. Strict IRRDB and route > object filtering is complicated (or almost impossible) as well. > > So I’m wondering, why can't we just have an automated blacklist like > RBL's for mailservers, where all AS'es detected for hijacking prefixes > are automatically blacklisted, similiar to Team Cymru's fullbogons > feed? The list combined with some scripting could then be used for > realtime AS-path filtering at border routers. Delisting of blacklisted > ASNs should happen only after a pre-defined amount of time (eg. 14 > days) or after paying a fee to a charity/non-profit and providing a > statement on the issue which is publicy released. The idea is to hurt > those who can’t get their stuff - especially prefix filtering - together. > > I still remember the days where everyone complained about RBLs, > nowadays almost every mailserver setup relies on them. Sometimes > extreme problems require extrem solutions. > > Mit besten Grüßen > Kind Regards > > Dominic Schallert, BA > > > > > *schallert.com e.U.* | Hauptstraße 35b, 6800 Feldkirch, Austria > > FN: 440372g | UID: ATU66209211 | Gerichtsstand: Feldkirch > > Tel.: +43 680 146 1947 | Fax: +43 134 242 642 616 > > www.schallert.com | office at schallert.com > > > > > > > > > _______________________________________________ > members-discuss mailing list > members-discuss at ripe.net > https://mailman.ripe.net/ > Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/noc%40mega-net.ru -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20180801/5723c33f/attachment.html> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/png Size: 2753 bytes Desc: not available URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20180801/5723c33f/attachment.png>
- Previous message (by thread): [members-discuss] Effective countermeasures against BGP hijacking
- Next message (by thread): [members-discuss] Effective countermeasures against BGP hijacking
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]