[members-discuss] Effective countermeasures against BGP hijacking
NOC
noc at mega-net.ru
Wed Aug 1 15:02:26 CEST 2018
Hi.

Why? The answer is simple. It will be a centralized system, and so:

- you will need to trust its system engineers
- any breakage of this system can cause an Internet crash if many ASes use it

So it is a very bad idea, in my opinion.
What we need is for everyone to follow the rules: https://www.routingmanifesto.org/

With best regards,
Dmitry Nikolaev
CTO, "Meganet-2003" LLC

On 01.08.2018 12:59, Dominic Schallert wrote:
> Dear colleagues,
>
> I'm sure some of you have read about this recent
> incident; https://bgpstream.com/event/144058 . Nowadays we're talking
> about transport security, https-per-default, etc. but the most
> fundamental parts of the internet such as BGP, are basically broken
> from a security perspective. While RPKI/ROA/ROV could fix most of the
> current security-related struggles, their deployment currently
> competes somewhat with IPv6 - or even worse - and therefore won't be a
> practical solution in the foreseeable future. Strict IRRDB and route
> object filtering is complicated (or almost impossible) as well.
>
> So I'm wondering, why can't we just have an automated blacklist like
> RBLs for mailservers, where all ASes detected for hijacking prefixes
> are automatically blacklisted, similar to Team Cymru's fullbogons
> feed? The list combined with some scripting could then be used for
> realtime AS-path filtering at border routers. Delisting of blacklisted
> ASNs should happen only after a pre-defined amount of time (e.g. 14
> days) or after paying a fee to a charity/non-profit and providing a
> statement on the issue which is publicly released. The idea is to hurt
> those who can't get their stuff - especially prefix filtering - together.
>
> I still remember the days where everyone complained about RBLs,
> nowadays almost every mailserver setup relies on them. Sometimes
> extreme problems require extreme solutions.
>
> Kind Regards
>
> Dominic Schallert, BA
>
> *schallert.com e.U.* | Hauptstraße 35b, 6800 Feldkirch, Austria
> FN: 440372g | UID: ATU66209211 | Gerichtsstand: Feldkirch
> Tel.: +43 680 146 1947 | Fax: +43 134 242 642 616
> www.schallert.com | office at schallert.com
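
The blacklist filter proposed in the quoted message, with the 14-day delisting window, and the central-feed failure mode raised in the reply, as an added sketch that is not code from either poster. The feed layout, the `MAX_FEED_AGE` and `MAX_LISTED` limits and the fail-open choice are assumptions; the ASNs are constructed samples from the documentation range.

```python
from datetime import datetime, timedelta, timezone

LISTING_TTL = timedelta(days=14)    # delisting window named in the proposal
MAX_FEED_AGE = timedelta(hours=6)   # assumption: an older feed is treated as broken
MAX_LISTED = 100                    # assumption: sanity cap on active listings


def active_listings(feed, now):
    """Return the ASNs whose listing has not yet aged out."""
    return {asn for asn, listed_at in feed["entries"].items()
            if now - listed_at < LISTING_TTL}


def feed_usable(feed, now):
    """Reject a feed that is stale or implausibly large.

    This is the local guard against the reply's concern: a broken or
    tampered central list must not make every subscriber drop routes.
    """
    fresh = now - feed["generated"] <= MAX_FEED_AGE
    return fresh and len(active_listings(feed, now)) <= MAX_LISTED


def accept_route(as_path, feed, now):
    """True if a route with this AS path passes the blacklist filter."""
    if not feed_usable(feed, now):
        return True  # fail open: ignore the feed rather than blackhole traffic
    return not (set(as_path) & active_listings(feed, now))


# Constructed sample feed: one recent listing, one older than 14 days.
NOW = datetime(2018, 8, 1, 12, 0, tzinfo=timezone.utc)
FEED = {
    "generated": NOW - timedelta(hours=1),
    "entries": {
        64500: NOW - timedelta(days=3),
        64501: NOW - timedelta(days=20),
    },
}

if __name__ == "__main__":
    for path in ([64496, 64500, 64510], [64496, 64501], [64496, 64497]):
        verdict = "accept" if accept_route(path, FEED, NOW) else "reject"
        print(path, verdict)
```

Failing open keeps a bad feed from causing an outage, but it also means anyone who can stall the feed disables the filter, which is the trust trade-off the reply points at.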