[members-discuss] Effective countermeasures against BGP hijacking

Hi,

I think that the RPKI/ROA/ROV solution is the right way to go about this.

The fact that it's run by RIPE allows members to trust in the system
provided by the same organisation that provides the IP space; and there's
no additional fees because it's included with membership.

Instead of re-inventing the wheel, I think it would be a better use of time
to push forward ensuring that your networks and all of your upstreams are
implementing RPKI/ROA/ROV.

It's almost like saying the adoption of IPv6 has been awfully slow, so
let's skip to IPv7.



All the best,

Iain


Iain Kay
Consider IT Limited
Superior IT Support

On 1 August 2018 at 14:04, Arash Naderpour <arash_mpc at parsun.com> wrote:

> Hi,
>
>
>
> And how you can detect if an AS is hijacking a prefix? RPKI does not check
> if entire path is correct and the attacker can bypass it by adding the
> origin AS at the end of AS-PATH.
>
> BGPsec is there to address the BGP hijacking, but creating a black-list
> and some policies to list/delist ASNs just making things more complex
>  (starting with who is going to manage the list)
>
>
>
> Regards,
>
>
>
> Arash
>
>
>
> *From:* members-discuss <members-discuss-bounces at ripe.net> *On Behalf Of *Dominic
> Schallert
> *Sent:* Wednesday, 1 August 2018 7:59 PM
> *To:* members-discuss at ripe.net
> *Subject:* [members-discuss] Effective countermeasures against BGP
> hijacking
>
>
>
> Dear colleagues,
>
>
>
> I’m sure some of you have read about this recent incident;
> https://bgpstream.com/event/144058 . Nowadays we’re talking about
> transport security, https-per-default, etc. but the most fundamental parts
> of the internet such as BGP, are basically broken from a security
> perspective. While RPKI/ROA/ROV could fix most of the current
> security-related struggles, their deployment currently competes somewhat
> with IPv6 - or even worse - and therefore won’t be a practical solution in
> the forseeable future. Strict IRRDB and route object filtering is
> complicated (or almost impossible) as well.
>
>
>
> So I’m wondering, why can't we just have an automated blacklist like RBL's
> for mailservers, where all AS'es detected for hijacking prefixes are
> automatically blacklisted, similiar to Team Cymru's fullbogons feed? The
> list combined with some scripting could then be used for realtime AS-path
> filtering at border routers. Delisting of blacklisted ASNs should happen
> only after a pre-defined amount of time (eg. 14 days) or after paying a fee
> to a charity/non-profit and providing a statement on the issue which is
> publicy released. The idea is to hurt those who can’t get their stuff -
> especially prefix filtering - together.
>
>
>
> I still remember the days where everyone complained about RBLs, nowadays
> almost every mailserver setup relies on them. Sometimes extreme problems
> require extrem solutions.
>
>
>
> Mit besten Grüßen
> Kind Regards
>
> Dominic Schallert, BA
>
>
> *schallert.com <http://schallert.com> e.U.* | Hauptstraße 35b, 6800
> Feldkirch, Austria
>
>
>
> FN: 440372g  | UID: ATU66209211 | Gerichtsstand: Feldkirch
>
>
>
> Tel.: +43 680 146 1947 | Fax: +43 134 242 642 616
>
> www.schallert.com  | office at schallert.com
>
>
>
>
>
>
>
>
>
>
>
> <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient> Virus-free.
> www.avg.com
> <http://www.avg.com/email-signature?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=emailclient>
> <#m_6346974243371787360_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
>
> _______________________________________________
> members-discuss mailing list
> members-discuss at ripe.net
> https://mailman.ripe.net/
> Unsubscribe: https://lists.ripe.net/mailman/options/members-
> discuss/iain.kay%40considerit.co.uk
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20180801/bfdad5f1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 2753 bytes
Desc: not available
URL: <https://www.ripe.net/ripe/mail/archives/members-discuss/attachments/20180801/bfdad5f1/attachment.png>