<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Anyone to start an internet secure day?
;) <br>
Maybe it's a good way to kickstart that change<br>
<br>
On 01-08-18 at 16:43, Dominic Schallert wrote:<br>
</div>
<blockquote type="cite" cite="mid:md5:dDA7v3umrFZX10zniHpnmQ==">
Hi Cedric,
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 01.08.2018 at 15:45, Cedric R &lt;<a
href="mailto:ml@servperso.com" class=""
moz-do-not-send="true">ml@servperso.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<div class="moz-cite-prefix">Hello,<br class="">
I think it's not a bad idea but the real solution remains
RPKI.<br class="">
If transit operators like HE or L3 start to reject
INVALID RPKI and some risky networks start to sign their
routes (and it's pretty simple with RIR tools), we can
clear a part of the problem quickly.<br class="">
I'm not talking about rejecting unsigned routes, but only
invalid signed ones.<br class="">
</div>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
I absolutely agree with you. Personally I believe, for making
progress with technology, we will always need some innovators
and big players which are able and willing to create a certain
amount of pressure on the market. If the big transit providers
or networks like Google, Amazon, etc. would agree about a
certain date after which they will reject all invalid RPKI, I
guess we would see some spike in RPKI adoption VERY quickly.
Similar thing just happening with HTTPS/TLS and their flagging
of <a class="moz-txt-link-freetext" href="http://">http://</a> as insecure in their latest Chrome builds. Same story
around three years ago with Google's call for mobile-first and
responsiveness. Concerning BGP, unfortunately I do not expect
any of the big ones to take this step anywhere soon, as it
would also dramatically impact their own availability and
revenue. So what other options do we have then?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<div class="moz-cite-prefix">Also AS blacklisting can be
quickly spoofed. <br class="">
What happens if someone uses a hijacked ASN behind its
legit ASN to announce a hijacked prefix (not every filter
drops that)? <br class="">
</div>
</div>
</div>
</blockquote>
<div class=""><br class="">
</div>
<div class="">To be honest, that’s an issue I haven't thought
about yet but you are absolutely right. </div>
<div class="">The only feasible solution here would be strict
IRRDB filtering on autnum/as-set.</div>
<div class=""><br class="">
</div>
</div>
<div class="">Best Regards</div>
<div class="">Dominic</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div>
<blockquote type="cite" class="">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
<div class="moz-cite-prefix"> Best Regards<br class="">
Cedric Rossius<br class="">
<br class="">
On 01-08-18 at 11:59, Dominic Schallert wrote:<br
class="">
</div>
<blockquote type="cite"
cite="mid:md5:fU2zcPHasjRJ0mOK45HEUQ==" class="">
Dear colleagues,
<div class=""><br class="">
</div>
<div class="">I’m sure some of you have read about this
recent incident; <a
href="https://bgpstream.com/event/144058" class=""
moz-do-not-send="true">https://bgpstream.com/event/144058</a> .
Nowadays we’re talking about transport security,
https-per-default, etc. but the most fundamental parts
of the internet such as BGP, are basically broken from
a security perspective. While RPKI/ROA/ROV could fix
most of the current security-related struggles, their
deployment currently competes somewhat with IPv6 - or
even worse - and therefore won’t be a practical
solution in the foreseeable future. Strict IRRDB and
route object filtering is complicated (or almost
impossible) as well.</div>
<div class=""><br class="">
</div>
<div class="">So I’m wondering, why can't we just have
an automated blacklist like RBLs for mailservers,
where all ASes detected for hijacking prefixes are
automatically blacklisted, similar to Team Cymru's
fullbogons feed? The list combined with some scripting
could then be used for realtime AS-path filtering at
border routers. Delisting of blacklisted ASNs should
happen only after a pre-defined amount of time (e.g. 14
days) or after paying a fee to a charity/non-profit
and providing a statement on the issue which is
publicly released. The idea is to hurt those who can’t
get their stuff - especially prefix filtering -
together.</div>
<div class=""><br class="">
</div>
<div class="">I still remember the days where everyone
complained about RBLs, nowadays almost every
mailserver setup relies on them. Sometimes extreme
problems require extreme solutions.</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">
<p class="">Kind Regards</p>
<p class="">Dominic Schallert, BA</p>
<p class=""><b class="">schallert.com e.U.</b> | Hauptstraße 35b, 6800 Feldkirch, Austria<br class="">
FN: 440372g | UID: ATU66209211 | Place of jurisdiction: Feldkirch<br class="">
Tel.: +43 680 146 1947 | Fax: +43 134 242 642 616<br class="">
<a href="http://www.schallert.com/" class="" moz-do-not-send="true">www.schallert.com</a> | <a href="mailto:office@schallert.com" class="" moz-do-not-send="true">office@schallert.com</a></p>
</div>
<br class="">
</div>
<br class="">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br class="">
<pre class="" wrap="">_______________________________________________
members-discuss mailing list
<a class="moz-txt-link-abbreviated" href="mailto:members-discuss@ripe.net" moz-do-not-send="true">members-discuss@ripe.net</a>
<a class="moz-txt-link-freetext" href="https://mailman.ripe.net/" moz-do-not-send="true">https://mailman.ripe.net/</a>
Unsubscribe: <a class="moz-txt-link-freetext" href="https://lists.ripe.net/mailman/options/members-discuss/ml%40servperso.com" moz-do-not-send="true">https://lists.ripe.net/mailman/options/members-discuss/ml%40servperso.com</a>
</pre>
</blockquote>
<p class=""><br class="">
</p>
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
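<p>Added example, not part of the original thread: a Python sketch of the two filters discussed above, RPKI origin validation that rejects only INVALID routes (unsigned routes stay accepted) next to the proposed AS-path blacklist. The ROAs, ASNs, announcements and function names are constructed for illustration and use documentation ranges.</p>

```python
import ipaddress

# Constructed sample data (documentation prefixes and ASNs, not real ROAs).
ROAS = [  # (prefix, max_length, authorized origin AS)
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/22", 24, 64501),
]
BLACKLISTED_ASNS = {64666}  # hypothetical list of ASes detected for hijacking


def rov_state(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this route
        if route.prefixlen <= max_len and origin_as == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"


def blacklist_hit(as_path, blacklist=BLACKLISTED_ASNS):
    """The proposed AS-path filter: match if any listed ASN is on the path."""
    return any(asn in blacklist for asn in as_path)


def accept(prefix, as_path):
    """Policy from the thread: reject INVALID only, keep unsigned routes."""
    if blacklist_hit(as_path):
        return False
    return rov_state(prefix, as_path[-1]) != "invalid"


# Constructed announcements: (prefix, AS path); the origin is the last hop.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),     # authorized origin: valid
    ("192.0.2.0/24", [64510, 64666]),     # listed AS as origin: both filters hit
    ("192.0.2.0/24", [64510, 64777]),     # unlisted wrong origin: only ROV rejects
    ("198.51.100.0/25", [64510, 64501]),  # right origin, longer than max_length
    ("203.0.113.0/24", [64510, 64777]),   # no ROA: not-found, still accepted
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        verdict = "accept" if accept(prefix, path) else "reject"
        print(prefix, path, rov_state(prefix, path[-1]), verdict)
```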
<p><br>
</p>
</body>
</html>