Hi all,

I would like to ask about the possibility of prefix hijacking by an ISP after implementing RIPE's last prefix advertisement procedures. Are there any official documents regarding that?

Best regards
Hi all,

in short: yes, it was and is possible ;) At least temporarily.

18.02.11 17:10, Amer wrote:
> Hi all,
> I would like to ask about the possibility of prefix hijacking by an ISP after implementing RIPE's last prefix advertisement procedures. Are there any official documents regarding that?
> Best regards
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Hi Amer,

In order to help mitigate route hijacking issues, it is considered good practice to register your announcements as route objects in an Internet Routing Registry such as the RIPE Database. This allows others to base routing decisions on them, using filters.

A new alternative is the RIPE NCC Resource Certification service, which was launched at the beginning of this year. This allows you to get a digital certificate for your IP address blocks and create Route Origin Authorisation (ROA) objects, which essentially state "From this Autonomous System, I shall announce these prefixes". This allows anyone on the Internet to *validate* if a certain route announcement has a valid ROA associated with it, created by the legitimate holder of the address space.

You can find more information here: http://ripe.net/certification
And here is a quick tour: http://youtu.be/Q0C0kEYa1d8

Kind regards,

Alex Band
Product Manager, RIPE NCC

On 18 Feb 2011, at 16:10, Amer wrote:
> Hi all,
> I would like to ask about the possibility of prefix hijacking by an ISP after implementing RIPE's last prefix advertisement procedures. Are there any official documents regarding that?
> Best regards
Alex,

In most cases of real hijacks I know, the origin was the real ASN of the prefix. It is easy, like this (cisco style):

    router bgp $EVIL_AS
     network $TARGET_SITE_IP/24 route-map INSERT_ASN
    ...
    route-map INSERT_ASN permit 1
     set as-path prepend $TARGET_SITE_ASN

If you need to fight the hijacks, you SURE need to check and filter the WHOLE chain of the route.

20.02.11 12:45, Alex Band wrote:
> Hi Amer,
>
> In order to help mitigate route hijacking issues, it is considered good practice to register your announcements as route objects in an Internet Routing Registry such as the RIPE Database. This allows others to base routing decisions on them, using filters.
>
> A new alternative is the RIPE NCC Resource Certification service, which was launched at the beginning of this year. This allows you to get a digital certificate for your IP address blocks and create Route Origin Authorisation (ROA) objects, which essentially state "From this Autonomous System, I shall announce these prefixes". This allows anyone on the Internet to *validate* if a certain route announcement has a valid ROA associated with it, created by the legitimate holder of the address space.
>
> You can find more information here: http://ripe.net/certification
> And here is a quick tour: http://youtu.be/Q0C0kEYa1d8
>
> Kind regards,
>
> Alex Band
> Product Manager, RIPE NCC
>
> On 18 Feb 2011, at 16:10, Amer wrote:
> > Hi all,
> > I would like to ask about the possibility of prefix hijacking by an ISP after implementing RIPE's last prefix advertisement procedures. Are there any official documents regarding that?
> > Best regards
-- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
Hi all,

Great thanks for your cooperation and informative replies.

Thank you,
Eng Amer Alghadhban
COE SANS-GCFW CEH, SCNP, CCNA
> From: president@ukraine.su
> To: routing-wg@ripe.net
> Subject: Re: [routing-wg] Prefix hijacking possibility
> Date: Mon, 21 Feb 2011 00:34:47 +0200
>
> Alex,
>
> In most cases of real hijacks I know, the origin was the real ASN of the prefix. It is easy, like this (cisco style):
>
>     router bgp $EVIL_AS
>      network $TARGET_SITE_IP/24 route-map INSERT_ASN
>     ...
>     route-map INSERT_ASN permit 1
>      set as-path prepend $TARGET_SITE_ASN
>
> If you need to fight the hijacks, you SURE need to check and filter the WHOLE chain of the route.
>
> 20.02.11 12:45, Alex Band wrote:
> > Hi Amer,
> >
> > In order to help mitigate route hijacking issues, it is considered good practice to register your announcements as route objects in an Internet Routing Registry such as the RIPE Database. This allows others to base routing decisions on them, using filters.
> >
> > A new alternative is the RIPE NCC Resource Certification service, which was launched at the beginning of this year. This allows you to get a digital certificate for your IP address blocks and create Route Origin Authorisation (ROA) objects, which essentially state "From this Autonomous System, I shall announce these prefixes". This allows anyone on the Internet to *validate* if a certain route announcement has a valid ROA associated with it, created by the legitimate holder of the address space.
> >
> > You can find more information here: http://ripe.net/certification
> > And here is a quick tour: http://youtu.be/Q0C0kEYa1d8
> >
> > Kind regards,
> >
> > Alex Band
> > Product Manager, RIPE NCC
> >
> > On 18 Feb 2011, at 16:10, Amer wrote:
> > > Hi all,
> > > I would like to ask about the possibility of prefix hijacking by an ISP after implementing RIPE's last prefix advertisement procedures. Are there any official documents regarding that?
> > > Best regards
>
> -- WBR, Max Tulyev (MT6561-RIPE, 2:463/253@FIDO)
> In most cases of real hijacks I know, the origin was the real ASN of the prefix. It is easy, like this (cisco style):
>
>     router bgp $EVIL_AS
>      network $TARGET_SITE_IP/24 route-map INSERT_ASN
>     ...
>     route-map INSERT_ASN permit 1
>      set as-path prepend $TARGET_SITE_ASN

for *real* attacks, yes. but 99% of mis-announcements are fat fingers, and do not have the correct asn in the origin.

> If you need to fight the hijacks, you SURE need to check and filter the WHOLE chain of the route.

agree completely. see new sidr wg charter

randy
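Added example, not part of any message in this thread: a sketch of ROA-based origin validation (the valid / invalid / not-found states of RFC 6811) next to a simple AS-path adjacency check, showing why a route that keeps the real origin ASN still passes origin validation while a wrong-origin mis-announcement does not. The ROA entries, ASNs, adjacency set and function names are constructed for illustration, using documentation prefixes and ASNs.

```python
import ipaddress

# Constructed data: documentation prefixes (RFC 5737/3849) and ASNs (RFC 5398).
# Each ROA is (prefix, maxLength, authorised origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]
# Hypothetical set of AS adjacencies the operator has reason to expect,
# written (nearer AS, farther AS) as they appear left to right in an AS path.
ADJACENCIES = {(64499, 64496), (64496, 64500), (64499, 64511), (64499, 64501)}


def origin_validate(prefix, as_path, roas=ROAS):
    """Origin validation as in RFC 6811: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the rightmost AS is the claimed origin
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this address space
        if net.prefixlen <= max_len and origin == roa_as:
            return "valid"
    return "invalid" if covered else "not-found"


def undeclared_hops(as_path, adjacencies=ADJACENCIES):
    """Return AS-path hops that are not expected adjacencies.
    Repeated ASNs (ordinary prepending) are skipped."""
    hops = zip(as_path, as_path[1:])
    return [(a, b) for a, b in hops if a != b and (a, b) not in adjacencies]


def assess(prefix, as_path):
    """Combine both checks the way a filter would: origin first, then path."""
    return origin_validate(prefix, as_path), undeclared_hops(as_path)


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", [64499, 64496, 64500]),    # legitimate route
        ("192.0.2.0/24", [64499, 64511]),           # wrong origin (fat finger)
        ("192.0.2.0/24", [64499, 64511, 64500]),    # real origin, foreign path
        ("192.0.2.128/25", [64499, 64496, 64500]),  # longer than maxLength
        ("203.0.113.0/24", [64499, 64496]),         # no covering ROA
    ]
    for prefix, path in samples:
        print(prefix, path, *assess(prefix, path))
```

The third sample is the case discussed above: origin validation returns valid, and only the path check reports the unexpected hop.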
participants (5)
- Alex Band
- Amer
- AMER AL-GHADHBAN
- Max Tulyev
- Randy Bush