RE: YouTube IP Hijacking

 
This candidate list of requirements is for route sources
that North
American Operators should trust to propagate long prefix
routes, nothing
more, nothing less. In that context, some of your comments
don't really
make sense.

Perhaps you might like to propose criteria you would find
useful in
setting a level of trust, or some alternative method to
avoid a
recurrence of a site that is widely visited being black
holed through
another ISP advertising a more specific route?

Specifically:

In place of item 1, what criteria would you propose for the
route
source?

Item 2: in this context, is specific to the needs of North
American
Network Operators accepting long prefix routes. I am not
advocating not
accepting routes from the ROW, just not very specific ones.
It's
entirely possible for North American Operators to rely on
law
enforcement in say, the EU and Australia.

Item 3: Glad we agree on something.

Item 4: How would you have said it?

I think it would be better to propose some constructive
ideas as to how
we can avoid what happened today from recurring, and also
deal with the
issue of hijacked IP space in general.


> -----Original Message-----
> From: owner-nanogmerit.edu [mailto:owner-nanogmerit.edu] On 
> Behalf Of Patrick W. Gilmore
> Sent: Sunday, February 24, 2008 5:43 PM
> To: nanogmerit.edu
> Cc: Patrick W. Gilmore
> Subject: Re: YouTube IP Hijacking
> 
> 
> On Feb 24, 2008, at 7:36 PM, Tomas L. Byrnes wrote:
> 
> > I'm sure we can all find a list of "critical

> infrastructure" ASes that 
> > could be trusted to peer via the "high
priority" AS. I'd 
> say that the 
> > criteria should be:
> >
> > 1: Hosted at a Tier 1 provider.
> 
> That is a silly requirement.
> 
> (I am sorry, I tried hard to find a nicer way to say
this, 
> but I really feel strongly about this.)
> 
> 
> > 2: Within a jurisdiction where North American
operators have a good 
> > chance of having the law on their side in case of
any 
> network outage 
> > caused by the entity.
> 
> This is also a bit strange.  Do your users never attach
to a 
> host outside the USofA?
> 
> 
> > 3: Considered highly competent technically.
> 
> Here we agree.
> 
> 
> > 4: With state of the art security and operations.
> 
> I think we agree, but I wouldn't have said it like
that.
> 
> --
> TTFN,
> patrick
> 
> 
> > OTOH: I would say that, until today, those who
advocate not 
> engaging  
> > in
> > any kind of ethnic or political profiling would
have 
> considered 17557,
> > as a national telco, a trusted route source.
> >
> >> -----Original Message-----
> >> From: Randy Epstein [mailto:repsteinchello.at]
> >> Sent: Sunday, February 24, 2008 4:15 PM
> >> To: Tomas L. Byrnes; 'Simon Lockhart'
> >> Cc: 'Michael Smith'; neil.fenemorfx.net.nz; willharg.net;
> >> nanogmerit.edu
> >> Subject: RE: YouTube IP Hijacking
> >>
> >> Tomas L. Byrnes wrote:
> >>
> >>> Perhaps certain ASes that are considered
"high priority",
> >> like Google,
> >>> YouTube, Yahoo, MS (at least their update
servers), can be
> >> trusted to
> >>> propagate routes that are not
aggregated/filtered, so as to
> >> give them
> >>> control over their reachability and
immunity to longer-prefix
> >>> hijacking (especially problematic with
things like MS 
> update sites).
> >>
> >> Not to stir up a huge debate here, but if I
were a day
> >> trader, I could live without YouTube for a
day, but not
> >> e*trade or Ameritrade as it would be my
livelihood.  If I
> >> were an eBay seller, why would I care about
YouTube?  You get
> >> the idea.  What makes Google, YouTube, Yahoo,
MS, etc more
> >> important?
> >>
> >> More importantly, why is PCCW not prefix
filtering their 
> downstreams?
> >> Certainly AS17557 cannot be trusted without a
filter.
> >>
> >> Randy
> >>
> >>> -----Original Message-----
> >>> From: Simon Lockhart [mailto:simonslimey.org]
> >>> Sent: Sunday, February 24, 2008 2:07 PM
> >>> To: Tomas L. Byrnes
> >>> Cc: Michael Smith; neil.fenemorfx.net.nz; willharg.net;
> >>> nanogmerit.edu
> >>> Subject: Re: YouTube IP Hijacking
> >>>
> >>> On Sun Feb 24, 2008 at 01:49:00PM -0800,
Tomas L. Byrnes wrote:
> >>>> Which means that, by advertising
routes more specific
> >> than the ones
> >>>> they are poisoning, it may well be
possible to restore universal
> >>>> connectivity to YouTube.
> >>>
> >>> Well, if you can get them in there....
Youtube tried that,
> >> to restore
> >>> service to the rest of the world, and the
announcements didn't
> >>> propogate.
> >>>
> >>> Simon
> >>>
> >>
> >>
> >>
> >
> 
> 

> This candidate list of requirements is for route
sources that 
> North American Operators should trust to propagate long

> prefix routes, nothing more, nothing less. 

All operators already have some kind of criteria which they
use
to decide whether or not to trust a particular source of
routes
whether long prefixes or short. You are suggesting that
these operators
should give up this role to a trusted third party so that
al
North American network operators share fate in terms of BGP
trust relationships. It seems that you feel this is an
improvement
since some network operators have very lax policies and
trust people
that they shouldn't. In that case, I wonder whether these
operators
would even bother joining such a shared-fate arrangement.

But the big downside is for the operators who have carefully
honed
filtering policies and who are careful about who they trust.
For them
there is no upside to joining a shared-fate arrangement, and
a potential
downside if management decides that their internal BGP
filtering
practices can now be made more lax. And, of course, the
shared fate
arrangement is now a single point of failure and a very
juicy target
for bad guys to attack.

The real solution to the YouTube issue is for people to
pressure other
network operators to raise their game and pay attention to
how they
manage their BGP trust relationships and filter
announcements. In
addition, more people need to get involved in information
sharing 
arrangements like Routing Registries, MyASN, alert services
and so on.
None of these things create a single point of failure and
some of
them would be useful even if your Super AS is created.
Because all
of this activity is done by humans, even your Super AS can
make
mistakes so it would be bad for people to trust it just
because it
is big. Alert services, RRs, MyASN, etc., can protect
against
human failures whether in the Super AS or Pakistan Telecom.

> Perhaps you might like to propose criteria you would
find 
> useful in setting a level of trust, or some alternative

> method to avoid a recurrence of a site that is widely
visited 
> being black holed through another ISP advertising a
more 
> specific route?

Haven't you noticed that the definition of "widely
visited site"
changes regularly, and often quite abruptly? How much
traffic 
did YouTube get 3 years ago? Facebook? MySpace? There is no
shortcut for eternal vigilance, i.e. manage your BGP
relationships
don't just configure and forget.

> Item 2: in this context, is specific to the needs of
North 
> American Network Operators accepting long prefix
routes. I am 
> not advocating not accepting routes from the ROW, just
not 
> very specific ones. It's entirely possible for North
American 
> Operators to rely on law enforcement in say, the EU and
Australia.

In case you hadn't noticed, there is no North American law
enforcement
agency and no North American courts and no North American
laws outside
of NAFTA. So I'm not sure what you are getting at here. Do
you want
to reopen NAFTA negotiations to include Internet peering?

> I think it would be better to propose some constructive
ideas 
> as to how we can avoid what happened today from
recurring, 
> and also deal with the issue of hijacked IP space in
general.

The tools and techniques are out there. All that is needed
is 
for people to follow best practices. Seems to me that
educational
activity would be more productive than building castles in
the sky.

--Michael Dillon