[GTER] [lacnog] Hijack de prefixo em IRR

Carlos Friaças cfriacas at fccn.pt
Sun Sep 15 07:59:01 -03 2019 


Hi Job, Douglas, All,
(please see inline)


On Sat, 14 Sep 2019, Job Snijders wrote:

> Hi Douglas,
>
> On Fri, Sep 13, 2019 at 05:57:06PM -0300, Douglas Fischer wrote:
>> Our analysis was focused just in Brazilian prefixes mostly because
>> those are "familiar to me and my friend.  But also because that
>> database of 'ASN vs Prefixes' is very tight.
>
> Right, but the problem also exists globally. You have (re)discovered a
> problem that is widely recognised.
>
>> I believe that if there was a tool (if it doesn't already exist) that
>> could get the list of "ASNs vs Prefixes" delegations for each of the
>> RIR/NIR/LIR, and put it together in a consultable way, It could be
>> used as a substantial information to indicate, not afraid to say
>> something unfair, that "those" entries are wrong.
>
> Yes, this tool already exists. It is called "RPKI" - I am not joking. I
> hope the Brazilian community soon gets access to it, because this is
> where everyone is heading.

*strong support*.
Please do RPKI as soon as possible. Publish your ROAs!


>> And it could be used for example as a PUBLIC SHAME LIST.
>> - Shame on Mantainers, that are creating wrong entries.
>> - Shame on Owner of the Resources, that are not doing their preventive work.
>> - And, MOSTLY, Shame on IRRs bases, that are accepting anything.
>> (OK, this is not very "politically correct", but it is the best we
>> have.  And it works! At least with good persons who doesn't like to be
>> seen as a fat finger.)
>
> Why are you shaming me Douglas? I work for an IRR, it is my job to help
> maintain the NTTCOM database. We have recognised the flaw and concluded
> that the solution is to let RPKI data supersede IRR data (when there is
> a conflict). We are investing significant money to resolve the issue we
> (as IRRs) are part of. What more do you want me to do?

At some point in the future completely drop IRR...??? :-)))

If one owns (or have usage rights over a prefix) why isn't one able to 
create ROAs...?
(some legacy resource holders which don't want to pay for the service 
might by the exception, i know...)



> I already shared with this list what real actions we are taking, what is
> already happening in other regions to help reduce this problem. If the
> follow up is "well, i'm going to ignore your solution and still want to
> shame you"... I am not sure how productive that is :-)

It's not.
And "shame" also won't work against established business models which are 
deliberately abuse-centric, continuously exploring some design flaws. :/



>> Well... If Two basic rules would be implemented by RADB and all the others
>> IRRs
>> [snip]
>
> We are going to follow slightly different heuristics, because those are
> more widely deployable.
>
> What seems to be the essence of the problem here is that operators in
> Brazil don't have access to RPKI services yet. I think almost everything
> you highlight will be much easier and simpler to deal with once BR
> operators can publish RPKI ROAs for BR prefixes...

I wasn't really aware of this "issue".
Isn't the service accessible through LACNIC...?


Best Regards,
Carlos



> Kind regards,
>
> Job
> --
> gter list    https://eng.registro.br/mailman/listinfo/gter
>

More information about the gter mailing list