Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from RIPE 79

[Ronald F. Guilmette]

In message 
,
 
Suresh Ramasubramanian  wrote:

>Ruediger has a nice full list of all the other ways a prefix can be mis-
>announced or route leaked.  Typos, incompetence in setting up load balancers,
>so on and forth.  However, the number of these that are malicious and that'd
>be of interest to the AAWG...

Just to clarify, the set of things that might be of interest to me
personally is likely to be somewhat larger than the set of things
that might be of interest to the AAWG.


Regards,
rfg

Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from RIPE 79

[Richard Clayton]

In message <93666.1576523...@segfault.tristatelogic.com>, Ronald F.
Guilmette  writes

>Due to my general ignorance of these matters, I would very much like to
>be shown some real-world and current examples of each of the above three
>alleged problems, i.e.:
>
>*)  faked origin ASes
>
>*)  AS paths that are not technically valid
>
>*)  ROAs for ASNs that should not show up for public routing.
>
>I hope that Ruediger is on this list, and that he will provide me with at
>least one or two examples of each of the above.

You might find it useful to read this IMC paper

Taejoong Chung, Emile Aben, Tim Bruijnzeels, Balakrishnan
Chandrasekaran, David Choffnes, Dave Levin, Bruce M. Maggs, Alan
Mislove, Roland van Rijswijk-Deij, John Rula, and Nick Sullivan. 2019.
RPKI is Coming of Age: A Longitudinal Study of RPKI Deployment and
Invalid Route Origins. In Proceedings of the Internet Measurement
Conference (IMC '19). ACM, New York, NY, USA, 406-419.
DOI: https://doi.org/10.1145/3355369.3355596

There's a number of other academic researchers mining the RIPE data (and
other repositories) looking for "interesting" announcements ... and then
writing papers about what they have found. However if you are looking
for spam related wickedness you may need to go rather further than just
looking at public data

Note also that "faked" and "should not show up" are generally judgement
calls based on opinion (sometimes very well informed opinion) or on
assertions by the beneficial users of address blocks as to the
announcements that can be considered valid.

-- 
richard   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755


signature.asc
Description: PGP signature

Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from RIPE 79

[Suresh Ramasubramanian]

Ruediger has a nice full list of all the other ways a prefix can be 
mis-announced or route leaked.  Typos, incompetence in setting up load 
balancers, so on and forth.  However, the number of these that are malicious 
and that’d be of interest to the AAWG, is much smaller, wouldn’t you say?

From: anti-abuse-wg 
Date: Tuesday, 17 December 2019 at 3:16 PM
To: Ronald F. Guilmette , anti-abuse-wg@ripe.net 

Subject: Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from 
RIPE 79
Unfortunately as far as I am aware he is not on the list, or at least I have 
never seen him post here.

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -Original Message-
> From: anti-abuse-wg  On Behalf Of
> Ronald F. Guilmette
> Sent: Monday 16 December 2019 19:11
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG
> Minutes from RIPE 79
>
> In message
>  .prod.
> outlook.com>, Brian Nisbet  wrote:
>
> >Ruediger said that... [when] he looks at routing tables, he sees a lot
> >of odd stuff including faked origin ASes, AS paths that are not
> >technically valid, in RPKI – ROAs for ASNs that should not show up for
> >public routing. Looking at RPKI, reputation does not help because in
> >RPKI there are authorisation forecasts that are completely invalid.
>
> Due to my general ignorance of these matters, I would very much like to be
> shown some real-world and current examples of each of the above three
> alleged problems, i.e.:
>
> *)  faked origin ASes
>
> *)  AS paths that are not technically valid
>
> *)  ROAs for ASNs that should not show up for public routing.
>
> I hope that Ruediger is on this list, and that he will provide me with at 
> least
> one or two examples of each of the above.
>
> My thanks to him in advance for this.
>
>
> Regards,
> rfg

Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG Minutes from RIPE 79

[Brian Nisbet]

Unfortunately as far as I am aware he is not on the list, or at least I have 
never seen him post here.

Brian
Co-Chair, RIPE AA-WG

Brian Nisbet 
Service Operations Manager
HEAnet CLG, Ireland's National Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin D01 X8N7, Ireland
+35316609040 brian.nis...@heanet.ie www.heanet.ie
Registered in Ireland, No. 275301. CRA No. 20036270

> -Original Message-
> From: anti-abuse-wg  On Behalf Of
> Ronald F. Guilmette
> Sent: Monday 16 December 2019 19:11
> To: anti-abuse-wg@ripe.net
> Subject: Re: [anti-abuse-wg] FW: [aa-wg-chair] Draft Anti-Abuse WG
> Minutes from RIPE 79
> 
> In message
>  .prod.
> outlook.com>, Brian Nisbet  wrote:
> 
> >Ruediger said that... [when] he looks at routing tables, he sees a lot
> >of odd stuff including faked origin ASes, AS paths that are not
> >technically valid, in RPKI – ROAs for ASNs that should not show up for
> >public routing. Looking at RPKI, reputation does not help because in
> >RPKI there are authorisation forecasts that are completely invalid.
> 
> Due to my general ignorance of these matters, I would very much like to be
> shown some real-world and current examples of each of the above three
> alleged problems, i.e.:
> 
> *)  faked origin ASes
> 
> *)  AS paths that are not technically valid
> 
> *)  ROAs for ASNs that should not show up for public routing.
> 
> I hope that Ruediger is on this list, and that he will provide me with at 
> least
> one or two examples of each of the above.
> 
> My thanks to him in advance for this.
> 
> 
> Regards,
> rfg