(mostly a copy paste from [0])

1. Monitor your relay's BGP prefix for suspicious BGP activity and share alerts with this mailing list.
The easiest way to do so is to subscribe to your prefixes using https://bgpmon.net/.
You should practically get zero alerts.

2. Check the following properties of the prefixes you use (ideally even before ordering servers):

    prefix length and IRR state [1]
    RPKI state [2]

3. Ask your ISP/IP holder to create ROAs [4] for the prefixes you use, if the ROA is currently missing.

4. Ensure the ROA creator is aware of the risks of the maxlength attribute [3] and uses it accordingly (in the best case not at all).

5. Monitor the RPKI validity state of your prefixes (can also be done with bgpmon).

6. Ask your ISP to announce the IP space of your relays in /24 prefixes (/48 for IPv6) to avoid more-specific prefix hijacks (this makes sense even if you have ROAs in place, due to the low ROV coverage).

7. If your relay uses IP addresses from the RIPE region: ask your provider to create route(6) objects matching the announcements if they are not present yet.
You can use RIPEstat's prefix routing consistency widget [1] to check the current state (the "In RIS" and "RIPE IRR" columns should both say "yes").

8. Be aware that "LEGACY" or "ERX" IP space might be less likely to get ROAs from your ISP.

9. Enable IPv6 on your relays.

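An added example, not part of this post or of any of the tools linked below: a small Python implementation of RFC 6811 route origin validation run over a constructed ROA set (documentation prefixes, private ASNs 64496 and 64500), showing which of the situations from steps 2, 4, 5 and 6 a ROA actually flags, and where a loose maxlength or a missing ROA leaves a gap that only monitoring and /24 (/48) announcements cover.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    prefix: str      # IP prefix the ROA authorises
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS

# Constructed ROAs (documentation ranges, private ASNs), not real data.
# The IPv6 ROA has a loose maxlength (32 -> 48): any /48 inside
# 2001:db8::/32 is "valid" as long as the announced origin is AS64500.
ROAS = (
    Roa("192.0.2.0/24", 24, 64500),   # tight: /24 only, as step 6 suggests
    Roa("2001:db8::/32", 48, 64500),  # loose maxlength, the step 4 risk
)

def rov_state(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Classify one announcement as valid / invalid / not-found (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so check version first
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # covered by a ROA but nothing matched -> invalid; no covering ROA -> not-found
    return "invalid" if covered else "not-found"

def audit(announcements, roas=ROAS):
    """Run rov_state over (prefix, origin AS) pairs, e.g. from a route collector."""
    return {(p, asn): rov_state(p, asn, roas) for p, asn in announcements}

if __name__ == "__main__":
    seen = [  # constructed announcements
        ("192.0.2.0/24", 64500),     # the legitimate /24 announcement
        ("192.0.2.0/25", 64500),     # more-specific beyond maxlength: invalid
        ("192.0.2.0/24", 64496),     # same prefix, foreign origin: invalid
        ("203.0.113.0/24", 64500),   # no ROA at all: not-found (step 3)
        ("2001:db8:1::/48", 64496),  # foreign origin: invalid
        ("2001:db8:1::/48", 64500),  # passes only because of the loose maxlength
    ]
    for (prefix, asn), state in audit(seen).items():
        print(f"{prefix:18} AS{asn}: {state}")
```

To check real prefixes, feed the same function the ROA set exported by a validator such as the one in [2] and the announcements reported by bgpmon or RIPEstat; a "not-found" result means ROV cannot protect that prefix at all.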
[0] https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92
[1] https://stat.ripe.net/widget/prefix-routing-consistency
[2] https://rpki-validator.ripe.net/bgp-preview
[3] https://www.youtube.com/watch?v=I3Owb0u8Wuk
[4] https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-certification-roa-management
    https://www.arin.net/resources/rpki/using_rpki.html

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
