INNOG August 2020

innog@innog.net

2 participants
2 discussions

Spoofer Report for INNOG for Jul 2020

by CAIDA Spoofer Project

In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes. This report summarises tests conducted within ind. Inferred improvements during Jul 2020: ASN Name Fixed-By 24560 AIRTELBROADBAND 2020-07-11 55836 RELIANCEJIO-IN 2020-07-13 Further information for the inferred remediation is available at: https://spoofer.caida.org/remedy.php Source Address Validation issues inferred during Jul 2020: ASN Name First-Spoofed Last-Spoofed 24560 AIRTELBROADBAND 2016-03-12 2020-07-23 9498 BBIL-AP 2016-11-01 2020-07-21 55836 RELIANCEJIO-IN 2017-03-03 2020-07-30 24186 RAILTEL 2018-12-08 2020-07-26 Further information for these tests where we received spoofed packets is available at: https://spoofer.caida.org/recent_tests.php?country_include=ind&no_block=1 Please send any feedback or suggestions to spoofer-info(a)caida.org

3 days, 2 hours

RPKI deployment in India

by Anurag Bhatia

Hello INNOG community! As many of you might be aware - there's a major effort ongoing for deploying RPKI across the globe. At my daytime job (at Hurricane Electric / AS6939) we recently deployed RPKI validation. Many other large networks have also deployed RPKI in the last few months including but not limited to AT&T, KPN, GTT, Telia, Cognet, NTT, Seacom besides many larger exchanges. As far as I can see Tata Communications global AS6453 also seems to be dropping a large number of invalids (likely from their peers) besides ACT broadband which is also dropping invalids across a large part of its network. *Deploying RPKI essentially has two key parts: * 1. Signing your own prefixes / Creating RPKI ROAs Here you sign your prefixes. It's similar to IRR route object but technically much better as it's a cryptographic signature which can be easily validated by a supported router. Having your own prefixes signed saves you from a possible hijack attempt of your prefixes. If anyone hijacks your unsigned prefixes, the announcement would be visible almost across the globe but if they are signed, you can expect most of the networks I listed above to be dropping those invalids. 2. Dropping invalids Here you are expected to drop prefixes (of others) which you see do not carry a valid RPKI ROA. This part requires the support of RPKI in your router. Both of these steps are independent of each other. A network can create ROAs without validating or vice versa. As of now when looking across South and East Asia, we (India) seems to be lagging quite badly on ROA creation. There are around 42k prefixes visible in the global table from India and out of this only 5k are signed i.e just 12%. Comparing this to our neighbours - Bangladesh is at 82%, Myanmar at 78%, Nepal & Sri Lanka at 90%, Pakistan at 73%and Taiwan + Mangolia are at 90%+ levels. [image: Screenshot 2020-07-18 at 1.44.36 AM.png] I have created a public dashboard to track the deployment across Asia with a focus on India. If interested, you can check it here: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?orgId=1 *If you are a network operator with IP addresses, please consider the following: * 1. Create an RPKI ROAs for your prefixes. If your resources are from APNIC, you can do that at My APNIC portal. If your resources are from IRINN, you can request IRINN to create ROAs for your prefixes (similar to the way you request for the route objects). You would need to inform IRINN for the Prefix + origin ASN you would like to use to originate it + the max allowed subnet mask (like /24 or /23...whatever upto size you wish to use in announcing prefix). 2. Check out the invalids in India table published here: https://graphs.muc.anuragbhatia.com/d/DPIj_47Mk/rpki?viewPanel=39&orgId=1 If you see any of your prefixes here, please consider fixing those. These announcements are already being rejected by various large networks and will cause issues for your customers. If you would like to read more about RPKI, this documentation can be a good start: https://rpki.readthedocs.io/en/latest/rpki/introduction.html and if you are wondering if your hardware is supported for dropping invalids, this one covers it: https://rpki.readthedocs.io/en/latest/rpki/router-support.html#hardware-s... Feel free to write back here if you have any questions. Thanks. -- Anurag Bhatia anuragbhatia.com

6 days, 20 hours

2020

2019

INNOG August 2020 ----- 2020 ----- August 2020 July 2020 June 2020 May 2020 April 2020 March 2020 February 2020 January 2020 ----- 2019 ----- December 2019 November 2019 October 2019 September 2019 August 2019 July 2019

INNOG August 2020