<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
According to what I take from Doug's answer, the only two
differences between this case and that of Pakistan Telecom and
YouTube are that (1) the 'mistakenly leaked' (let's not call it
hijacking :-) ) prefix was a /32 instead of a /24, and (2) that BT
Latam upstreams apparently do a much better job at prefix filtering
than what PCCW did for PakTel.<br>
<br>
Other than that, it's the same old story all over again. So yes,
RPKI could have played a useful role here.<br>
<br>
<br>
Cheers!<br>
<br>
~Carlos<br>
<br>
<div class="moz-cite-prefix">On 3/19/14, 6:03 PM, Roque Gagliano
wrote:<br>
</div>
<blockquote
cite="mid:CAJBrruhKTYK2s=33bmGo_SdsLvF+vHYq5oTwWvg-=R14sqEBjw@mail.gmail.com"
type="cite">
<div dir="ltr">I guess the conclusion is that AS7908 did
originate the <a moz-do-not-send="true"
href="http://8.8.8.8/32" target="_blank">8.8.8.8/32</a>
announcement and then the (small coverage) leakage could have
been prevented by RPKI if configured at their upstreams.<br>
r.<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Mar 19, 2014 at 9:48 PM, Carlos
M. Martinez <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:carlosmarcelomartinez@gmail.com"
target="_blank">carlosmarcelomartinez@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Doug,<br>
<br>
thanks for the good wishes and thank you very much for your
very clear<br>
and complete answer, that is just what I was looking for.<br>
<br>
Kind regards,<br>
<br>
~Carlos<br>
<div class="HOEnZb">
<div class="h5"><br>
On 3/19/14, 5:44 PM, Doug Madory wrote:<br>
> Hola Carlos,<br>
><br>
> Congrats on your new role at LACNIC!<br>
><br>
> It is true that AS7908 announced <a
moz-do-not-send="true" href="http://8.8.8.8/32"
target="_blank">8.8.8.8/32</a> for about 20 minutes on
Saturday, although I'm skeptical of how significant this
is.<br>
><br>
> For one, because the route is a /32 it didn't
travel very far. We had 4 of our 416 peers see it. I
believe BGPmon had about the same number of peers see
the route. The article you cite implies that there was
global impact, however the actual number of users
impacted is likely small. As far as what the "impact"
was, there isn't any evidence that this wasn't just a
leak of some internal route for proper handling of
Google DNS queries. If there were queries that were
blocked or returned with bogus information, then that
would be concerning.<br>
><br>
> Half of the routes that BT Latam (AS7908) transits
(about 200) are from Argentina, 80 are from Brazil, 40
from Venezuela and the rest from other LATAM countries.
I suspect this leaked route was probably there to make
sure the queries were handled in a certain way like
directed to the local Google DNS resolvers in Buenos
Aires or Sao Paulo. I don't believe that we know that
any Google DNS queries at all were actually redirected
to Venezuela as the article suggests.<br>
><br>
> What's more, AS7908 regularly announces <a
moz-do-not-send="true" href="http://125.125.125.0/24"
target="_blank">125.125.125.0/24</a>, which is Chinese
address space that is currently in use by China Telecom.
Given the repeating pattern of the octets, I believe
this is another internal route they are inadvertently
leaking - as opposed to hijacking the Chinese. :-) I
encounter this kind of thing regularly. Also AS7908
leaked internal routes earlier that day. These things
contribute to the appearance of sloppiness more than
anything nefarious.<br>
><br>
> Rogers of Canada also announced <a
moz-do-not-send="true" href="http://8.8.8.8/30"
target="_blank">8.8.8.8/30</a> last year and it was
discussed on the NANOG list:<br>
> <a moz-do-not-send="true"
href="http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html"
target="_blank">http://mailman.nanog.org/pipermail/nanog/2013-July/059736.html</a><br>
> That ultimately appeared to be benign:<br>
> <a moz-do-not-send="true"
href="http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html"
target="_blank">http://mailman.nanog.org/pipermail/nanog/2013-July/059743.html</a><br>
><br>
> There are other examples. Such as AS39605
announcing <a moz-do-not-send="true"
href="http://8.8.8.0/24" target="_blank">8.8.8.0/24</a>
last month for almost 6 hours.<br>
><br>
> Having said all that, BGP hijacking is a legitimate
concern that ought to be addressed in a thoughtful way.<br>
><br>
> Doug Madory<br>
> 603-643-9300 x115<br>
> Hanover, NH<br>
> "The Internet Intelligence Authority"<br>
><br>
> On Mar 19, 2014, at 11:00 AM, <a
moz-do-not-send="true"
href="mailto:lacnog-request@lacnic.net">lacnog-request@lacnic.net</a>
wrote:<br>
><br>
>> Date: Tue, 18 Mar 2014 17:34:55 -0300<br>
>> From: Carlos Martinez-Cagnazzo <<a
moz-do-not-send="true"
href="mailto:carlosm3011@gmail.com">carlosm3011@gmail.com</a>><br>
>> To: Latin America and Caribbean Region Network
Operators Group<br>
>> <<a moz-do-not-send="true"
href="mailto:lacnog@lacnic.net">lacnog@lacnic.net</a>><br>
>> Subject: [lacnog] <a moz-do-not-send="true"
href="http://8.8.8.0/24" target="_blank">8.8.8.0/24</a>
hijacked in Venezuela??<br>
>> Message-ID:<br>
>>
<CA+z-_EXMyjqZ5EgqApjM97WMif1CEj_-B1z3--N9=-<a
moz-do-not-send="true"
href="mailto:o13Qa25A@mail.gmail.com">o13Qa25A@mail.gmail.com</a>><br>
>> Content-Type: text/plain; charset="iso-8859-1"<br>
>><br>
>> I was just reading this:<br>
>><br>
>> <a moz-do-not-send="true"
href="http://thehackernews.com/2014/03/google-public-dns-server-traffic.html"
target="_blank">http://thehackernews.com/2014/03/google-public-dns-server-traffic.html</a><br>
>><br>
>> I would like to understand whether this really was a BGP
'hijacking', which is what it<br>
>> looks like judging by the BGPMon screenshot
published in the<br>
>> article, or whether it was some other kind of problem.<br>
>><br>
>> In particular, I want to understand it in order to know whether
RPKI would have been<br>
>> useful in this scenario to mitigate the event.**<br>
>><br>
>> Regards<br>
>><br>
>> ~Carlos<br>
>><br>
>> **That way I can also add it to my RPKI PowerPoint
:-)<br>
> _______________________________________________<br>
> LACNOG mailing list<br>
> <a moz-do-not-send="true"
href="mailto:LACNOG@lacnic.net">LACNOG@lacnic.net</a><br>
> <a moz-do-not-send="true"
href="https://mail.lacnic.net/mailman/listinfo/lacnog"
target="_blank">https://mail.lacnic.net/mailman/listinfo/lacnog</a><br>
> Unsubscribe: <a moz-do-not-send="true"
href="mailto:lacnog-unsubscribe@lacnic.net">lacnog-unsubscribe@lacnic.net</a><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
<br>
<br>
At least I did something<br>
Don Draper - Mad Men
</div>
<br>
</blockquote>
<br>
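<p>The thread's conclusion, that RPKI origin validation at the upstreams would have rejected the leaked /32, worked through as an added example (not part of the original messages). The ROA for 8.8.8.0/24 (AS15169, maxLength 24) and the absence of any ROA for 125.125.125.0/24 are constructed assumptions; the other prefixes and ASNs are the ones named in the thread.</p>

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


# Constructed ROA set (assumption, not from the thread): 8.8.8.0/24 is
# authorized for AS15169 only, maxLength 24. Nothing covers 125.125.125.0/24.
ROAS = [ROA(ipaddress.ip_network("8.8.8.0/24"), 24, 15169)]

# Announcements named in the thread, plus one constructed legitimate route.
ANNOUNCEMENTS = [
    ("8.8.8.8/32", 7908),        # the 20-minute leak
    ("8.8.8.0/24", 39605),       # the ~6 hour announcement
    ("125.125.125.0/24", 7908),  # regularly announced by AS7908
    ("8.8.8.0/24", 15169),       # constructed: the authorized origin
]


def validate(prefix, origin_asn, roas=ROAS):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if route.subnet_of(r.prefix)]
    if not covering:
        return "not-found"  # no ROA covers the route, RPKI says nothing
    for roa in covering:
        # AS0 ROAs never match; the route must not exceed maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"  # covered, but wrong origin and/or too specific


def accepted_by_upstream(announcements, roas=ROAS):
    """Routes an upstream that drops RPKI-invalid announcements would keep."""
    return [(p, a) for p, a in announcements if validate(p, a, roas) != "invalid"]


if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn:<6} {validate(prefix, asn)}")
```

<p>Under these assumptions the /32 is invalid on both origin and length, while 125.125.125.0/24 stays not-found and passes an invalid-only filter until its holder publishes a ROA.</p>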
</body>
</html>