Ask HN: Is propagation of BGP hijacks unavoidable?
8 points by _nalply on Aug 20, 2023 | hide | past | favorite | 5 comments
This says that Iraq blocks Telegram and that the BGP hijacks propagated, but damage was limited by the use of RPKI.

https://news.ycombinator.com/item?id=37191332

Now I wonder if the propagation of BGP hijacks is absolutely unavoidable?

I realized that if a nation-state wants to hijack BGP, they would need to disable RPKI inside the nation-state or find a different way to let the hijacked BGP rules apply. If they just disable RPKI, then they would be vulnerable to other hijacks. Let's say a different nation-state blocks Twitter; then Twitter would get blocked in Iraq too.

This is an ironic twist: censors get censored themselves, too. (If I understood this correctly).

Right?

You mention RPKI. Doesn't that suggest propagation can be and was observed to be limited in some cases? Aside from a cryptographic proof, what do you suggest?


I don't suggest anything. I just want to understand something better. Intellectual curiosity.

I asked ChatGPT; however, it told me: «I want to emphasize that BGP hijacking is a violation of internet standards and principles. It's unethical and can cause significant disruptions and security risks for the global internet infrastructure. Deliberately attempting to execute BGP hijacking, even with the intention of preventing propagation, is not something that should be pursued.»

> observed to be limited in some cases?

As far as I understood: if an ISP uses RPKI, they will verify propagated BGP messages and are therefore protected against BGP hijacking. However, if a nation-state orders a national ISP to do BGP hijacking, they would need to disable their own RPKI checking and potentially become victims of other BGP hijacking because of the distributed nature of BGP.

Let's say nation state X blocks service A (in the linked discussion: X = Iraq, A = Telegram).

Then nation state Y blocks service B. This gets propagated to nation state X. Then they have both A and B blocked.

In other words, censors get censored themselves.


Only the IP address holder can sign a valid ROA. It specifies the acceptable prefix lengths the origin AS can advertise. The BGP speakers placed under a requirement to hijack either had to specify a shorter path to the origin or only hijacked against people who didn't filter BGP against a validated ROA hierarchy.

ROA can't defend against an attack on the path, hence the possibility that they kept the origin AS unaltered but advertised reachability to it as a lie. Since some people say ROA protected them, that tends to suggest they faked the origin for more specific prefixes or simply asserted a bad origin AS.

My guess is it was like YouTube hijack in PK: wrong side of a box got affected: they only care about BGP speakers inside Iran.

Maybe the NANOG list will say more, or the RIPE NCC blog and RIPE Labs.


Since you seem knowledgeable... can I ask a potentially dumb question?

Does anything stop a rogue network from adding a BGP peer configured with the AS number that's listed in the ROA and then propagating those announcements how they want?

Maybe prefix or path filters on the rogue's upstreams, but my (weak) understanding of RPKI says if the destination ASN matches, it's an acceptable route, and I don't see anything to validate that the announcer actually is the AS owner?

Overall, BGP is built on a high assumption of trust, and RPKI seems to be very helpful for accidental hijacks, but might not help for intentional ones. OTOH, if Iran only wants to hijack within the country, they might just effectively require networks within their purview to accept the hijacking announcements without regard to RPKI (and the external networks who enforce RPKI would ignore those announcements by default, if they leak).


The scenario you declare depends on the mutual trust between BGP speakers. It's a weak wall of defence. All public BGP is under continuous scrutiny so this kind of thing is detected but that's post hoc remediation. AS holders need to use BGP detection systems to see rogue instances of their AS and within an "island" of border a large number of AS could be made to see a rogue and occlude it from others.

Additional signed states in BGPsec and in the emerging ASPA would make this much harder, but with 80,000 ASes it's a large job to both compute and share the adjacency information, and largely BGP path security is a work in progress.

What you say about Iran is substantively true for any economy which wants to control its borders.
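An added illustration (not code from any commenter) of the ROA checks described above and of the forged-origin question: a minimal RFC 6811 route origin validation over one constructed ROA, showing which of the discussed announcements an ROV-filtering router rejects and which (the path with a faked origin AS) it accepts. Prefixes and AS numbers are constructed documentation values.

```python
"""Route Origin Validation (RFC 6811) against a constructed ROA set.

ROV compares only the announced prefix and the origin AS (last AS in the
AS_PATH) with signed ROAs; the rest of the path is never checked.
Prefixes and AS numbers below are documentation ranges, not real ones.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the address holder signed for
    max_length: int   # longest prefix length the origin AS may announce
    origin_asn: int   # the only AS authorised to originate it


# Constructed ROA: AS64500 may originate 203.0.113.0/24 and nothing longer.
ROAS = [ROA("203.0.113.0/24", 24, 64500)]


def validate(prefix: str, as_path: list[int], roas=ROAS) -> str:
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not_found'."""
    route = ipaddress.ip_network(prefix)
    origin_asn = as_path[-1]  # ROV only ever looks at the origin AS
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True  # some ROA covers it, so it must now match one
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not_found"


def demo() -> dict:
    """The cases from the thread, as an ROV-filtering router sees them."""
    return {
        # legitimate origination by the authorised AS
        "legit": validate("203.0.113.0/24", [64496, 64500]),
        # more-specific hijack: /25 exceeds max_length, rejected
        "more_specific": validate("203.0.113.0/25", [64496, 64500]),
        # wrong origin AS: rejected
        "wrong_origin": validate("203.0.113.0/24", [64496, 64511]),
        # rogue AS64511 appends the authorised origin to the path:
        # indistinguishable from "legit" to ROV (the forged-origin question)
        "forged_origin": validate("203.0.113.0/24", [64511, 64500]),
        # prefix with no ROA at all: most filters still accept it
        "no_roa": validate("198.51.100.0/24", [64511]),
    }
```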
