Geekzone: technology news, blogs, forums
udmada
  #3022004 16-Jan-2023 12:28
KiwiSurfer:

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

I think Vocus has implemented RPKI as per the source: https://twitter.com/pmawson/status/1371642968512237569

A revisit to the Cloudflare site shows the following:

Your ISP (VocusGroup NZ, AS9790) implements BGP safely. It correctly drops invalid prefixes.

Details
fetch https://valid.rpki.cloudflare.com
✅ correctly accepted valid prefixes
fetch https://invalid.rpki.cloudflare.com
✅ correctly rejected invalid prefixes




freitasm
  #3022005 16-Jan-2023 12:38
Mind you, this does not include the old 2degrees network.






MichaelNZ
  #3022711 17-Jan-2023 13:14
I tried a couple of ranges in their tool. Both are in routing databases.

One came back and said "valid" and the other "unknown". This says to me Cloudflare does not have full coverage of the databases.

And herein is the problem with these sorts of tools. I did not see the word "safety" as quoted in a previous post but that would seem rather emotive.

The industry is justifiably cautious here. If customers suddenly can't connect with stuff which is important to them then they get unhappy, and the same folks who use these tools are among the first to share their points of view.





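An added example, not code from this thread, from Cloudflare's test page or from BGPalerter: a small Python implementation of route origin validation as specified in RFC 6811, which is what the "valid" / "invalid" / "unknown" results above and the Cloudflare "correctly drops invalid prefixes" check are about. ROV compares a route announcement's prefix and origin AS against the published ROAs; "unknown" means no ROA covers the prefix at all, and under the usual policy unknown routes are still accepted, so a tool reporting "unknown" for one of your ranges says nothing about whether the ISP drops invalids. All prefixes, ASNs (other than AS9790 mentioned in the thread) and ROAs below are constructed sample data using documentation ranges and private-use ASNs, not the contents of the real RPKI repositories; the `audit_announcements` helper and its prefix list are likewise constructed to show how one would check an AS's announced prefixes against ROAs.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Added illustration for this thread; it is not code from Cloudflare's test
page, from BGPalerter, or from any poster. All prefixes, ASNs and ROAs
below are constructed sample data (documentation ranges and private ASNs),
not the contents of the real RPKI repositories.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: origin_asn may announce prefix and
    any more-specific of it down to max_length bits."""
    prefix: Network
    max_length: int
    origin_asn: int


def make_roa(prefix: str, max_length: int, origin_asn: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    # RFC 6482: maxLength lies between the prefix length and the address size.
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, origin_asn)


def covering_roas(roas: Iterable[ROA], route: Network) -> List[ROA]:
    """ROAs whose prefix contains the route (same address family only)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> str:
    """Return the RFC 6811 state of a (prefix, origin AS) pair.

    unknown: no ROA covers the prefix, so RPKI says nothing about it;
    valid:   a covering ROA names this origin and permits this length;
    invalid: ROAs cover the prefix but none matches origin and length.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "unknown"
    for roa in covering:
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def accept_route(state: str) -> bool:
    """The policy the Cloudflare test exercises: drop only 'invalid'.

    'unknown' routes are accepted, which is why a tool reporting 'unknown'
    for a prefix does not by itself indicate a broken deployment."""
    return state != "invalid"


def audit_announcements(roas: Iterable[ROA], origin_asn: int,
                        announced: Iterable[str]) -> Dict[str, str]:
    """State of each prefix an AS announces (the kind of prefix list a
    looking glass or BGPalerter would supply; constructed here)."""
    roa_list = list(roas)
    return {p: validate(roa_list, p, origin_asn) for p in announced}


# Constructed ROAs (documentation prefixes, private-use ASNs).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64500),
    make_roa("2001:db8::/32", 48, 64500),
    make_roa("203.0.113.0/24", 24, 64501),
]

if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", 64500),     # valid: exact match
        ("192.0.2.0/25", 64500),     # invalid: longer than maxLength
        ("192.0.2.0/24", 64499),     # invalid: wrong origin AS
        ("198.51.100.0/24", 64500),  # unknown: nothing covers it
        ("2001:db8:1::/48", 64500),  # valid: within maxLength 48
    ]
    for prefix, asn in checks:
        state = validate(SAMPLE_ROAS, prefix, asn)
        action = "accept" if accept_route(state) else "drop"
        print(f"{prefix:18} AS{asn}  {state:8} -> {action}")
```

The maxLength check is the part most often misunderstood: a ROA for 192.0.2.0/24 with maxLength 24 makes a /25 announcement from the same AS invalid, which is exactly what stops a more-specific hijack from winning the longest-prefix match, and also why an operator who forgets to raise maxLength before announcing a more-specific sees their own legitimate route dropped (the "misconfiguration, not just hijacking" case raised later in the thread).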




udmada
  #3022720 17-Jan-2023 13:36
MichaelNZ:

I tried a couple of ranges in their tool. Both are in routing databases.

One came back and said "valid" and the other "unknown". This says to me Cloudflare does not have full coverage of the databases.

And herein is the problem with these sorts of tools. I did not see the word "safety" as quoted in a previous post but that would seem rather emotive.

The industry is justifiably cautious here. If customers suddenly can't connect with stuff which is important to them then they get unhappy, and the same folks who use these tools are among the first to share their points of view.

Disclaimer: SE here, so networking is def _not_ my domain; please correct me should I make any mistake.

I see the implementation of RPKI as a good step forward for BGP security, though said “security” can only be achieved on the global level, i.e. all ISPs implement RPKI safely.

Re connectivity - similar to what you mentioned above, I think RPKI can be used to validate whether the response is from the real server, but a fake response can be coming from a misconfiguration etc., not just hijacking/attack.

Plus I'm not sure if the name and shame approach is particularly helpful. At least Spark and Vodafone don’t seem to care much.

Re full coverage of the databases - I used https://github.com/nttgin/BGPalerter and checked against https://bgp.tools/as/9790#prefixes. I’d say at least for Vocus the prefixes are correct.


MichaelNZ
  #3022732 17-Jan-2023 13:56
udmada:

I see the implementation of RPKI as a good step forward for BGP security, though said “security” can only be achieved on the global level, i.e. all ISPs implement RPKI safely.

Re connectivity - similar to what you mentioned above, I think RPKI can be used to validate whether the response is from the real server, but a fake response can be coming from a misconfiguration etc., not just hijacking/attack.

Plus I'm not sure if the name and shame approach is particularly helpful. At least Spark and Vodafone don’t seem to care much.

I work in the industry so won't be commenting on individual companies' policies in so far as they don't affect me.

The view from here is somewhat different to what I would do in my home LAN. Most customers want connectivity to the world wide web and they want it fast enough and reliable enough.

There have been times when I have deployed stuff which I thought was technically a good idea - even tested - and have had to reverse it because it didn't implement well at scale or had other complications.

With larger companies this issue is orders of magnitude higher. The tail can't wag the dog.

If someone is really interested in this subject they have the option of joining APNIC and getting IP space and an ASN. Then they can play around with this stuff in their lab.

In regards to the internet in general, RPKI is slowly being implemented. It still might take a while and fail to get total buy-in. Much like IPv6.






