udmada
10 posts

Wannabe Geek


  #3022004 16-Jan-2023 12:28

KiwiSurfer:

 

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 

 

 

I think Vocus has implemented RPKI as per the source: https://twitter.com/pmawson/status/1371642968512237569

 

 

 

A revisit to the Cloudflare site shows the following:

 

 

 

Your ISP (VocusGroup NZ, AS9790) implements BGP safely. It correctly drops invalid prefixes.

 

Details:

fetch https://valid.rpki.cloudflare.com
✅ correctly accepted valid prefixes

fetch https://invalid.rpki.cloudflare.com
✅ correctly rejected invalid prefixes




freitasm
BDFL - Memuneh
79295 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3022005 16-Jan-2023 12:38

Mind you this does not include the old 2degrees network.







MichaelNZ
1392 posts

Uber Geek

Trusted
Integrity Tech Solutions

  #3022711 17-Jan-2023 13:14

I tried a couple of ranges in their tool. Both are in routing databases.

 

One came back and said "valid" and the other "unknown". This says to me Cloudflare does not have full coverage of the databases.

 

And herein is the problem with these sorts of tools. I did not see the word "safety" as quoted in a previous post but that would seem rather emotive.

 

The industry is justifiably cautious here. If customers suddenly can't connect with stuff which is important to them then they get unhappy, and the same folks who use these tools are among the first to share their points of view.





WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers




udmada
10 posts

Wannabe Geek


  #3022720 17-Jan-2023 13:36

MichaelNZ:

 

I tried a couple of ranges in their tool. Both are in routing databases.

 

One came back and said "valid" and the other "unknown". This says to me Cloudflare does not have full coverage of the databases.

 

And herein is the problem with these sorts of tools. I did not see the word "safety" as quoted in a previous post but that would seem rather emotive.

 

The industry is justifiably cautious here. If customers suddenly can't connect with stuff which is important to them then they get unhappy, and the same folks who use these tools are among the first to share their points of view.

 

 

 

 

Disclaimer: SE here, so networking is def _not_ my domain; please correct me should I make any mistake.

 

I see the implementation of RPKI as a good step forward for BGP security, though said “security” can only be achieved on the global level i.e. all ISPs implement RPKI safely. 

 

Re connectivity - similar to what you mentioned above, I think RPKI can be used to validate whether the response is from the real server but a fake response can be coming from a misconfiguration etc, not just hijacking/attack. 

 

Plus not sure if the name and shame approach is particularly helpful. At least Spark and Vodafone don’t seem to care much.

 

Re full coverage of the databases - I used https://github.com/nttgin/BGPalerter and checked against https://bgp.tools/as/9790#prefixes; I’d say at least for Vocus the prefixes are correct.


MichaelNZ
1392 posts

Uber Geek

Trusted
Integrity Tech Solutions

  #3022732 17-Jan-2023 13:56

udmada:

 

I see the implementation of RPKI as a good step forward for BGP security, though said “security” can only be achieved on the global level i.e. all ISPs implement RPKI safely. 

 

Re connectivity - similar to what you mentioned above, I think RPKI can be used to validate whether the response is from the real server but a fake response can be coming from a misconfiguration etc, not just hijacking/attack. 

 

Plus not sure if the name and shame approach is particularly helpful. At least Spark and Vodafone don’t seem to care much.

 

 

I work in the industry so won't be commenting on individual companies' policies in so far as they don't affect me.

 

The view from here is somewhat different to what I would do in my home LAN. Most customers want connectivity to the world wide web and they want it fast enough and reliable enough.

 

There have been times when I have deployed stuff which I thought was technically a good idea - even tested - and have had to reverse it because they don't implement well at scale or had other complications.

 

With larger companies this issue is orders of magnitude higher. The tail can't wag the dog.

 

If someone is really interested in this subject they have the option of joining APNIC and getting IP space and an ASN number. Then they can play around with this stuff in their lab.

 

In regards to the internet in general RPKI is slowly being implemented. It still might take a while and fail to get total buy-in. Much like IPv6.





WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers

