



4140 posts

Uber Geek

Trusted
Lifetime subscriber

#270019 20-Apr-2020 10:31

Cloudflare have launched a tool to name and shame ISPs and backbones not making efforts to secure BGP by implementing RPKI.

 

https://isbgpsafeyet.com/

 

I wonder if any NZ ISPs are doing this? I tested Vodafone and they fail.

 

Your ISP (Vodafone New Zealand Ltd., AS9500) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 





963 posts

Ultimate Geek

Trusted

  #2465900 20-Apr-2020 10:34

Same for Voyager:

 

Your ISP (Voyager Internet Ltd, AS56030) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks. 


4546 posts

Uber Geek

Trusted

  #2465910 20-Apr-2020 10:42

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?


 
 
 
 




4140 posts

Uber Geek

Trusted
Lifetime subscriber

  #2465918 20-Apr-2020 10:56

chevrolux:

 

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?

 

 

BGP hijacks happen quite a lot I gather, because the system was never designed with security in mind. Plenty of those are simply idiocy but some are malicious. 





886 posts

Ultimate Geek

Trusted
Subscriber

  #2465963 20-Apr-2020 11:40

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?


681 posts

Ultimate Geek

Trusted
2degrees

  #2466057 20-Apr-2020 12:41

ShinyChrome:

 

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?

 

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.





886 posts

Ultimate Geek

Trusted
Subscriber

  #2466081 20-Apr-2020 12:56

NickMack:

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.

 

 

Thanks Nick, always appreciate the work you guys do behind the scenes at 2degrees to keep the internet juice flowing thick and fast. It's always nice when a company like Cloudflare comes out of the woodwork to champion some esoteric issue, but for us non-network folk, it's hard to know whether it's as simple as they make it sound without going down the rabbit-hole.

 

Although as I say that, I'm realizing I should know better, because I can count the number of IT projects I have participated in where it is as simple as it sounds on one tentacle.


231 posts

Master Geek


  #2466152 20-Apr-2020 13:40

I checked 2degrees Broadband (AS23655), Spark Mobile (AS4771) and my work network as well, they are not implementing it either.

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.


 
 
 
 


215 posts

Master Geek

Trusted

  #2466425 20-Apr-2020 16:54

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.




4140 posts

Uber Geek

Trusted
Lifetime subscriber

  #2466529 20-Apr-2020 18:36

gaddman:

 

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.

 

 

I'm on Vodafone fixed line, still got no IPV6. Fix me? :-P

 

 

 

 





626 posts

Ultimate Geek

Lifetime subscriber

  #2466537 20-Apr-2020 18:52

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.


39 posts

Geek


  #2466556 20-Apr-2020 19:24

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 




4140 posts

Uber Geek

Trusted
Lifetime subscriber

  #2466618 20-Apr-2020 20:36

avaiki:

 

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 

I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  





3133 posts

Uber Geek

Trusted
Lifetime subscriber

  #2466699 20-Apr-2020 22:24

Lias: I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  

 

As someone who worked with a few guys that looked after a fairly sizable BGP peering, RPKI is in my view far less important than DNSSEC. It's a solution looking for a problem.

 

Since if it was a serious issue occurring on a daily basis causing the internet to catch fire then engineers would have deployed it.... But it isn't...

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 







80 posts

Master Geek

Subscriber

  #2466752 21-Apr-2020 07:00

KiwiSurfer:

 

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 

 

 

+1


Linux Systems Admin
1174 posts

Uber Geek

Trusted
Integrity Tech Solutions
Subscriber

  #2478959 7-May-2020 21:54

I have implemented RPKI for our IP addresses and that page says otherwise.

 

bash-5.0$ whois 103.138.xxx.xxx

 

[snip]

 

% Information related to '103.138.130.0/23AS24511'

 

route:          103.138.130.0/23
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T02:57:29Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

bash-5.0$ whois 2405:e40::xxx

 

[snip]

 

% Information related to '2405:e40::/32AS24511'

 

route6:         2405:e40::/32
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T04:33:38Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

BarTender:

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 

 

My take on that would be HE is primarily a transit provider. While they offer IP space, most of their clients (like us) have our own RIR-issued space.





Integrity Tech Solutions @ Norsewood, New Zealand

