Geekzone: technology news, blogs, forums


Lias

#270019 20-Apr-2020 10:31

Cloudflare have launched a tool to name and shame ISPs and backbones not making efforts to secure BGP by implementing RPKI

 

https://isbgpsafeyet.com/

 

I wonder if any NZ ISPs are doing this? I tested Vodafone and they fail.

 

Your ISP (Vodafone New Zealand Ltd., AS9500) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


amanzi
#2465900 20-Apr-2020 10:34

Same for Voyager:

 

Your ISP (Voyager Internet Ltd, AS56030) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks. 




chevrolux
#2465910 20-Apr-2020 10:42

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?


Lias

#2465918 20-Apr-2020 10:56

chevrolux:

 

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?

 

 

BGP hijacks happen quite a lot I gather, because the system was never designed with security in mind. Plenty of those are simply idiocy but some are malicious. 









ShinyChrome
#2465963 20-Apr-2020 11:40

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?


NickMack
#2466057 20-Apr-2020 12:41

ShinyChrome:

 

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?

 

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.





ShinyChrome
#2466081 20-Apr-2020 12:56

NickMack:

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.

 

 

Thanks Nick, always appreciate the work you guys do behind the scenes at 2degrees to keep the internet juice flowing thick and fast. It's always nice when a company like Cloudflare comes out of the woodwork to champion some esoteric issue, but for us non-network folk, it's hard to know whether it's as simple as they make it sound without going down the rabbit-hole.

 

Although as I say that, I'm realizing I should know better, because I can count the number of IT projects I have participated in where it is as simple as it sounds on one tentacle.


 
 
 
 

boosacnoodle
#2466152 20-Apr-2020 13:40

I checked 2degrees Broadband (AS23655), Spark Mobile (AS4771) and my work network as well, they are not implementing it either.

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.


gaddman
#2466425 20-Apr-2020 16:54

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.


Lias

#2466529 20-Apr-2020 18:36

gaddman:

 

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.

 

 

I'm on Vodafone fixed line, still got no IPV6. Fix me? :-P

 

 

 

 







KiwiSurfer
#2466537 20-Apr-2020 18:52

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.


avaiki
#2466556 20-Apr-2020 19:24

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 





... Journalism is not a crime ...


 
 
 

Lias

#2466618 20-Apr-2020 20:36

avaiki:

 

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 

I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  







BarTender
#2466699 20-Apr-2020 22:24

Lias: I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  

 

As someone who worked with a few guys that looked after a fairly sizable BGP peering, RPKI is in my view far less important than DNSSEC. It's a solution looking for a problem.

 

Since if it was a serious issue occurring on a daily basis causing the internet to catch fire then engineers would have deployed it.... But it isn't...

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 


sud0
#2466752 21-Apr-2020 07:00

KiwiSurfer:

 

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 

 

 

+1





Lucas

 

lpossamai.me


MichaelNZ
Net Trust Ltd
#2478959 7-May-2020 21:54

I have implemented RPKI for our IP addresses and that page says otherwise.

 

bash-5.0$ whois 103.138.xxx.xxx

 

[snip]

 

% Information related to '103.138.130.0/23AS24511'

 

route:          103.138.130.0/23
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T02:57:29Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

bash-5.0$ whois 2405:e40::xxx

 

[snip]

 

% Information related to '2405:e40::/32AS24511'

 

route6:         2405:e40::/32
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T04:33:38Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

BarTender:

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 

 

My take on that would be HE is primarily a transit provider. While they offer IP space, most of their clients (like us) have our own RIR-issued space.





WFH Linux Systems and Networks Engineer in the Internet industry | Specialising in Mikrotik | APNIC member | Open to job offers | ZL2NET

