

Lias

#270019 20-Apr-2020 10:31

Cloudflare have launched a tool to name and shame ISPs and backbones not making efforts to secure BGP by implementing RPKI

 

https://isbgpsafeyet.com/

 

I wonder if any NZ ISPs are doing this? I tested Vodafone and they fail.

 

Your ISP (Vodafone New Zealand Ltd., AS9500) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 





I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.


amanzi
#2465900 20-Apr-2020 10:34

Same for Voyager:

 

Your ISP (Voyager Internet Ltd, AS56030) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks. 


 
 
 
 

chevrolux
#2465910 20-Apr-2020 10:42

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?


Lias

#2465918 20-Apr-2020 10:56

chevrolux:

 

I assume this is just to poke Verizon (I think it was them?) for that mishap last year? Or maybe that government (Iraq/Iran maybe?) that tried blocking Google using BGP but then advertised over their transit links instead..?

 

 

BGP hijacks happen quite a lot I gather, because the system was never designed with security in mind. Plenty of those are simply idiocy but some are malicious. 









ShinyChrome
#2465963 20-Apr-2020 11:40

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?


NickMack
#2466057 20-Apr-2020 12:41

ShinyChrome:

 

Same with 2degrees. Any industry talking heads want to commentate on the ease of implementation of RPKI at ISP level?

 

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.





ShinyChrome
#2466081 20-Apr-2020 12:56

NickMack:

 

RPKI is one of a number of different controls available to ISPs to protect BGP against attacks. 2degrees doesn’t currently implement RPKI, but is continuously assessing how we best protect the network and our customers.

 

Nick.

 

 

Thanks Nick, always appreciate the work you guys do behind the scenes at 2degrees to keep the internet juice flowing thick and fast. It's always nice when a company like Cloudflare comes out of the woodwork to champion some esoteric issue, but for us non-network folk, it's hard to know whether it's as simple as they make it sound without going down the rabbit-hole.

 

Although as I say that, I'm realizing I should know better, because I can count the number of IT projects I have participated in where it is as simple as it sounds on one tentacle.


boosacnoodle
#2466152 20-Apr-2020 13:40

I checked 2degrees Broadband (AS23655), Spark Mobile (AS4771) and my work network as well, they are not implementing it either.

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.




gaddman
#2466425 20-Apr-2020 16:54

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.


Lias

#2466529 20-Apr-2020 18:36

gaddman:

 

boosacnoodle:

 

Then again the vast majority of New Zealanders don't even have access to IPv6 so this should really not come as a shock.

 

 

If it makes you feel any better, the figure for those without IPv6 access is 75% apparently, so arguably not the vast majority, but the overwhelming majority. We've got our fixed line network sorted, mobile is in the works.

 

 

I'm on Vodafone fixed line, still got no IPV6. Fix me? :-P

 

 

 

 







KiwiSurfer

#2466537 20-Apr-2020 18:52

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.


avaiki
#2466556 20-Apr-2020 19:24

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 


Lias

#2466618 20-Apr-2020 20:36

avaiki:

 

Just been looking into this after seeing reference here:
https://www.reddit.com/r/ProtonVPN/comments/g49efb/protonvpn_and_border_gateway_protocol/

 

Which referred to this article from Wired:
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/

 

Someone on Reddit pointed to a response from a UK ISP to the Cloudflare claims:
https://www.aa.net.uk/etc/news/bgp-and-rpki/

 

As raised there, Cloudflare claims seem a bit overblown, given that their own chart shows hardly any services have implemented RPKI yet:
https://isbgpsafeyet.com/

 

 

I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  







BarTender
#2466699 20-Apr-2020 22:24

Lias: I appreciate the points AAISP are making, while still disagreeing in general and feeling that they are being just a bit shrewish about being called out on it. RPKI is rapidly turning into IPV6. The relevant people know it should be implemented, the RFC is nearly a decade old, but they just keep filing it in the too hard/too expensive basket.  

 

As someone who worked with a few guys that looked after a fairly sizable BGP peering, RPKI is in my view far less important than DNSSEC. It's a solution looking for a problem.

 

Since if it was a serious issue occurring on a daily basis causing the internet to catch fire then engineers would have deployed it.... But it isn't...

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 







sud0
#2466752 21-Apr-2020 07:00

KiwiSurfer:

 

Your ISP (VocusGroup NZ, AS9790) does not implement BGP safely. It should be using RPKI to protect the Internet from BGP hijacks.

 

 

 

 

+1





Lucas

 

lpossamai.me


MichaelNZ
Integrity Tech Solutions

  #2478959 7-May-2020 21:54

I have implemented RPKI for our IP addresses and that page says otherwise.

 

bash-5.0$ whois 103.138.xxx.xxx

 

[snip]

 

% Information related to '103.138.130.0/23AS24511'

 

route:          103.138.130.0/23
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T02:57:29Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

bash-5.0$ whois 2405:e40::xxx

 

[snip]

 

% Information related to '2405:e40::/32AS24511'

 

route6:         2405:e40::/32
origin:         AS24511
descr:          Net Trust Ltd
mnt-by:         MAINT-NETTRUSTLTD-NZ
last-modified:  2019-10-14T04:33:38Z
source:         APNIC

 

% This query was served by the APNIC Whois Service version 1.88.15-46 (WHOIS-NODE2)

 

BarTender:

 

IMHO, if folks like Walt Wollny from Hurricane Electric aren't screaming about it... then it's probably not that much of an issue.

 

 

My take on that would be HE is primarily a transit provider. While they offer IP space, most of their clients (like us) have our own RIR-issued space.
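
What an RPKI-validating router does with each BGP announcement, shown as an added example that is not part of any post in this thread: RFC 6811 origin validation against validated ROA payloads (VRPs), followed by the drop-invalid policy a validating ISP applies. The VRPs and announcements are constructed; the prefixes and AS24511 are taken from the whois output above, while the maxLength values and AS64500 are assumptions.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a relying party extracts from a signed ROA."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data. The prefixes and origin AS are the ones in the whois
# output above; that ROAs exist with these maxLength values is an assumption.
VRPS = [
    VRP("103.138.130.0/23", 23, 24511),
    VRP("2405:e40::/32", 32, 24511),
]

def validate_origin(prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        net = ipaddress.ip_network(vrp.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this VRP does not cover the announced prefix
        covered = True
        # AS0 in a ROA means "never originate", so it can never match.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def filter_announcements(announcements, vrps=VRPS):
    """Drop-invalid policy: keep 'valid' and 'not-found', reject 'invalid'."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, vrps) != "invalid"]

# Constructed announcements; AS64500 is a documentation ASN (RFC 5398).
ANNOUNCEMENTS = [
    ("103.138.130.0/23", 24511),   # covered, right origin, within maxLength
    ("103.138.130.0/24", 24511),   # more specific than maxLength allows
    ("103.138.130.0/23", 64500),   # covered, wrong origin AS
    ("2405:e40:1::/48", 64500),    # more-specific IPv6 from the wrong AS
    ("192.0.2.0/24", 64500),       # no covering VRP at all
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn:<6} {validate_origin(prefix, asn)}")
    print("accepted:", filter_announcements(ANNOUNCEMENTS))
```

Publishing ROAs only produces the VRP list; the protection against hijacks comes from networks running the filter step on the routes they receive.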

