[routing-wg] /24 prefix "hijackability" metric (defining "better than avg AS")

Sandra Murphy wrote:
>> On Tue, Aug 14, 2018 at 07:58:00PM +0000, nusenu wrote:
>>> I'm currently estimating how "vulnerable" certain IP addresses are to
>>> BGP hijacking.
>>>
>>> To do that, I put them into different categories (multiple can apply):
>>>
>>> a) RPKI validity state is "NotFound" (no ROA) and IP located in a prefix shorter than /24 (IPv4)  or /48 (IPv6)
>>> b) Valid ROA but weak maxlength
>>> c) Valid ROA with proper maxlength
> 
> Are “weak” and “proper” defined in terms of presence or absence in the global routing update database?

I probably should have used the same wording as the related Internet-Draft uses:
weak: a "loose ROA"
proper: a "minimal ROA" 
as described in:
https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpkimaxlen


> You say ‘estimating how “vulnerable”’, so this is an ordering, right?  (a) is most vulnerable?

correct, my assumption is that (a) is most vulnerable.

> I’m wondering how this vulnerability order applies to IRR route objects as well.

I also looked at IRR coverage [1] but I only considered RIPE's IRR because most prefixes
I analyzed were from the RIPE region and RIPE has the best data quality/authorization checks.

[1] Figure 6: https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92

kind regards,
nusenu


-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ripe.net/ripe/mail/archives/routing-wg/attachments/20180925/2775b166/attachment.sig>