Alun Davies - 2023-05-23 09:00:43
Hi everyone, I'm Alun from the RIPE NCC. This chat panel is meant for discussion ONLY. If you have questions for the speaker and you want the session chair to read it out, please write it in the Q&A window also stating your affiliation. Otherwise, you can ask questions using the microphone icon.
Randy Bush - 2023-05-23 09:04:51
ris collector peers leak internals, e.g. intra-isp p2p links
Emile Aben - 2023-05-23 09:13:06
should we (RIS) stop these?
Randy Bush - 2023-05-23 09:13:35
we should develop clearer policies for RIS & RV collectore peers
Geoff Huston - 2023-05-23 09:16:17
Yes - some RIS and RV peers treat the collector as a customer, some as an external peer and some as an upstream. As far as I am aware there is no way to look at the data and figure out what each collector peer is doing.
Emile Aben - 2023-05-23 09:16:46
Makes sense to me. But I'm scratching my head at how to do that (develop RV+RIS policy around this)
Randy Bush - 2023-05-23 09:16:57
we have tried to sell an internet-draft to solve this
Emile Aben - 2023-05-23 09:17:07
Yup. But it didn't solve it
Geoff Huston - 2023-05-23 09:17:37
yeah - its a ~20 year old issue
Randy Bush - 2023-05-23 09:17:41
Randy Bush - 2023-05-23 09:18:22
that was the second try. many years ago tried a similar i-d. co-author decided to add a million features.
Geoff Huston - 2023-05-23 09:21:40
RFC4384 from 2006
Geoff Huston - 2023-05-23 09:22:39
so many bells. So many whistles.
Geoff Huston - 2023-05-23 09:24:59
I don't get the IPv6 argument - even if you filter on a /32 thats still 4 billion possible route objects - so a /32 is about as impossible to sustain as a /56 filter or a /64!
Randy Bush - 2023-05-23 09:25:01
Randy Bush - 2023-05-23 09:26:06
@geoff wrong rfc
Randy Bush - 2023-05-23 09:26:56
i started that rfc but dropped out as the complexity water rose
Geoff Huston - 2023-05-23 09:28:20
yep - the RFC is overly ornate and I did not think anyone used it
Randy Bush - 2023-05-23 09:29:07
the usual "raise hand" seems unavailable in this instantiation of meetecho
Randy Bush - 2023-05-23 09:29:34
maybe that is a good thing :)
Emile Aben - 2023-05-23 09:29:59
You can type questions at the '?' in the meetecho interface
Alun Davies - 2023-05-23 09:30:32
Do you have a question, Randy? You can drop it in the Q&A tab.
Alun Davies - 2023-05-23 09:30:51
(oh yeah - what Emile said ;) )
Antonio Prado - 2023-05-23 09:39:05
@emile, my fault for not reading out your questions
Emile Aben - 2023-05-23 09:40:46
No worries, I will have more questions after this talk :)
Michael Richardson - 2023-05-23 09:43:14
I wonder if we can run this algorithm for every AS, and as a result, find places where we need more RCs.
Antonio Prado - 2023-05-23 09:44:54
Michael, do you want to ask this question to the presenter?
Michael Richardson - 2023-05-23 09:45:32
I'm not sure yet, he might yet answer it.
Geoff Huston - 2023-05-23 09:48:59
If the attacker uses AS prepending why not just simply prepend with the AS of the route collector(s)?
Emile Aben - 2023-05-23 09:49:49
@michael: We would need more peers, right? not route collectors per se (our RIS multihop collectors collect from peers all over the planet)
Geoff Huston - 2023-05-23 09:53:15
@emile - yes, you would need around 10,000 peers, which is the number of ASes in IPv4 that provide visible transit. A challenge in many dimensions.
Emile Aben - 2023-05-23 09:54:53
10k for full mitigation, but how about making it at least a few magnitudes harder to do this if you add a few in strategic places
Michael Richardson - 2023-05-23 09:55:06
@emile, point taken. So I am using the wrong terminology: do we need more observation points. Your point is that we need to watch every single peer, which certainly would solve the problem. So can we get away with less?
Emile Aben - 2023-05-23 09:55:25
Antonio Prado - 2023-05-23 09:55:35
are there questions for Alexandros?
Emile Aben - 2023-05-23 09:56:56
I had not pressed enter yet on mine, now i have
Michael Richardson - 2023-05-23 09:59:10
I wonder if https://en.wikipedia.org/wiki/Broken_windows_theory applies here.
Michael Richardson - 2023-05-23 10:00:26
(although whether it really works is subject to debate)
Geoff Huston - 2023-05-23 10:01:15
I don;t think so - I was struck by a presentation some 3 years ago where the attack lasted for a couple of hours for the data exfiltration to happen. The attackers had absolutely no concern about the footprints they left behind ads the attack was over in short order. The question in my mind is why bother with stealth if the attack is short and sharp?
Antonio Prado - 2023-05-23 10:28:32
@randy, do you have a question?
Randy Bush - 2023-05-23 10:28:54
yup. or more of a clarification
Randy Bush - 2023-05-23 10:29:07
but not critical
Antonio Prado - 2023-05-23 10:29:47
ok, do you want to write on the Q&A section?
Randy Bush - 2023-05-23 10:30:05
time is out.
Antonio Prado - 2023-05-23 10:30:19