Hi,
I measured the adoption of RPKI ROAs that help with routing security and some other properties for the >3k BGP prefixes that make up the Tor network.
https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijackin...
You might want to jump directly to section "Recommendations for Tor Relay Operators". (I could paste it here but then all the URLs would be lost)
Since OVH SAS and DO do not deploy ROAs at all yet:
If you are an OVH SAS or Digital Ocean customer (directly or indirectly just on the same AS) it would be great if you could ask your customer support when they are planning to deploy RPKI ROAs (like other big hosters already did).
thanks, nusenu
If you are an OVH SAS or Digital Ocean customer (directly or indirectly just on the same AS) it would be great if you could ask your customer support when they are planning to deploy RPKI ROAs (like other big hosters already did).
Do you have a template email that can be sent? I will lodge a helpdesk ticket here in AU for my service (OVH) - Still trying to get the IPv6 working... SIGH.
Paul
137CF322859E400455E457DB920F65FFDD222CDF
Paul Templeton:
If you are an OVH SAS or Digital Ocean customer (directly or indirectly just on the same AS) it would be great if you could ask your customer support when they are planning to deploy RPKI ROAs (like other big hosters already did).
Do you have a template email that can be sent? I will lodge a helpdesk ticket here in AU for my service (OVH)
thanks for asking them.
OVH customers could send something like:
" Since other big hosting companies like online.net and hetzner.com already deployed technologies (RPKI ROAs [1]) that help reduce the risk of BGP hijacking I looked into your BGP prefixes that contain my server and noticed that you do not make use of these security mechanisms to protect the traffic of my server(s).
Is there a specific reason why you did not create RPKI ROAs for your BGP prefixes yet? Can you share your timeline for when you are planning to create ROAs to help protect my servers' traffic from being hijacked?
[1] https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure "
Ticket number 165858113 created. We will wait for a response and I will post it.
:-) Paul
Paul Templeton:
Ticket number 165858113 created. We will wait for a response and I will post it.
:-) Paul
OVH Ticket Number 6993458396 created.
thanks appreciated, looking forward to the answers.
Here’s OVH’s non-response:
Start OVH
Thank you for contacting OVH with regards to BGP hijacking; we apologize for the delay in response.
From the current status of discussion on the subject, it appears implementing ROA / RPKI is still in development but not a priority; I am afraid at the moment we have no information on a possible ETA for it.
The goal would be to eventually implement BGPSec, as ROA / RPKI only verifies the origin of an IP address regarding the AS which is announcing it.
At the moment, what we propose to you is to ensure you have ways of detecting BGP hijacks on your services; for instance you may search online for "how to detect BGP hijacking on my service".
Shall you have any doubts or concerns, please let us know.
For any other questions or concerns, please feel free to contact us through a support ticket or through our toll-free line at 1-855-684-5463. We’re here 24/7 to help you!
We thank you again for choosing OVH,
<<<<STOP OVH
I’m still mulling how to respond.
On Aug 26, 2018, at 10:30 AM, nusenu nusenu-lists@riseup.net wrote:
Paul Templeton:
Ticket number 165858113 created. We will wait for a response and I will post it.
:-) Paul
OVH Ticket Number 6993458396 created.
thanks appreciated, looking forward to the answers.
-- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
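Added example, not part of the original thread or of nusenu's measurement code: a sketch of RFC 6811 route origin validation, the check that ROAs enable and the kind of per-prefix classification an adoption measurement like the one in the first message relies on. Its only inputs are a prefix and an origin AS, which is the "origin only" scope the OVH reply refers to. All ROAs, prefixes and AS numbers are constructed from the documentation ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed ROAs: (prefix, maxLength, authorized origin AS).
# Prefixes and AS numbers come from the documentation ranges.
ROAS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),
    ("2001:db8::/32", 48, 64498),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        # AS0 in a ROA never matches any announcement.
        if route.prefixlen <= max_len and origin_as == roa_as and roa_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def adoption(announcements, roas=ROAS):
    """Count validation states over (prefix, origin AS) pairs."""
    return Counter(validate_origin(p, a, roas) for p, a in announcements)

# Constructed announcements standing in for prefixes that contain relays.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # matches its ROA
    ("192.0.2.0/24", 64511),       # covered, but wrong origin AS
    ("198.51.100.128/25", 64497),  # right AS, longer than maxLength
    ("2001:db8:1::/48", 64498),    # within maxLength
    ("203.0.113.0/24", 64499),     # no covering ROA
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:20} AS{asn}  {validate_origin(prefix, asn)}")
    print(dict(adoption(ANNOUNCEMENTS)))
```

A prefix with no covering ROA comes back as "not-found" rather than "invalid", so validating networks still accept it; that is the state a hoster's prefixes stay in until it publishes ROAs.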
OVH response so far.
"
Thank you for contacting OVH regarding your concern about BGP hijacking.
We first would like to apologize for the delayed response! We are experiencing an unusual amount of requests at this moment. This is why the response time is longer than usual.
That being said, I have forwarded this question to our specialists and will update this ticket once I've received a response.
We thank you for your patience.
For any other questions or concerns, please feel free to contact us through a support ticket or through our toll-free line at 1-855-684-5463. We’re here 24/7 to help you!
We thank you again for choosing OVH, "
Paul
OVH Final response.
I've been informed that RPKI ROA is indeed a very nice security mechanism for BGP and prevents BGP hijacking and we totally agree that the popularity grew since the recent months. We definitely will consider this solution as BGP hijacking protection.
For now, we do not have specific ETA for this implementation, however, it will be looked into.
Interesting info for statistics: https://rpki-monitor.antd.nist.gov
For any other questions or concerns, please feel free to contact us through a support ticket or through our toll-free line at 1-855-684-5463. We’re here 24/7 to help you!
We thank you again for choosing OVH,
tor-relays@lists.torproject.org