[tor-relays] 9 routing security recommendations for relay operators

nusenu nusenu-lists at riseup.net
Tue Sep 4 14:52:00 UTC 2018


(mostly a copy paste from [0])

1. Monitor your relay’s BGP prefix for suspicious BGP activity and share alerts with 
this mailing list.
The easiest way to do so is to subscribe to your prefixes using https://bgpmon.net/.
You should practically get zero alerts.

2. Check the following properties of the prefixes you use (ideally even before ordering servers):

    prefix length and IRR state [1]
    RPKI state [2] 

3. Ask your ISP/IP holder to create ROAs [4] for the prefixes you use, if the ROA is currently missing.

4. Ensure the ROA creator is aware of the risks of the maxlength attribute [3] 
and uses it accordingly (in the best case not at all)

5. Monitor the RPKI validity state of your prefixes (can also be done with bgpmon)

6. Ask your ISP to announce the IP space of your relays in /24 prefixes (/48 for IPv6) 
to avoid more-specific prefix hijacks (this makes sense even if you have ROAs in place due to the low ROV coverage)

7. If your relay uses IP addresses from the RIPE region: 
ask your provider to create route(6) objects matching the announcements if they are not present yet. 
You can use RIPEstat’s prefix routing consistency widget [1] to check the current state
(the “In RIS” and “RIPE IRR” columns should both say “yes”).

8. Be aware that “LEGACY” or “ERX” IP space might be less likely to get ROAs from your ISP

9. Enable IPv6 on your relays


[0] https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92
[1] https://stat.ripe.net/widget/prefix-routing-consistency
[2] https://rpki-validator.ripe.net/bgp-preview
[3] https://www.youtube.com/watch?v=I3Owb0u8Wuk
[4] https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-certification-roa-management
https://www.arin.net/resources/rpki/using_rpki.html

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
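An added example, not part of nusenu's post or of any of the referenced tools, showing how an RPKI validator arrives at the validity state that points 2, 4 and 5 above talk about: the Route Origin Validation outcome (valid / invalid / notfound, as defined in RFC 6811) for one announcement against a set of ROAs. The ROAs and prefixes are constructed from documentation address space; the loose ROA for 203.0.112.0/22 illustrates the maxlength caveat from point 4, and the /25 case illustrates why a more-specific announcement falls outside a tight ROA.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: asn may originate prefix up to max_length."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROAs using documentation address space (not real ROAs).
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),     # tight: max_length equals prefix length
    Roa("203.0.112.0/22", 24, 64501),   # loose: max_length also covers /23 and /24
    Roa("2001:db8::/32", 48, 64500),    # IPv6, allowing /48 announcements
]


def covering_roas(roas, prefix):
    """ROAs whose prefix contains the announced prefix ('covering' in RFC 6811)."""
    net = ipaddress.ip_network(prefix)
    result = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            result.append(roa)
    return result


def rov_state(roas, prefix, origin_asn):
    """Route Origin Validation outcome per RFC 6811.

    notfound: no ROA covers the prefix (ROV-enforcing routers still accept it).
    valid:    a covering ROA lists this origin ASN and max_length >= prefix length.
    invalid:  covering ROAs exist but none matches (ROV-enforcing routers drop it).
    """
    net = ipaddress.ip_network(prefix)
    covering = covering_roas(roas, prefix)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    print(rov_state(SAMPLE_ROAS, "192.0.2.0/24", 64500))   # valid: matches tight ROA
    print(rov_state(SAMPLE_ROAS, "192.0.2.0/25", 64500))   # invalid: /25 exceeds max_length 24
    # Loose max_length: a /24 that the ROA holder never announces still validates
    # whenever its ASN is named as origin, which is the risk point 4 refers to.
    print(rov_state(SAMPLE_ROAS, "203.0.113.0/24", 64501))  # valid
```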
