
[tor-relays] 9 routing security recommendations for relay operators



(mostly a copy-paste from [0])

1. Monitor your relay’s BGP prefix for suspicious BGP activity and share alerts with 
this mailing list.
The easiest way to do so is to subscribe to your prefixes using https://bgpmon.net/.
You should practically get zero alerts.

2. Check the following properties of the prefixes you use (ideally even before ordering servers):

    prefix length and IRR state [1]
    RPKI state [2] 

3. Ask your ISP/IP holder to create ROAs [4] for the prefixes you use, if the ROA is currently missing.

4. Ensure the ROA creator is aware of the risks of the maxlength attribute [3] 
and uses it accordingly (in the best case not at all).

5. Monitor the RPKI validity state of your prefixes (can also be done with bgpmon)

6. Ask your ISP to announce the IP space of your relays in /24 prefixes (/48 for IPv6) 
to avoid more-specific prefix hijacks (this makes sense even if you have ROAs in place due to the low ROV coverage)

7. If your relay uses IP addresses from the RIPE region: 
ask your provider to create route(6) objects matching the announcements if they are not present yet. 
You can use RIPEstat’s prefix routing consistency widget [1] to check the current state 
(the “In RIS” and “RIPE IRR” columns should both say “yes”).

8. Be aware that “LEGACY” or “ERX” IP space might be less likely to get ROAs from your ISP.

9. Enable IPv6 on your relays


[0] https://medium.com/@nusenu/how-vulnerable-is-the-tor-network-to-bgp-hijacking-attacks-56d3b2ebfd92
[1] https://stat.ripe.net/widget/prefix-routing-consistency
[2] https://rpki-validator.ripe.net/bgp-preview
[3] https://www.youtube.com/watch?v=I3Owb0u8Wuk
[4] https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-certification-roa-management
https://www.arin.net/resources/rpki/using_rpki.html

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu


_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays