RPKI and offline routes
Matthias Waehlisch
m.waehlisch at fu-berlin.de
Tue Jun 14 18:39:19 UTC 2016
Hi,
yes.
In this context the discussion at IETF92 might be interesting:
https://www.ietf.org/proceedings/92/minutes/minutes-92-sidr (search for
"Extemporaneous Presentation")
Cheers
matthias
On Tue, 14 Jun 2016, Hugo Slabbert wrote:
>
> On Mon 2016-Jun-13 17:53:45 -0500, Matthias Waehlisch
> <m.waehlisch at fu-berlin.de> wrote:
>
> > Hi,
> >
> > the creation of a ROA does not require the announcement of the prefix.
> > Creation of a ROA, prefix announcement, and validation of the prefix are
> > decoupled. If you are the legitimate resource holder you can create a
> > ROA for this prefix (even if you don't advertise the prefix). As soon as
> > the prefix is advertised, third parties can validate based on the
> > created ROA.
> >
> > However, in case the hijacker is able to use the legitimate origin
> > ASN, the validation outcome would be valid. You would need to assign the
> > prefix to an ASN that cannot be hijacked or is dropped for other
> > reasons. (Or do BGPsec. ;)
>
> Would this not be a valid use case for creating an ROA with origin AS 0?
>
> RFC7607[1]
>
> Autonomous System 0 was listed in the IANA Autonomous System Number
> Registry as "Reserved - May be use [sic] to identify non-routed
> networks" ([IANA.AS_Numbers][2]).
>
> [RFC6491] specifies that AS 0 in a Route Origin Attestation (ROA) is
> used to mark a prefix and all its more specific prefixes as not to be
> used in a routing context. This allows a resource holder to signal
> that a prefix (and the more specifics) should not be routed by
> publishing a ROA listing AS 0 as the only origin. To respond to this
> signal requires that BGP implementations not accept or propagate
> routes containing AS 0.
>
> RFC6491[3]
>
> AS 0 ROA: A ROA containing a value of 0 in the ASID field.
> "Validation of Route Origination Using the Resource Certificate
> Public Key Infrastructure (PKI) and Route Origination Authorizations
> (ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is
> an attestation by the holder of a prefix that the prefix described in
> the ROA, and any more specific prefix, should not be used in a
> routing context.
>
> With the most detail in RFC6483[4].
>
> Yes/no?
>
> >
> >
> > Cheers
> > matthias
>
>
More information about the NANOG
mailing list