RPKI unknown for superprefixes of existing ROA?

Mark Tinka mark at tinka.africa
Sat Oct 21 18:47:18 UTC 2023



On 10/21/23 16:03, Amir Herzberg wrote:

> Hi Owen, Randy, Job and other NANOGers,
>
> I surely agree with you all that we shouldn't expect discarding of 
> ROA-unknown `anytime soon' (or ever?). But I have a question: what 
> about discarding ROA-unknowns for very large prefixes (say, /12), or 
> for superprefixes of prefixes with announced ROAs? Or at least, for 
> superprefixes of prefixes with ROA to AS 0?
>
> For motivation, consider the `superprefix hijack attack'. The operator has 
> prefix 1.2.4/22, but announces only 1.2.5/24 and 1.2.6/24, with 
> appropriate ROAs. To avoid abuse of 1.2.4/24 and 1.2.7/24, they also 
> make a ROA for 1.2.4/22 with AS 0. The attacker now announces 1.2.0/20, 
> and uses IPs in 1.2.4/24 and 1.2.7/24 to send spam etc. We introduced 
> this threat and analyzed it in our ROV++ paper, btw (NDSS'21 I think - 
> available online too of course).
>
> So: would it be conceivable that operators will block such 1.2.0/20 - 
> since it's too large a prefix without ROA and in particular includes 
> sub-prefixes with ROA, esp. ROA to AS 0?

The question is - who gets to decide how much space is "too large"?

"Too large" will most certainly be different for different networks.

If we try to get the RPKI to do things other than those for which it was 
intended, which may be interpreted as "unreasonable control", we make the 
case for those who think that is what it was destined to become.

Mark.
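An added illustration, not code from either message in this thread: a small Python model of RFC 6811 route origin validation loaded with the ROAs from the quoted scenario (origin AS 64500 is an assumed value). It shows why the 1.2.0/20 announcement comes out NotFound, since no ROA covers it, and what the stricter, hypothetical policy the thread asks about (drop NotFound routes that are "too large" or that contain ROAs, in particular AS 0 ROAs) would decide for the same routes.

```python
import ipaddress

# Constructed ROAs for the scenario in the quoted mail: (prefix, maxLength, origin AS).
# Origin AS 0 means no AS may originate the prefix (RFC 6483); AS 64500 is assumed.
ROAS = [
    ("1.2.5.0/24", 24, 64500),
    ("1.2.6.0/24", 24, 64500),
    ("1.2.4.0/22", 22, 0),
]


def _parsed(roas):
    return [(ipaddress.ip_network(p), ml, asn) for p, ml, asn in roas]


def rov_state(prefix, origin_as, roas):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'.

    Only ROAs that cover the announced prefix (equal or less specific) count,
    so a superprefix announcement is never covered by the ROAs inside it.
    """
    p = ipaddress.ip_network(prefix)
    covering = [r for r in _parsed(roas)
                if r[0].version == p.version and p.subnet_of(r[0])]
    if not covering:
        return "notfound"
    for _roa_prefix, max_len, asn in covering:
        # AS 0 never matches: a route with origin AS 0 is always invalid (RFC 7607).
        if asn != 0 and asn == origin_as and p.prefixlen <= max_len:
            return "valid"
    return "invalid"


def superprefix_policy(prefix, origin_as, roas, as0_only=True, too_large_len=None):
    """Hypothetical stricter policy from the thread, layered on top of ROV:
    a NotFound route is dropped when (a) its length is at most too_large_len
    (the '/12' idea) or (b) it contains more-specific ROAs (with as0_only,
    only ROAs to AS 0). Valid and Invalid results are returned unchanged."""
    state = rov_state(prefix, origin_as, roas)
    if state != "notfound":
        return state
    p = ipaddress.ip_network(prefix)
    if too_large_len is not None and p.prefixlen <= too_large_len:
        return "reject-too-large"
    inner = [r for r in _parsed(roas)
             if r[0].version == p.version and r[0].subnet_of(p)]
    if as0_only:
        inner = [r for r in inner if r[2] == 0]
    return "reject-covers-roa" if inner else "notfound"
```

Note that `too_large_len` is exactly the knob Mark's reply points at: the model makes the "how large is too large" choice an explicit per-network parameter rather than something the RPKI itself defines.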

