RPKI unknown for superprefixes of existing ROA ?
Job Snijders
job at fastly.com
Sun Oct 22 15:46:54 UTC 2023
On Sun, 22 Oct 2023 at 17:42, Amir Herzberg <amir.lists at gmail.com> wrote:
> Bill, thanks! You explained the issue much better than me. Yes, the
> problem is that, in my example, the operator was allocated 1.2.4/22 but
> the attacker is announcing 1.2.0/20, which is larger than the allocation,
> so the operator cannot issue ROA for it (or covering it). Of course, the
> RIR _could_ do it (but I don't think they do, right?). So this `superprefix
> hijack' may succeed in spite of all the ROAs that the operator could
> publish.
>
> I'm not saying this is much of a concern, as I never heard of such attacks
> in the wild, but I guess it _could_ happen in the future.
>
How is “success” measured here?
The attacker won’t be drawing traffic towards itself destined for addresses
in the /22, because of LPM
https://en.wikipedia.org/wiki/Longest_prefix_match
Attackers don’t hijack IP traffic by announcing less-specifics. It don’t
work that way.
Kind regards,
Job
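To make the two points in this thread concrete, here is a small added example (not code from the thread or from any RPKI implementation): it runs RFC 6811 route origin validation over constructed ROAs, then applies longest-prefix match to a forwarding table that holds both the operator's /22 and a less-specific /20 from another origin. The ASNs, prefixes and next-hop labels are constructed for illustration.

```python
import ipaddress

# Constructed ROAs: (prefix, maxLength, origin ASN). Values are illustrative,
# not real allocations or real ASNs.
ROAS = [
    (ipaddress.ip_network("1.2.4.0/22"), 24, 64500),
]

def rov_state(prefix, origin_asn, roas=ROAS):
    """RFC 6811 Route Origin Validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r[0])]
    if not covering:
        # No ROA covers the announced prefix: RPKI state is "unknown"/NotFound,
        # which the /20 from the thread lands in; it is not "invalid".
        return "notfound"
    for roa_prefix, maxlen, asn in covering:
        if asn == origin_asn and net.prefixlen <= maxlen:
            return "valid"
    return "invalid"

def lpm(fib, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in fib:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None

# Constructed announcements: (prefix, origin ASN, next hop). The operator
# originates its allocated /22; a different origin announces the covering /20.
ANNOUNCEMENTS = [
    ("1.2.4.0/22", 64500, "operator"),
    ("1.2.0.0/20", 64666, "other"),
]

def build_fib(announcements, drop_invalid=True):
    """Install routes, dropping RPKI-invalid ones (typical ROV policy)."""
    fib = []
    for prefix, asn, nexthop in announcements:
        if drop_invalid and rov_state(prefix, asn) == "invalid":
            continue
        fib.append((ipaddress.ip_network(prefix), nexthop))
    return fib

FIB = build_fib(ANNOUNCEMENTS)
```

Destinations inside 1.2.4.0/22 still resolve to the operator's route because the /22 is longer than the /20; only addresses in the /20 but outside the /22 follow the less-specific, and the /20 itself validates as NotFound rather than Invalid because no ROA can cover it.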