RPKI unknown for superprefixes of existing ROA ?

• Previous message (by thread): RPKI unknown for superprefixes of existing ROA ?
• Next message (by thread): RPKI unknown for superprefixes of existing ROA ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 22 Oct 2023 at 17:42, Amir Herzberg <amir.lists at gmail.com> wrote:

> Bill, thanks! You explained the issue much better than me. Yes, the
> problem is that, in my example, the operator was allocated  1.2.4/22 but
> the attacker is announcing  1.2.0/20, which is larger than the allocation,
> so the operator cannot issue ROA for it (or covering it). Of course, the
> RIR _could_ do it (but I don't think they do, right?). So this `superprefix
> hijack' may succeed in spite of all the ROAs that the operator could
> publish.
>
> I'm not saying this is much of a concern, as I never heard of such attacks
> in the wild, but I guess it _could_ happen in the future.
>


How is “success” measured here?

The attacker won’t be drawing traffic towards itself destined for addresses
in the /22, because of LPM
https://en.wikipedia.org/wiki/Longest_prefix_match

Attackers don’t hijack IP traffic by announcing less-specifics. It don’t
work that way.

Kind regards,

Job

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20231022/ce940788/attachment.html>

• Previous message (by thread): RPKI unknown for superprefixes of existing ROA ?
• Next message (by thread): RPKI unknown for superprefixes of existing ROA ?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]