RPKI unknown for superprefixes of existing ROA ?

Tom Beecher beecher at beecher.cc
Sun Oct 22 16:37:45 UTC 2023


>
> Let me ground it a bit:
>
> He's saying that someone could come along and advertise 0.0.0.0/1 and
> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
> regardless of the block's ROA.
>
> RPKI is unable to address this attack vector.
>

https://www.rfc-editor.org/rfc/rfc6483

Section 4

>
> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
> holder of a prefix that the prefix described in the ROA, and any more
> specific prefix, should not be used in a routing context.
> The route validation procedure, described in Section 2
> <https://www.rfc-editor.org/rfc/rfc6483#section-2>, will provide
> a "valid" outcome if any ROA matches the address prefix and origin
> AS, even if other valid ROAs would provide an "invalid" validation
> outcome if used in isolation. Consequently, an AS 0 ROA has a lower
> relative preference than any other ROA that has a routable AS as its
> subject. This allows a prefix holder to use an AS 0 ROA to declare a
> default condition that any route that is equal to or more specific
> than the prefix to be considered "invalid", while also allowing other
> concurrently issued ROAs to describe valid origination authorizations
> for more specific prefixes.
> By convention, an AS 0 ROA should have a maxLength value of 32 for
> IPv4 addresses and a maxlength value of 128 for IPv6 addresses;
> although, in terms of route validation, the same outcome would be
> achieved with any valid maxLength value, or even if the maxLength
> element were to be omitted from the ROA.


A properly constructed AS 0 ROA for 1.2.4/22 ( in Amir's scenario ) would
cause an RPKI participating router to properly mark any more specific
announcement inside 1.2.4/22 as INVALID, which is in fact 'addressing the
attack vector', WITH the assertion that all routers in the routing domain
are RPKI enabled, and discarding RPKI INVALIDs.

The fact that RPKI INVALID routes *cannot* be summarily discarded TODAY
because of the state of the internet as a whole is a separate issue.

Fundamentally, in the scenario described by Amir originally, the operator
is being dumb by NOT announcing AT LEAST the prefix for their allocation to
ensure that nobody can just toss out an announcement to snipe the
unannounced space.

On Sun, Oct 22, 2023 at 12:28 PM William Herrin <bill at herrin.us> wrote:

> On Sun, Oct 22, 2023 at 9:10 AM William Herrin <bill at herrin.us> wrote:
> > In essence, this means that a ROA to AS0 doesn't work as intended.
>
> Let me ground it a bit:
>
> He's saying that someone could come along and advertise 0.0.0.0/1 and
> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
> regardless of the block's ROA.
>
> RPKI is unable to address this attack vector.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>
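As an added illustration (my code, not something posted in the thread), here is a minimal RFC 6483 section 2 style route origin validator run against the 1.2.4/22 scenario. The ASNs (AS64496 as the prefix holder, AS64512 as the sniper) are constructed; the AS 0 ROA is what Tom describes, and the /1 superprefixes are the ones Bill describes. It shows why the AS 0 ROA turns a more specific into INVALID while the superprefixes only ever come back NOT FOUND.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # covered prefix, e.g. "1.2.4.0/22"
    max_length: int   # maxLength; 32 by convention for an AS 0 ROA (RFC 6483 s.4)
    asn: int          # authorised origin AS; 0 means "do not route" (AS 0 ROA)


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """Route origin validation in the RFC 6483 s.2 / RFC 6811 sense.

    A ROA *covers* a route when the route prefix lies within the ROA prefix.
    A covering ROA *matches* when the origin AS equals the ROA's AS and the
    route's length does not exceed maxLength. Outcome: "valid" if any ROA
    matches, "invalid" if ROAs cover but none match, "notfound" otherwise.
    """
    route = ipaddress.ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        # AS 0 is reserved and is never a legitimate origin, so an AS 0 ROA
        # covers routes but can never match one: it only ever yields "invalid".
        if roa.asn != 0 and origin_asn == roa.asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed ROA set for the holder of 1.2.4.0/22 (AS64496):
#  - an AS 0 ROA with maxLength 32, per the RFC 6483 s.4 convention
#  - a normal ROA authorising AS64496 to announce exactly the /22
ROAS = [
    Roa("1.2.4.0/22", 32, 0),
    Roa("1.2.4.0/22", 22, 64496),
]

if __name__ == "__main__":
    print(validate("1.2.5.0/24", 64512, ROAS))    # more specific sniped by AS64512 -> invalid
    print(validate("1.2.4.0/22", 64496, ROAS))    # holder announces its allocation -> valid
    print(validate("0.0.0.0/1", 64512, ROAS))     # superprefix from Bill's scenario -> notfound
    print(validate("128.0.0.0/1", 64512, ROAS))   # likewise -> notfound
```

The "notfound" results for the two /1 announcements are the gap Bill points at: no ROA covers them, so origin validation alone has nothing to say, which is why the holder announcing at least its own /22 (Tom's point) matters.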