RPKI unknown for superprefixes of existing ROA ?

Tom Beecher beecher at beecher.cc
Sun Oct 22 17:05:54 UTC 2023


>
> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.
>

Quoting myself:

> WITH the assertion that all routers in the routing domain are RPKI enabled,
> and discarding RPKI INVALIDs.
>

In the mixed RPKI / non-RPKI environment of today's internet, no, it
doesn't. This does not mean that RPKI is deficient, or that the AS 0 ROA doesn't
work as intended, as was stated.
On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill at herrin.us> wrote:

> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher at beecher.cc> wrote:
> >> He's saying that someone could come along and advertise 0.0.0.0/1 and
> >> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
> >> regardless of the block's ROA.
> >>
> >> RPKI is unable to address this attack vector.
> >
> >
> > https://www.rfc-editor.org/rfc/rfc6483
> >
> > Section 4
> >>
> >>
> >> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
> >> holder of a prefix that the prefix described in the ROA, and any more
> >> specific prefix, should not be used in a routing context.
>
> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
>
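The validation outcome the thread is arguing about can be made concrete with RFC 6811 route origin validation over a small, constructed set of validated ROA payloads (VRPs). This is an added example, not code from the thread or from any RPKI implementation; the VRP prefixes and AS numbers below are made up for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# 192.0.2.0/24 carries an AS 0 ROA (RFC 6483 section 4): the prefix and any
# more-specific must not appear in routing. 198.51.100.0/24 has a normal ROA.
VRPS = [
    ("192.0.2.0/24", 24, 0),
    ("198.51.100.0/24", 24, 64500),  # assumed ASN, not from the thread
]


def rov_state(prefix: str, origin_as: int, vrps=VRPS) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'.

    A VRP *covers* a route when the route's prefix lies inside the VRP prefix
    (equal or more specific). A covered route is *valid* when some covering
    VRP has the same origin AS and the route is no longer than maxLength.
    A covered route with no such VRP is *invalid*. A route no VRP covers is
    *notfound* (the 'unknown' state in the subject line): less-specific
    announcements such as 0.0.0.0/1 are never covered by a /24 ROA.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        roa = ipaddress.ip_network(vrp_prefix, strict=True)
        if route.version != roa.version or not route.subnet_of(roa):
            continue
        covered = True
        # AS 0 is never a legitimate origin, so an AS 0 VRP matches nothing
        # and only serves to make every covered route invalid.
        if asn != 0 and asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"


def would_be_accepted(prefix: str, origin_as: int, drop_invalid=True) -> bool:
    """Policy of a router that discards only RPKI INVALID routes."""
    state = rov_state(prefix, origin_as)
    return not (drop_invalid and state == "invalid")


if __name__ == "__main__":
    for p, asn in [("0.0.0.0/1", 64496), ("128.0.0.0/1", 64496),
                   ("192.0.2.0/24", 64496), ("192.0.2.128/25", 64496),
                   ("198.51.100.0/24", 64500), ("198.51.100.0/25", 64500)]:
        print(f"{p:18} AS{asn}: {rov_state(p, asn):8} "
              f"accepted={would_be_accepted(p, asn)}")
```

The /1 covering announcements come back as notfound rather than invalid, so a router that only drops invalids still accepts them; the AS 0 ROA only turns the covered /24 and its more-specifics invalid.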