RPKI unknown for superprefixes of existing ROA?

Tom Beecher beecher at beecher.cc
Sun Oct 22 18:33:23 UTC 2023


>
> Basically, I guess, it means that the AS 0 solution shouldn't be used, at
> least not usually.
>

It's like everything else. Understand what the tools do and what they don't
do, and use them appropriately.

On Sun, Oct 22, 2023 at 2:21 PM Amir Herzberg <amir.lists at gmail.com> wrote:

> I agree that a good, sensible defense would be to simply announce your
> entire address block, e.g., in the example, your entire /22 (with a ROA to
> your ASN), and filter the traffic to the unused prefixes. Basically, I
> guess, it means that the AS 0 solution shouldn't be used, at least not
> usually. I wonder if anyone is using it, in fact. It would be nice to know
> if someone has the data handy.
>
> Thanks! Amir
> --
> Amir Herzberg
>
> Comcast professor of Security Innovations, Computer Science and
> Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> `Applied Introduction to Cryptography' textbook and lectures:
> https://sites.google.com/site/amirherzberg/cybersecurity
>
>
>
>
> On Sun, Oct 22, 2023 at 1:50 PM Tom Beecher <beecher at beecher.cc> wrote:
>
>> Look again, Tom. This is an attack vector using a LESS specific route.
>>> The /22 gets discarded, but a covering /0-/21 would not.
>>>
>>
>> Yes. And reliant on the operator doing something exceptionally not smart
>> to begin with. Relying on an AS0 ROA alone and not actually announcing the
>> covering prefix as well isn't a good thing to do.
>>
>> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen at delong.com> wrote:
>>
>>> Look again, Tom. This is an attack vector using a LESS specific route.
>>> The /22 gets discarded, but a covering /0-/21 would not.
>>>
>>> Owen
>>>
>>> On Oct 22, 2023, at 10:06, Tom Beecher <beecher at beecher.cc> wrote:
>>>
>>>
>>>
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>>>
>>>
>>> Quoting myself :
>>>
>>> WITH the assertion that all routers in the routing domain are RPKI
>>>> enabled, and discarding RPKI INVALIDs.
>>>>
>>>
>>> In the mixed RPKI / non-RPKI environment of today's internet, no it
>>> doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
>>> work as intended, as was stated.
>>>
>>>
>>>
>>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill at herrin.us> wrote:
>>>
>>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher at beecher.cc> wrote:
>>>> >> He's saying that someone could come along and advertise 0.0.0.0/1 and
>>>> >> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>>>> >> regardless of the block's ROA.
>>>> >>
>>>> >> RPKI is unable to address this attack vector.
>>>> >
>>>> >
>>>> > https://www.rfc-editor.org/rfc/rfc6483
>>>> >
>>>> > Section 4
>>>> >>
>>>> >>
>>>> >> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>>>> >> holder of a prefix that the prefix described in the ROA, and any more
>>>> >> specific prefix, should not be used in a routing context.
>>>>
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>>>
>>>> Regards,
>>>> Bill Herrin
>>>>
>>>>
>>>> --
>>>> William Herrin
>>>> bill at herrin.us
>>>> https://bill.herrin.us/
>>>>
>>>
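As an added illustration (editor's code, not from anyone in the thread), here is a minimal RFC 6811 route origin validation step plus longest-prefix route selection; the prefix 10.10.0.0/22 and the ASNs 64496 and 64512 are constructed sample values. It shows why an AS 0 ROA alone makes the /22 and its more specifics invalid but leaves a covering /21 at not-found, and why announcing the whole /22 with a ROA for your own ASN wins longest-prefix match instead.

```python
import ipaddress

# Route Origin Validation as in RFC 6811, with AS 0 ROA semantics from RFC 6483
# section 4. A ROA is (prefix, maxlen, asn); asn 0 means "do not route".

def validate(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, maxlen, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # An AS 0 ROA never matches: no legitimate origin can equal AS 0.
        if route.prefixlen <= maxlen and roa_as == origin_as and roa_as != 0:
            return "valid"
    return "invalid" if covered else "not-found"

def best_route(dest, table, roas):
    """Longest-prefix match over a table, dropping RPKI-invalid routes first."""
    dest = ipaddress.ip_address(dest)
    usable = []
    for prefix, origin_as in table:
        net = ipaddress.ip_network(prefix)
        state = validate(prefix, origin_as, roas)
        if dest in net and state != "invalid":
            usable.append((net.prefixlen, prefix, origin_as, state))
    if not usable:
        return None
    _, prefix, origin_as, state = max(usable)
    return (prefix, origin_as, state)

# Constructed sample: the holder of 10.10.0.0/22 (AS 64496, made up) publishes
# only an AS 0 ROA because the block is unused, while another party
# (AS 64512, made up) announces the covering /21.
AS0_ONLY = [("10.10.0.0/22", 22, 0)]
COVERING = [("10.10.0.0/21", 64512)]

def thread_example():
    """Reproduce the two situations discussed in the thread."""
    # AS 0 ROA alone: the /21 is merely not-found and carries the traffic.
    as0_result = best_route("10.10.1.1", COVERING, AS0_ONLY)
    # Defense: a ROA for your own ASN plus actually announcing the whole /22,
    # so longest-prefix match prefers the legitimate route over the /21.
    with_roa = [("10.10.0.0/22", 22, 64496)]
    announced = COVERING + [("10.10.0.0/22", 64496)]
    roa_result = best_route("10.10.1.1", announced, with_roa)
    return as0_result, roa_result
```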