RPKI unknown for superprefixes of existing ROA ?

Owen DeLong owen at delong.com
Wed Oct 25 00:26:59 UTC 2023


The covering /20 isn’t his to announce… He has a /22. He’s announcing all 4 /24s, and may not have a legitimate place to announce the covering /22, which wouldn’t help in this case anyway.

So I’m not sure why you think that’s a solution.

Owen


> On Oct 22, 2023, at 10:45, Tom Beecher <beecher at beecher.cc> wrote:
> 
>> Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not. 
> 
> Yes. And reliant on the operator doing something exceptionally not smart to begin with.  Relying on an AS0 ROA alone and not actually announcing the covering prefix as well isn't a good thing to do. 
> 
> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen at delong.com> wrote:
>> Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not. 
>> 
>> Owen
>> 
>>> On Oct 22, 2023, at 10:06, Tom Beecher <beecher at beecher.cc> wrote:
>>> 
>>> 
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>> 
>>> Quoting myself : 
>>> 
>>>> WITH the assertion that all routers in the routing domain are RPKI enabled, and discarding RPKI INVALIDs.
>>> 
>>>  In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.
>>> 
>>>  
>>> 
>>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill at herrin.us> wrote:
>>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher at beecher.cc> wrote:
>>>> >> He's saying that someone could come along and advertise 0.0.0.0/1 and
>>>> >> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>>>> >> regardless of the block's ROA.
>>>> >>
>>>> >> RPKI is unable to address this attack vector.
>>>> >
>>>> >
>>>> > https://www.rfc-editor.org/rfc/rfc6483
>>>> >
>>>> > Section 4
>>>> >>
>>>> >>
>>>> >> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>>>> >> holder of a prefix that the prefix described in the ROA, and any more
>>>> >> specific prefix, should not be used in a routing context.
>>>> 
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>>> 
>>>> Regards,
>>>> Bill Herrin
>>>> 
>>>> 
>>>> -- 
>>>> William Herrin
>>>> bill at herrin.us
>>>> https://bill.herrin.us/

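Worked illustration of the RFC 6811 validation logic the thread is arguing about, added here and not code from any poster; the ROA set, prefixes and AS numbers are constructed for the example:

```python
# RFC 6811 route origin validation over a constructed ROA set. It shows why an
# AS 0 ROA on a /22 makes the /22 and its /24s Invalid, while a less specific
# covering route (a /21, or 0.0.0.0/1) is NotFound: a ROA covers its own prefix
# and MORE specifics only, never a covering aggregate.
# Added example; ROAs, prefixes and ASNs below are constructed, not real data.
from ipaddress import ip_network

# Constructed ROAs as (prefix, maxLength, origin AS). AS 0 = "do not route"
# (RFC 6483 section 4); no real BGP announcement carries origin AS 0
# (RFC 7607), so an AS 0 ROA can be covered but never matched.
ROAS = [
    ("192.0.0.0/22", 24, 0),        # holder's /22, down to /24, marked unroutable
    ("198.51.100.0/24", 24, 64500), # an ordinary ROA for comparison
]

def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2.

    covered: a ROA prefix contains the announced prefix (equal or less specific).
    matched: covered, announced length <= maxLength, and origin AS equals ROA AS.
    """
    net = ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ip_network(roa_prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= max_len and roa_as == origin_as:
            return "valid"
    return "invalid" if covered else "notfound"

def thread_scenario(attacker_as: int = 64496) -> dict:
    """The case argued in the thread: with a hypothetical attacker AS, the /22
    and its /24s are dropped by RPKI-filtering routers, but a covering /21 or
    /1 is NotFound and passes, so the AS 0 ROA alone does not protect them."""
    return {p: validate(p, attacker_as)
            for p in ("192.0.0.0/22", "192.0.2.0/24", "192.0.0.0/21", "0.0.0.0/1")}
```

Running `thread_scenario()` shows only the first two entries as invalid; the covering /21 and /1 come back notfound, which is exactly the state a router that drops only invalids will accept.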