Prefix hijacking, how to prevent and fix currently

Saku Ytti saku at ytti.fi
Tue Sep 2 15:27:54 UTC 2014


On (2014-09-02 14:44 +0000), Sriram, Kotikalapudi wrote:

Hi Sriram,

> Importantly, C has a created a ROA for 192.0.2.0/23 only to protect 
> its address space, but currently *does not advertise* this prefix or any part of it.
> So D's more specific announcement (hijack) is 'Invalid' in this scenario but 
> the 'Loose' mode operation would accept/install D's route.
> Am I right about that? If yes, that is the side effect or CON that I was trying to highlight.

Absolutely, thanks I now understood you and we're on the same page. Loose only
protects routed networks, it do not protect hijacked non-routed prefixes.

> Further, later in a mature stage of RPKI, when nearly all operators have 
> implemented the paragraph I cited from RFC 7115, then routers can drop 'Loose' mode.    

Yes, many may have sufficient confidence to turn off loose mode at later time.
All of them would be able to gather data during loose-period about actual
occurrence of false positives. Perhaps that is always 0 or at least has been 0
for past several years, this might be make it easy to give accurate data of
factual business risks.

-- 
  ++ytti


More information about the NANOG mailing list