RPKI and offline routes
Hugo Slabbert
hugo at slabnet.com
Tue Jun 14 15:57:45 UTC 2016
On Mon 2016-Jun-13 17:53:45 -0500, Matthias Waehlisch <m.waehlisch at fu-berlin.de> wrote:
>Hi,
>
> the creation of a ROA does not require the announcement of the prefix.
>Creation of a ROA, prefix announcement, and validation of the prefix are
>decoupled. If you are the legitimate resource holder you can create a
>ROA for this prefix (even if you don't advertise the prefix). As soon as
>the prefix is advertised, third parties can validate based on the
>created ROA.
>
> However, in case the hijacker is able to use the legitimate origin
>ASN, the validation outcome would be valid. You would need to assign the
>prefix to an ASN that cannot be hijacked or is dropped for other
>reasons. (Or do BGPsec. ;)
Would this not be a valid use case for creating an ROA with origin AS 0?
RFC7607[1]:

    Autonomous System 0 was listed in the IANA Autonomous System Number
    Registry as "Reserved - May be use [sic] to identify non-routed
    networks" ([IANA.AS_Numbers][2]).

    [RFC6491] specifies that AS 0 in a Route Origin Attestation (ROA) is
    used to mark a prefix and all its more specific prefixes as not to be
    used in a routing context. This allows a resource holder to signal
    that a prefix (and the more specifics) should not be routed by
    publishing a ROA listing AS 0 as the only origin. To respond to this
    signal requires that BGP implementations not accept or propagate
    routes containing AS 0.

RFC6491[3]:

    AS 0 ROA: A ROA containing a value of 0 in the ASID field.

    "Validation of Route Origination Using the Resource Certificate
    Public Key Infrastructure (PKI) and Route Origination Authorizations
    (ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is
    an attestation by the holder of a prefix that the prefix described in
    the ROA, and any more specific prefix, should not be used in a
    routing context."

With the most detail in RFC6483[4].
Yes/no?
>
>
>Cheers
> matthias
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
>
>On Mon, 13 Jun 2016, Theodore Baschak wrote:
>
>> Can RPKI be used with routes that are not being advertised at the moment?
>> As in to sign a route that *could* be there, but is not there presently.
>>
>> There's been several BGP hijacks that I've followed closely that
>> involved hijacking IP space as well as the ASN that would normally
>> originate it. I'm wondering if having valid ROAs/RPKI would have
>> helped in this case or not.
>>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>>
[1]https://tools.ietf.org/html/rfc7607#section-1
[2]https://tools.ietf.org/html/rfc7607#ref-IANA.AS_Numbers
[3]https://tools.ietf.org/html/rfc6491#section-4
[4]https://tools.ietf.org/html/rfc6483#section-4
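Added example, not part of the thread: a minimal RFC 6483 route origin validation in Python that shows why an AS 0 ROA turns a hijack of an unadvertised prefix, even one reusing the legitimate ASN, into "invalid" rather than "not-found". The prefixes (RFC 5737 documentation space) and ASNs (RFC 5398 documentation range) are constructed for the example and imply no real operator.

```python
import ipaddress
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    prefix: str      # ROA address prefix, e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the ROA authorizes (maxLength)
    asn: int         # origin AS; 0 means "do not route" (RFC 6491)


def validate_origin(route_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6483 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route when the route prefix lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin ASN and a length within maxLength.
        # An AS 0 ROA can never match (RFC 7607 routers reject AS 0 in the
        # AS_PATH), so it only contributes "covered" and forces "invalid".
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def as0_scenario() -> dict:
    """Outcomes for the thread's question: the holder publishes only an AS 0 ROA
    for a prefix it does not advertise. Constructed sample data."""
    as0_only = [ROA("192.0.2.0/24", 24, 0)]
    return {
        # Hijacker announces the exact prefix with the legitimate ASN (64496).
        "hijack_with_legit_asn": validate_origin("192.0.2.0/24", 64496, as0_only),
        # Hijacker announces a more specific; the AS 0 ROA covers it too.
        "hijack_more_specific": validate_origin("192.0.2.0/25", 64497, as0_only),
        # Same hijack with no ROA at all: validators see nothing unusual.
        "no_roa_at_all": validate_origin("192.0.2.0/24", 64496, []),
    }


if __name__ == "__main__":
    for case, state in as0_scenario().items():
        print(f"{case}: {state}")
```

Once the holder does advertise the prefix, adding an ordinary ROA for the real origin beside the AS 0 ROA makes that origin valid, since under RFC 6483 a single matching ROA suffices.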