RPKI for dummies

Tom Beecher beecher at beecher.cc
Thu Aug 20 14:53:17 UTC 2020


ROA = Route Origin Authorization. Origin is the key word.

When you create a signed ROA and do all the publishing bits, RPKI
validator software will retrieve that, validate the signature, and pass
that up to routers, saying "This prefix range that originates from this ASN
is valid." Then, any BGP advertisement that contains a prefix in that
range, with an origin ASN that matches, is treated as valid. The
intermediary AS path isn't a factor.

If another ASN ORIGINATES an announcement for your space, then RPKI routers
will treat that announcement as INVALID, because that isn't authorized.

If another ASN spoofs your ASN, pretending that they are your upstream,
RPKI won't solve that. But that is a different problem set.

On Thu, Aug 20, 2020 at 10:02 AM Dovid Bender <dovid at telecurve.com> wrote:

> Fabien,
>
> Thanks. So to sum it up there is nothing stopping a bad actor from
> impersonating me as if I am BGP'ing with them. It's to stop any other AS
> other than mine from advertising my IP space. Is that correct? How is
> verification done? They connect to the RIR and verify that there is a cert
> signed by the RIR for my range?
>
>
>
> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG <
> nanog at nanog.org> wrote:
>
>> Hi,
>>
>> In fact, RPKI does nothing about AS Path checks if that's your question.
>> RPKI is based on ROAs, where signatures are published to guarantee you're the
>> owner of a specific prefix, with an optional different maxLength, from your
>> ASN.
>>
>> So if the question is whether RPKI is sufficient to secure the whole BGP
>> path, well, it's not. RPKI only guarantees / permits verifying that the resource
>> announcement (IPvX block) is really owned by your ASN. But even if it's
>> not sufficient, we need to deploy it to start securing resources, not the
>> whole path.
>>
>> Don't know if it replies to your question, but you can read also the
>> pretty good documentation on RPKI here :
>> https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the
>> corresponding RFC ;)
>>
>> On 20-08-2020 15:20, Dovid Bender wrote:
>>
>> Hi,
>>
>> I am sorry for the n00b question. Can someone help point me in the right
>> direction to understand how RPKI works? I understand that from my side
>> I create a key, submit the public portion to ARIN and then send a signed
>> request to ARIN asking them to publish it. How do ISPs that receive my
>> advertisement (either directly from me, meaning my upstreams, or my
>> upstream's upstream) verify against the cert that the advertisement is
>> coming from me? If say we have
>> Medium ISP (AS1000) -> Large ISP (AS200)
>> in the above case AS200 knows it's peering with AS1000 so it will take all
>> advertisements. What's stopping AS1000 from adding a router to their
>> network to impersonate me, make it look like I am peering with them and
>> then they re-advertise the path to Large ISP?
>>
>> Again sorry for the n00b question, I am trying to make sense of how it
>> works.
>>
>> TIA.
>>
>> Dovid
>>
>>
>> --
>> *Fabien VINCENT*
>> *@beufanet*
>>
>
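The origin check Tom describes above, together with the maxLength Fabien mentions, as an added example that is not part of the original thread or of any validator software: an RFC 6811 style Route Origin Validation pass over a constructed table of validated ROA payloads (VRPs), i.e. the (prefix, maxLength, origin ASN) triples a validator hands to routers after it has checked the ROA signatures. The prefixes (RFC 5737 / RFC 3849 documentation ranges), the ASNs (private range) and the VRP set are made up for illustration; no RIR repository, validator or RTR session is involved. The last case shows the limit Tom points out: an origin ASN that is simply copied by an attacker still validates, because only the origin is checked.

```python
"""RFC 6811 style Route Origin Validation over a VRP table.

Added example; not code from the original thread. All prefixes, ASNs and
the VRP set below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what a validator passes to routers."""
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest more-specific the origin may announce
    asn: int            # authorized origin ASN (0 means "nobody", RFC 6483)


def vrp(prefix, max_length, asn):
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed VRP table, as if produced from published, signature-checked ROAs.
VRPS = [
    vrp("192.0.2.0/24", 24, 64496),       # exact prefix only
    vrp("198.51.100.0/22", 24, 64496),    # /22 plus more-specifics down to /24
    vrp("2001:db8::/32", 48, 64496),      # IPv6 works the same way
]


def covering_vrps(vrps, announced):
    """VRPs whose prefix covers the announced prefix (same address family)."""
    return [v for v in vrps
            if v.prefix.version == announced.version
            and announced.subnet_of(v.prefix)]


def validate_origin(vrps, prefix, origin_asn):
    """Return 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2.

    NotFound: no VRP covers the prefix at all (no ROA published).
    Valid:    some covering VRP has a matching ASN and maxLength >= prefix length.
    Invalid:  covered, but no VRP matches (wrong origin or too specific).
    """
    announced = ipaddress.ip_network(prefix)
    covering = covering_vrps(vrps, announced)
    if not covering:
        return "NotFound"
    for v in covering:
        if v.asn == origin_asn and announced.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def validate_bgp_update(vrps, prefix, as_path):
    """Validate a BGP UPDATE given its AS_PATH (list of ASNs, left = nearest).

    Only the rightmost ASN (the origin) matters; transit ASNs are ignored,
    which is exactly why RPKI does not detect a forged AS_PATH.
    """
    if not as_path:
        raise ValueError("AS_PATH must not be empty")
    return validate_origin(vrps, prefix, as_path[-1])


if __name__ == "__main__":
    # Constructed announcements as they might arrive at a validating router.
    for prefix, path in [
        ("192.0.2.0/24", [64500, 64501, 64496]),   # legit origin via two transits
        ("192.0.2.0/24", [64500, 64666]),          # another AS originates: Invalid
        ("198.51.100.0/25", [64496]),              # beyond maxLength: Invalid
        ("203.0.113.0/24", [64666]),               # no ROA at all: NotFound
        ("192.0.2.0/24", [64666, 64496]),          # forged origin: still Valid
    ]:
        print(f"{prefix:<18} {path!s:<24} {validate_bgp_update(VRPS, prefix, path)}")
```

A router in production applies a policy to these three states (typically reject Invalid, accept Valid and NotFound); the state itself, as this shows, depends only on the announced prefix, its length and the origin ASN.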