RPKI for dummies

Sun Aug 23 12:40:19 UTC 2020

Ok. So here is another n00b question. Why don't we have something where
when we advertise IP space we also pass along a cert that can
independently be verified by going back to the RIR to see if that cert was
signed by them. This would also stop someone spoofing my ASN.

On Thu, Aug 20, 2020 at 10:53 AM Tom Beecher <beecher at beecher.cc> wrote:

> ROA = Route Origin Authorization . Origin is the key word.
>
> When you create an signed ROA and do all the publishing bits, RPKI
> validator software will retrieve that , validate the signature, and pass
> that up to routers, saying "This prefix range that originates from this ASN
> is valid." Then, any BGP advertisement that contains a prefix in that
> range, with an origin ASN that matches, is treated as valid. The
> intermediary as-path isn't a factor.
>
> If another ASN ORIGINATES an announcement for your space, then RPKI
> routers will treat that announcement as INVALID, because that isn't
> authorized.
>
> If another ASN spoofs your ASN , pretending that they are your upstream,
> RPKI won't solve that. But that is a different problem set.
>
> On Thu, Aug 20, 2020 at 10:02 AM Dovid Bender <dovid at telecurve.com> wrote:
>
>> Fabien,
>>
>> Thanks. So to sum it up there is nothing stopping a bad actor from
>> impersonating me as if I am BGP'ing with them. It's to stop any other AS
>> other then mine from advertising my IP space. Is that correct? How is
>> verification done? They connect to the RIR and verify that there is  a cert
>> signed by the RIR for my range?
>>
>>
>>
>> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG <
>> nanog at nanog.org> wrote:
>>
>>> Hi,
>>>
>>> In fact, RPKI does nothing about AS Path checks if it's your question.
>>> RPKI is based on ROA where signatures are published to guarantee you're the
>>> owner of a specific prefix with optionnal different maxLength from your
>>> ASN.
>>>
>>> So if the question is about if RPKI is sufficient to secure the whole
>>> BGP path, well, it's not. RPKI guarantee / permit only to verify the
>>> ressource announcements (IPvX block) is really owned by your ASN. But even
>>> if it's not sufficient, we need to deploy it to start securing resources',
>>> not the whole path.
>>>
>>> Don't know if it replies to your question, but you can read also the
>>> pretty good documentation on RPKI here :
>>> https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the
>>> corresponding RFC ;)
>>>
>>> Le 20-08-2020 15:20, Dovid Bender a écrit :
>>>
>>> Hi,
>>>
>>> I am sorry for the n00b question. Can someone help point me in the right
>>> direction to understand how RPKI works? I understand that from my side that
>>> I create a key, submit the public portion to ARIN and then send a signed
>>> request to ARIN asking them to publish it. How do ISP's that receive my
>>> advertisement (either directly from me, meaning my upstreams or my
>>> upstreams upstream) verify against the cert that the advertisement is
>>> coming from me? If say we have
>>> Medium ISP (AS1000) -> Large ISP (AS200)
>>> in the above case AS200 know it's peering with AS1000 so it will take
>>> all advertisements. What's stopping AS1000 from adding a router to their
>>> network to impersonate me,  make it look like I am peering with them and
>>> then they re-advertise the path to Large ISP?
>>>
>>> Again sorry for the n00b question, I am trying to make sense of how it
>>> works.
>>>
>>> TIA.
>>>
>>> Dovid
>>>
>>>
>>> --
>>> *Fabien VINCENT*
>>> *@beufanet*
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200823/b9126d6a/attachment.html>