Understanding impact of RPKI and ROA on existing advertisements

Jakob Heitz (jheitz) jheitz at cisco.com
Fri Nov 4 04:35:35 UTC 2022


There are a lot of ROAs out there that make it EASIER to hijack
a route rather than harder.

If you register an ROA for a route and also advertise that route
in BGP, then an attacker who prepends your ASN has to at least
compete with your route with an AS_PATH length and will lose
in most of the Internet (but not all of it).

However, if you don't advertise the route, then the attacker has nothing
to compete with and his prepended route will be accepted as RPKI valid
everywhere.

Remember max_length in a ROA. All routes covered by that max_length
will be considered valid by RPKI if the origin ASN matches.
If you don't advertise them all, then you are just making it
EASIER for an attacker to hijack them.

For example if you have an ROA for 10.1.0.0/16, max_length 17,
that includes the routes:
10.1.0.0/16
10.1.0.0/17
10.1.128.0/17

If you don't advertise all those routes in BGP, they are open
to being hijacked and considered RPKI valid.

OTOH, if you register the ROA as 10.1.0.0/16 max_length 16,
then anyone who tries to advertise 10.1.0.0/17 will have
their advertisement rejected as RPKI invalid.

I'm aware that people create ROAs for more specifics in case
they need to advertise them to break a hijack.
But then the hijacker could just advertise the longest prefix
allowed by the ROA. You can't break that with a yet more specific.
Unless the user of the route is not validating with RPKI.

It's a conundrum.

Regards,
Jakob.
