RPKI unknown for superprefixes of existing ROA ?

Tom Beecher beecher at beecher.cc
Sun Oct 22 17:45:53 UTC 2023


>
> Look again, Tom. This is an attack vector using a LESS specific route. The
> /22 gets discarded, but a covering /0-/21 would not.
>

Yes. And reliant on the operator doing something exceptionally not smart to
begin with.  Relying on an AS0 ROA alone and not actually announcing the
covering prefix as well isn't a good thing to do.

On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen at delong.com> wrote:

> Look again, Tom. This is an attack vector using a LESS specific route. The
> /22 gets discarded, but a covering /0-/21 would not.
>
> Owen
>
> On Oct 22, 2023, at 10:06, Tom Beecher <beecher at beecher.cc> wrote:
>
> 
>
>> And is it your belief that this addresses the described attack vector?
>> AFAICT, it does not.
>>
>
> Quoting myself :
>
>> WITH the assertion that all routers in the routing domain are RPKI
>> enabled, and discarding RPKI INVALIDs.
>>
>
>  In the mixed RPKI / non-RPKI environment of today's internet, no it
> doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
> work as intended, as was stated.
>
>
>
> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill at herrin.us> wrote:
>
>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher at beecher.cc> wrote:
>> >> He's saying that someone could come along and advertise 0.0.0.0/1 and
>> >> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>> >> regardless of the block's ROA.
>> >>
>> >> RPKI is unable to address this attack vector.
>> >
>> >
>> > https://www.rfc-editor.org/rfc/rfc6483
>> >
>> > Section 4
>> >>
>> >>
>> >> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>> >> holder of a prefix that the prefix described in the ROA, and any more
>> >> specific prefix, should not be used in a routing context.
>>
>> And is it your belief that this addresses the described attack vector?
>> AFAICT, it does not.
>>
>> Regards,
>> Bill Herrin
>>
>>
>> --
>> William Herrin
>> bill at herrin.us
>> https://bill.herrin.us/
>>
>
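The covering-prefix hole the thread is arguing about, as an added example that is not code from the NANOG thread or from any of the participants: a small RFC 6811 route-origin validator run over a constructed ROA set. The prefixes (203.0.113.0/24 and its neighbours) are documentation space, the ASNs 64496 and 64500 are from the documentation range, and the "announcer" labels are just for readability. It shows that an AS0 ROA makes the exact prefix and any more-specific invalid, that a less-specific covering route (a /23 or 128.0.0.0/1) is merely NotFound and survives a drop-invalid policy, and that the mitigation Tom describes (announce the covering prefix yourself, with a ROA for it) makes the attacker's covering route invalid while the holder's wins by longest match over the /1.

```python
"""
RFC 6811 route-origin validation over a constructed ROA set, used to show why
an AS0 ROA stops more-specific hijacks of unrouted space but not a less
specific "covering" announcement.  Added example, not the thread's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str      # ROA prefix, e.g. "203.0.113.0/24"
    max_length: int  # maxLength: more-specifics up to this length are covered
    asn: int         # authorised origin AS; 0 is the RFC 6483 AS0 ROA


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    announcer: str   # label only (constructed), used in the results


def rov_state(route: Route, roas: List[ROA]) -> str:
    """RFC 6811 section 2 outcome: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # some ROA covers this prefix
        # A matching ROA needs the same origin AS and prefixlen <= maxLength.
        # No real announcement originates from AS 0, so an AS0 ROA can only
        # ever render covered prefixes invalid (RFC 6483 section 4).
        if (roa.asn != 0 and roa.asn == route.origin_as
                and net.prefixlen <= roa.max_length):
            return "valid"
    return "invalid" if covered else "notfound"


def best_route(dest: str, routes: List[Route], roas: List[ROA]) -> Optional[Route]:
    """Longest-prefix match among routes that survive a drop-invalid policy.
    NotFound routes are accepted, as they must be on today's mixed internet."""
    addr = ipaddress.ip_address(dest)
    candidates = [
        r for r in routes
        if addr in ipaddress.ip_network(r.prefix) and rov_state(r, roas) != "invalid"
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


# Constructed scenario: the holder publishes an AS0 ROA for 203.0.113.0/24 and
# leaves the space unrouted.  An attacker in AS64496 tries four announcements.
AS0_ROA = [ROA("203.0.113.0/24", 24, 0)]
ATTACKER = [
    Route("203.0.113.0/24", 64496, "attacker exact"),
    Route("203.0.113.128/25", 64496, "attacker more-specific"),
    Route("203.0.112.0/23", 64496, "attacker covering /23"),
    Route("128.0.0.0/1", 64496, "attacker covering /1"),
]


def attack_states() -> Dict[str, str]:
    """ROV outcome of each attacker route against the AS0 ROA alone."""
    return {r.announcer: rov_state(r, AS0_ROA) for r in ATTACKER}


def winner_with_as0_roa_only() -> Optional[str]:
    best = best_route("203.0.113.10", ATTACKER, AS0_ROA)
    return best.announcer if best else None


# Mitigation from the thread: the holder also announces the covering /23 from a
# real AS (64500, constructed) and publishes a ROA authorising it.
HOLDER_ROAS = AS0_ROA + [ROA("203.0.112.0/23", 23, 64500)]
HOLDER_ROUTE = Route("203.0.112.0/23", 64500, "holder covering /23")


def winner_with_covering_announcement() -> Optional[str]:
    best = best_route("203.0.113.10", ATTACKER + [HOLDER_ROUTE], HOLDER_ROAS)
    return best.announcer if best else None


if __name__ == "__main__":
    for name, state in attack_states().items():
        print(f"{name:24s} -> {state}")
    print("best route, AS0 ROA only         :", winner_with_as0_roa_only())
    print("best route, holder announces /23 :", winner_with_covering_announcement())
```

The 128.0.0.0/1 announcement stays NotFound even after the mitigation; it is harmless for this block only because the holder's valid /23 is more specific. Space that has no covering announcement from its holder, and no ROA for the covering prefix, remains exposed to exactly the less-specific hijack Owen and Bill describe, regardless of how many routers drop invalids.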

