nanog mailing list archives
Re: RPKI unknown for superprefixes of existing ROA ?
From: Mark Tinka <mark@tinka.africa>
Date: Sat, 21 Oct 2023 20:47:18 +0200
On 10/21/23 16:03, Amir Herzberg wrote:
> Hi Owen, Randy, Job and other NANOGers,
>
> I surely agree with you all that we shouldn't expect discarding of ROA-unknown `anytime soon' (or ever?). But I have a question: what about discarding ROA-unknowns for very large prefixes (say, /12), or for superprefixes of prefixes with announced ROAs? Or at least, for superprefixes of prefixes with ROA to AS 0?
>
> For motivation, consider the `superprefix hijack attack'. Operator has prefix 1.2.4/22, but announces only 1.2.5/24 and 1.2.6/24, with appropriate ROAs. To avoid abuse of 1.2.4/24 and 1.2.7/24, they also make a ROA for 1.2.4/22 with AS 0. Attacker now announces 1.2.0/20, and uses IPs in 1.2.4/24 and 1.2.7/24 to send spam etc. We introduced this threat and analyzed it in our ROV++ paper, btw (NDSS'21 I think - available online too of course).
>
> So: would it be conceivable that operators will block such 1.2.0/20 - since it's too large a prefix without ROA and in particular includes sub-prefixes with ROA, esp. ROA to AS 0?
The question is - who gets to decide how much space is "too large"? "Too large" will most certainly be different for different networks.

If we try to get the RPKI to do things other than for which it was intended, which may be interpreted as "unreasonable control", we make the case for those who think that is what it was destined to become.
Mark.
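
Added example, not part of the original message or of any validator's code: a sketch of RFC 6811 origin validation over the ROAs in the quoted scenario, plus the check the quoted question proposes (flagging a not-found route that covers prefixes with ROAs). The prefixes are written in full dotted form; AS 64500 and AS 64511 are documentation-range placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed VRPs (prefix, max length, origin AS) for the quoted scenario.
# AS 64500 is a placeholder for the legitimate operator.
VRPS = [
    ("1.2.5.0/24", 24, 64500),
    ("1.2.6.0/24", 24, 64500),
    ("1.2.4.0/22", 22, 0),  # AS 0 ROA: no AS is authorized to originate this
]

def rov_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version == vrp_net.version and route.subnet_of(vrp_net):
            covered = True  # at least one VRP covers this route
            if route.prefixlen <= max_len and vrp_as == origin_as and vrp_as != 0:
                return "valid"
    return "invalid" if covered else "not-found"

def covered_roas(prefix, vrps=VRPS):
    """VRPs strictly more specific than the announced prefix (superprefix case)."""
    route = ipaddress.ip_network(prefix)
    hits = []
    for vrp_prefix, _max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if (vrp_net.version == route.version and vrp_net != route
                and vrp_net.subnet_of(route)):
            hits.append((vrp_prefix, vrp_as))
    return hits

def flag_superprefix(prefix, origin_as, vrps=VRPS):
    """Return (ROV state, covers an AS 0 ROA?, covered VRPs) for one route."""
    state = rov_state(prefix, origin_as, vrps)
    inner = covered_roas(prefix, vrps) if state == "not-found" else []
    as0_hit = any(asn == 0 for _, asn in inner)
    return state, as0_hit, inner

if __name__ == "__main__":
    # AS 64511 is a placeholder for an origin with no ROA of its own.
    for pfx, asn in [("1.2.5.0/24", 64500), ("1.2.4.0/24", 64511),
                     ("1.2.0.0/20", 64511), ("10.0.0.0/8", 64511)]:
        print(pfx, asn, flag_superprefix(pfx, asn))
```

The /20 comes back as not-found under plain ROV, which is why the AS 0 ROA on the /22 does not stop it; the flag only reports the overlap and leaves the accept-or-discard decision to local policy.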