nanog mailing list archives
Re: RPKI unknown for superprefixes of existing ROA ?
From: Job Snijders via NANOG <nanog () nanog org>
Date: Sun, 22 Oct 2023 17:46:54 +0200
On Sun, 22 Oct 2023 at 17:42, Amir Herzberg <amir.lists () gmail com> wrote:
> Bill, thanks! You explained the issue much better than me. Yes, the problem is that, in my example, the operator was allocated 1.2.4/22 but the attacker is announcing 1.2.0/20, which is larger than the allocation, so the operator cannot issue ROA for it (or covering it). Of course, the RIR _could_ do it (but I don't think they do, right?). So this `superprefix hijack' may succeed in spite of all the ROAs that the operator could publish. I'm not saying this is much of a concern, as I never heard of such attacks in the wild, but I guess it _could_ happen in the future.

How is “success” measured here?

The attacker won’t be drawing traffic towards itself destined for addresses in the /22, because of LPM https://en.wikipedia.org/wiki/Longest_prefix_match

Attackers don’t hijack IP traffic by announcing less-specifics. It don’t work that way.

Kind regards,

Job
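
The two points in this exchange, worked through as an added example that is not part of either post: RFC 6811 origin validation returns "notfound" for the 1.2.0.0/20 announcement because no ROA covers it, while longest-prefix match still forwards traffic for the /22 to the legitimate origin. The AS numbers (documentation range) and the drop-invalid, accept-notfound policy are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data. ASNs come from the documentation range (RFC 5398).
OPERATOR_AS = 64496   # holder of 1.2.4.0/22, as in the thread
OTHER_AS = 64511      # origin of the unauthorised announcements

# Validated ROA payloads: (prefix, maxLength, origin AS). The operator can
# only publish a ROA for its own allocation, so nothing covers 1.2.0.0/20.
VRPS = [(ipaddress.ip_network("1.2.4.0/22"), 22, OPERATOR_AS)]

ANNOUNCEMENTS = [
    ("1.2.4.0/22", OPERATOR_AS),  # legitimate
    ("1.2.4.0/22", OTHER_AS),     # same-prefix announcement, wrong origin
    ("1.2.0.0/20", OTHER_AS),     # superprefix announcement
]


def rov_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        # A VRP covers a route only if the route is equal to it or more specific.
        if route.version == vrp_prefix.version and route.subnet_of(vrp_prefix):
            covered = True
            if route.prefixlen <= max_len and origin_as == vrp_as:
                return "valid"
    return "invalid" if covered else "notfound"


def accepted_routes(announcements=ANNOUNCEMENTS):
    """Assumed policy: drop 'invalid', accept 'valid' and 'notfound'."""
    return [(p, asn) for p, asn in announcements if rov_state(p, asn) != "invalid"]


def best_route(address, rib):
    """Longest-prefix match: the most specific route containing the address."""
    addr = ipaddress.ip_address(address)
    nets = [(ipaddress.ip_network(p), asn) for p, asn in rib]
    matches = [(net, asn) for net, asn in nets if addr in net]
    if not matches:
        return None
    net, asn = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), asn


if __name__ == "__main__":
    for p, asn in ANNOUNCEMENTS:
        print(p, asn, rov_state(p, asn))
    print(best_route("1.2.5.10", accepted_routes()))
```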