nanog mailing list archives
Re: RPKI unknown for superprefixes of existing ROA ?
From: Tom Beecher <beecher () beecher cc>
Date: Sun, 22 Oct 2023 14:33:23 -0400
> Basically, I guess, it means that the AS 0 solution shouldn't be used, at least not usually.

It's like everything else. Understand what the tools do and what they don't do, and use them appropriately.

On Sun, Oct 22, 2023 at 2:21 PM Amir Herzberg <amir.lists () gmail com> wrote:

> I agree that a good, sensible defense would be to simply announce your entire address block, e.g., in the example, your entire /22 (with a ROA to your ASN), and filter the traffic to the unused prefixes. Basically, I guess, it means that the AS 0 solution shouldn't be used, at least not usually. I wonder if anyone is using it, in fact. It would be nice to know if someone has the data handy.
>
> Thanks! Amir
>
> --
> Amir Herzberg
> Comcast professor of Security Innovations, Computer Science and Engineering, University of Connecticut
> Homepage: https://sites.google.com/site/amirherzberg/home
> `Applied Introduction to Cryptography' textbook and lectures: https://sites.google.com/site/amirherzberg/cybersecurity
>
> On Sun, Oct 22, 2023 at 1:50 PM Tom Beecher <beecher () beecher cc> wrote:
>
>> > Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not.
>>
>> Yes. And reliant on the operator doing something exceptionally not smart to begin with. Relying on an AS0 ROA alone and not actually announcing the covering prefix as well isn't a good thing to do.
>>
>> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen () delong com> wrote:
>>
>>> Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not.
>>>
>>> Owen
>>>
>>> On Oct 22, 2023, at 10:06, Tom Beecher <beecher () beecher cc> wrote:
>>>
>>>> > And is it your belief that this addresses the described attack vector? AFAICT, it does not.
>>>>
>>>> Quoting myself: WITH the assertion that all routers in the routing domain are RPKI enabled, and discarding RPKI INVALIDs.
>>>>
>>>> In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.
>>>>
>>>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill () herrin us> wrote:
>>>>
>>>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher () beecher cc> wrote:
>>>>>
>>>>>> > He's saying that someone could come along and advertise 0.0.0.0/1 and 128.0.0.0/1 and by doing so they'd hijack every unrouted address block regardless of the block's ROA. RPKI is unable to address this attack vector.
>>>>>>
>>>>>> https://www.rfc-editor.org/rfc/rfc6483 Section 4
>>>>>>
>>>>>> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the holder of a prefix that the prefix described in the ROA, and any more specific prefix, should not be used in a routing context.
>>>>>
>>>>> And is it your belief that this addresses the described attack vector? AFAICT, it does not.
>>>>>
>>>>> Regards,
>>>>> Bill Herrin
>>>>>
>>>>> --
>>>>> William Herrin
>>>>> bill () herrin us
>>>>> https://bill.herrin.us/
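As an added illustration (not code from anyone in this thread), the following models RFC 6811 route origin validation over a constructed ROA set to show the point being argued: an AS 0 ROA makes the /22 and its more specifics Invalid, but a covering /21 or /1 with no ROA evaluates to NotFound, so a router that only drops Invalid keeps it; only a ROA-covered announcement of the /22 by its holder wins the longest-prefix match. The prefixes and ASNs (198.51.100.0/22, AS 64496 as holder, AS 64511 as the rogue origin) are constructed documentation values.

```python
"""RFC 6811 origin validation over a constructed ROA set (example, not thread code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"

@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int  # AS 0 = prefix and its more specifics must not be routed (RFC 6483 s.4)

def validate(announced: str, origin_asn: int, roas) -> str:
    """Return the RFC 6811 validation state of one BGP announcement."""
    route = ip_network(announced)
    covering = [r for r in roas
                if ip_network(r.prefix).version == route.version
                and route.subnet_of(ip_network(r.prefix))]
    if not covering:
        return NOT_FOUND   # no ROA covers this route; RPKI says nothing about it
    if origin_asn == 0:
        return INVALID     # AS 0 is never a legitimate origin (RFC 7607)
    if any(r.asn == origin_asn and route.prefixlen <= r.max_length for r in covering):
        return VALID
    return INVALID

# Constructed scenario: 198.51.100.0/22 is held by AS 64496; AS 64511 is the rogue origin.
ANNOUNCEMENTS = [
    ("198.51.100.0/22", 64496),  # holder announces its whole block
    ("198.51.101.0/24", 64511),  # rogue more specific
    ("198.51.96.0/21", 64511),   # rogue covering /21 (the case raised in the thread)
    ("128.0.0.0/1", 64511),      # rogue covering /1 (the case raised in the thread)
]
AS0_ONLY = [Roa("198.51.100.0/22", 22, 0)]        # AS 0 ROA, nothing legitimately announced
HOLDER_ROA = [Roa("198.51.100.0/22", 22, 64496)]  # ROA naming the holder's ASN

def accepted_routes(roas, announcements=ANNOUNCEMENTS):
    """Routes kept by a router that drops only Invalid, keyed by prefix."""
    kept = {}
    for prefix, asn in announcements:
        state = validate(prefix, asn, roas)
        if state != INVALID:
            kept[prefix] = (asn, state)
    return kept

def best_origin(dest: str, kept):
    """Longest-prefix match: the origin AS that receives traffic for dest, or None."""
    matches = [p for p in kept if ip_address(dest) in ip_network(p)]
    if not matches:
        return None
    return kept[max(matches, key=lambda p: ip_network(p).prefixlen)][0]
```

With `AS0_ONLY`, `best_origin("198.51.101.1", accepted_routes(AS0_ONLY))` returns 64511 via the NotFound /21; with `HOLDER_ROA` and the holder's /22 announced, it returns 64496.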