nanog mailing list archives

Re: "Is BGP safe yet?" test


From: Alex Band <alex () nlnetlabs nl>
Date: Tue, 21 Apr 2020 11:29:44 +0200


On 21 Apr 2020, at 11:09, Baldur Norddahl <baldur.norddahl () gmail com> wrote:



On 21.04.2020 10.56, Sander Steffann wrote:
Hi,

Removing a resource from the certificate to achieve the goal you describe will make the route announcement
NotFound, which means it will be accepted. Evil RIR would have to replace an existing ROA with one that explicitly
makes a route invalid, i.e. issue an AS0 ROA for a specific member prefix. This seems like a pretty convoluted way to
try and take a network offline.
I've seen worse…
Sander


As long as Good RIR continues to publish a valid ROA for the real ASN, that evil AS0 ROA would have no effect?

Correct.

Should this really be a concern, then you can run Delegated RPKI. In that case the RIR can’t tamper with your ROA 
because it’s not on their systems. Evil RIR could only revoke a prefix from your certificate or your entire 
certificate, but again, your BGP announcements would fall back to NotFound and would be accepted.

-Alex
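
Added example, not part of the original message or thread: a small RFC 6811 route origin validation routine run over the three cases discussed above (resource removed, ROA replaced by an AS0 ROA, AS0 ROA published alongside a valid ROA). The prefix 192.0.2.0/24, AS64500 and the names `VRP`, `vrp`, `validate` and `scenarios` are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: what a relying party extracts from a ROA."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)

def validate(route: str, origin_asn: int, vrps: list[VRP]) -> str:
    """Classify an announcement as Valid, Invalid or NotFound (RFC 6811)."""
    net = ipaddress.ip_network(route)
    covered = False
    for v in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if v.prefix.version != net.version or not net.subnet_of(v.prefix):
            continue
        covered = True
        # One matching VRP is enough; an AS0 VRP can never match a route.
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"

# Constructed sample data: documentation prefix and documentation ASN.
PREFIX, REAL_ASN = "192.0.2.0/24", 64500
REAL_ROA = vrp(PREFIX, 24, REAL_ASN)
AS0_ROA = vrp(PREFIX, 24, 0)

def scenarios() -> dict[str, str]:
    return {
        "resource removed, no ROA left": validate(PREFIX, REAL_ASN, []),
        "ROA replaced by AS0 ROA": validate(PREFIX, REAL_ASN, [AS0_ROA]),
        "AS0 ROA next to real ROA": validate(PREFIX, REAL_ASN, [AS0_ROA, REAL_ROA]),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name:32} -> {state}")
```
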
