Re: RPKI for dummies

[Tom Beecher <beecher () beecher cc>]

ROA = Route Origin Authorization . Origin is the key word.

When you create an signed ROA and do all the publishing bits, RPKI
validator software will retrieve that , validate the signature, and pass
that up to routers, saying "This prefix range that originates from this ASN
is valid." Then, any BGP advertisement that contains a prefix in that
range, with an origin ASN that matches, is treated as valid. The
intermediary as-path isn't a factor.

If another ASN ORIGINATES an announcement for your space, then RPKI routers
will treat that announcement as INVALID, because that isn't authorized.

If another ASN spoofs your ASN , pretending that they are your upstream,
RPKI won't solve that. But that is a different problem set.

On Thu, Aug 20, 2020 at 10:02 AM Dovid Bender <dovid () telecurve com> wrote:

> Fabien,
>
> Thanks. So to sum it up there is nothing stopping a bad actor from
> impersonating me as if I am BGP'ing with them. It's to stop any other AS
> other then mine from advertising my IP space. Is that correct? How is
> verification done? They connect to the RIR and verify that there is  a cert
> signed by the RIR for my range?
>
>
>
> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG <
> nanog () nanog org> wrote:
>
> > Hi,
> >
> > In fact, RPKI does nothing about AS Path checks if it's your question.
> > RPKI is based on ROA where signatures are published to guarantee you're the
> > owner of a specific prefix with optionnal different maxLength from your
> > ASN.
> >
> > So if the question is about if RPKI is sufficient to secure the whole BGP
> > path, well, it's not. RPKI guarantee / permit only to verify the ressource
> > announcements (IPvX block) is really owned by your ASN. But even if it's
> > not sufficient, we need to deploy it to start securing resources', not the
> > whole path.
> >
> > Don't know if it replies to your question, but you can read also the
> > pretty good documentation on RPKI here :
> > https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the
> > corresponding RFC ;)
> >
> > Le 20-08-2020 15:20, Dovid Bender a écrit :
> >
> > Hi,
> >
> > I am sorry for the n00b question. Can someone help point me in the right
> > direction to understand how RPKI works? I understand that from my side that
> > I create a key, submit the public portion to ARIN and then send a signed
> > request to ARIN asking them to publish it. How do ISP's that receive my
> > advertisement (either directly from me, meaning my upstreams or my
> > upstreams upstream) verify against the cert that the advertisement is
> > coming from me? If say we have
> > Medium ISP (AS1000) -> Large ISP (AS200)
> > in the above case AS200 know it's peering with AS1000 so it will take all
> > advertisements. What's stopping AS1000 from adding a router to their
> > network to impersonate me,  make it look like I am peering with them and
> > then they re-advertise the path to Large ISP?
> >
> > Again sorry for the n00b question, I am trying to make sense of how it
> > works.
> >
> > TIA.
> >
> > Dovid
> >
> >
> > --
> > *Fabien VINCENT*
> > *@beufanet*