nanog mailing list archives

Re: RPKI unknown for superprefixes of existing ROA ?


From: William Herrin <bill () herrin us>
Date: Sun, 22 Oct 2023 09:10:04 -0700

On Sun, Oct 22, 2023 at 8:47 AM Job Snijders <job () fastly com> wrote:
> The attacker won’t be drawing traffic towards itself destined for addresses in the /22, because of LPM

Hi Job,

The idea is that you have some infrastructure on IP addresses that you
don't route on the Internet. Maybe it's the /24 you use to number your
routers. Maybe it's a private network. Whatever it is, you intend for
that address block to be absent from Internet routing and produce a
ROA for AS0 which should, theoretically, force it to be absent from
the Internet.

Then someone comes along and advertises a portion of the RIR space
larger than any allocation. Since your subnet is intentionally absent
from the Internet, that larger route draws the packets allowing a
hijack of your address space.

In essence, this means that a ROA to AS0 doesn't work as intended.

Regards,
Bill Herrin



-- 
William Herrin
bill () herrin us
https://bill.herrin.us/
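The interaction Bill describes (an AS0 ROA on an unrouted /24, then a covering superprefix that has no ROA at all) can be reproduced with a small route-origin-validation model. The following is an added worked example, not code from the thread or from any RPKI validator; the prefixes, AS numbers and the "drop invalid, accept valid and notfound" policy are constructed for illustration. It applies the RFC 6811 validation rules, filters the announcements the way a router running ROV would, and then does a longest-prefix-match lookup for an address inside the AS0-protected /24. It also shows the one change that closes the gap in this model: an AS0 ROA that covers the aggregate as well, so the superprefix announcement becomes invalid instead of notfound.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ROA:
    prefix: str        # e.g. "192.0.2.0/24"
    max_length: int    # maxLength field of the ROA
    asn: int           # 0 means no AS may originate this prefix (AS0 ROA)

@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_asn: int

def rov_state(ann: Announcement, roas: List[ROA]) -> str:
    """Route Origin Validation as in RFC 6811: valid / invalid / notfound.

    A ROA 'covers' an announcement when the announced prefix is equal to or
    more specific than the ROA prefix (same address family).  With no covering
    ROA the state is notfound.  An AS0 ROA can never match a real origin AS,
    so every announcement it covers is invalid.
    """
    net = ipaddress.ip_network(ann.prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def accepted_routes(anns: List[Announcement], roas: List[ROA]) -> List[Announcement]:
    """The common ROV policy: reject invalid, accept valid and notfound."""
    return [a for a in anns if rov_state(a, roas) != "invalid"]

def lpm(dst: str, routes: List[Announcement]) -> Optional[Announcement]:
    """Longest-prefix-match lookup over the accepted routes (None = no route)."""
    ip = ipaddress.ip_address(dst)
    best = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

# Constructed scenario: the /24 is intentionally absent from the Internet and
# protected by an AS0 ROA; the attacker (AS 64500, a private ASN) announces
# both the /24 and a large covering aggregate that nobody holds a ROA for.
ROAS = [ROA("192.0.2.0/24", 24, 0)]
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64500),   # rejected: covered by the AS0 ROA
    Announcement("192.0.0.0/16", 64500),   # accepted: no covering ROA, so notfound
]

def traffic_for(dst: str, roas: List[ROA]) -> Optional[Announcement]:
    """Which accepted route, if any, carries packets for dst."""
    return lpm(dst, accepted_routes(ANNOUNCEMENTS, roas))

# Mitigation in this model: an AS0 ROA on the covering aggregate as well,
# so the superprefix announcement is invalid rather than notfound.
ROAS_WITH_AGGREGATE = ROAS + [ROA("192.0.0.0/16", 16, 0)]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(ann.prefix, "from AS", ann.origin_asn, "->", rov_state(ann, ROAS))
    print("192.0.2.10 routed via:", traffic_for("192.0.2.10", ROAS))
    print("with aggregate AS0 ROA:", traffic_for("192.0.2.10", ROAS_WITH_AGGREGATE))
```

With only the /24 ROA, the /24 announcement is invalid and dropped, but the /16 is notfound, is accepted, and longest-prefix match sends packets for 192.0.2.10 to AS 64500, which is the hijack in Bill's message. With the additional AS0 ROA on the aggregate the /16 announcement is invalid too and the lookup returns no route.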

