If the other AS announces the same resource, the AS path length should
perhaps be longer while the prefix length is the same.
RPKI is just here to secure resource announcement verification (ROV).
Nothing more, in my own opinion. You could read this RFC for RPKI ops:
https://tools.ietf.org/html/rfc7115.html
Verification is done using tools like Routinator or GoRTR, which fetch
the Trust Anchor Lists provided by the RIRs, compute them and provide RTR
protocol support for your routers to verify the BGP table against the
ROAs (what we call ROV).
Everything is in the excellent RPKI documentation, so you should
absolutely read it or look at any presentation given at RIRs' meetings,
probably available on YouTube ;)
On 20-08-2020 16:00, Dovid Bender wrote:
Fabien,
Thanks. So to sum it up, there is nothing stopping a bad actor from
impersonating me as if I am BGP'ing with them. It's to stop any other
AS other than mine from advertising my IP space. Is that correct? How
is verification done? They connect to the RIR and verify that there is
a cert signed by the RIR for my range?
On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG
<nanog@nanog.org> wrote:
Hi,
In fact, RPKI does nothing about AS path checks, if that's your question.
RPKI is based on ROAs, where signatures are published to guarantee you're
the owner of a specific prefix, with an optional different maxLength, from
your ASN.
So if the question is whether RPKI is sufficient to secure the whole
BGP path, well, it's not. RPKI only guarantees / permits verifying that the
resource announcement (IPvX block) is really owned by your ASN. But
even if it's not sufficient, we need to deploy it to start securing
resources, not the whole path.
Don't know if it answers your question, but you can also read the
pretty good documentation on RPKI here:
https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the
corresponding RFC ;)
On 20-08-2020 15:20, Dovid Bender wrote:
Hi,
I am sorry for the n00b question. Can someone help point me in the
right direction to understand how RPKI works? I understand that, from my
side, I create a key, submit the public portion to ARIN and then
send a signed request to ARIN asking them to publish it. How do ISPs
that receive my advertisement (either directly from me, meaning my
upstreams, or my upstreams' upstream) verify against the cert that the
advertisement is coming from me? If say we have
Medium ISP (AS1000) -> Large ISP (AS200)
in the above case AS200 knows it's peering with AS1000, so it will take
all advertisements. What's stopping AS1000 from adding a router to
their network to impersonate me, making it look like I am peering with
them, and then re-advertising the path to the Large ISP?
Again sorry for the n00b question, I am trying to make sense of how it
works.
TIA.
Dovid
--
Fabien VINCENT
_@beufanet_
--
Fabien VINCENT
_@beufanet_
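The ROV step Fabien describes (the router compares each route's prefix and origin AS against the Validated ROA Payloads it received over RTR) follows the RFC 6811 procedure. Below is an added, stand-alone illustration of that procedure; it is not code from the thread, from Routinator or from GoRTR. The VRP table, prefixes and AS numbers are constructed sample data (documentation ranges and private ASNs), and `rov`, `rov_from_as_path` and `filter_routes` are names chosen here. It also shows the limitation the thread discusses: only the origin AS is compared, so the rest of the AS path is outside ROV's scope.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: what an RTR cache (Routinator, GoRTR) hands a router."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed sample VRP table (assumption, not real ROAs).
# 192.0.2.0/24 has two ROAs, e.g. a multi-homed holder authorising two origins.
VRPS = [
    vrp("192.0.2.0/24", 24, 64500),
    vrp("192.0.2.0/24", 24, 64502),
    vrp("198.51.100.0/22", 24, 64501),
    vrp("2001:db8::/32", 48, 64500),
]


def covering_vrps(route_prefix: str, vrps: list[VRP]) -> list[VRP]:
    """VRPs whose prefix is equal to or less specific than the announced prefix."""
    net = ipaddress.ip_network(route_prefix)
    return [
        v for v in vrps
        if v.prefix.version == net.version
        and v.prefix.prefixlen <= net.prefixlen
        and net.subnet_of(v.prefix)
    ]


def rov(route_prefix: str, origin_as: int, vrps: list[VRP] = VRPS) -> str:
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'.

    not-found: no VRP covers the prefix (ROAs not yet created).
    valid:     at least one covering VRP has the same origin AS and a
               maxLength >= the announced prefix length.
    invalid:   covered, but no VRP matches (wrong origin or too specific).
    """
    net = ipaddress.ip_network(route_prefix)
    covering = covering_vrps(route_prefix, vrps)
    if not covering:
        return "not-found"
    for v in covering:
        if v.asn == origin_as and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def rov_from_as_path(route_prefix: str, as_path: list[int], vrps: list[VRP] = VRPS) -> str:
    """A router validates the origin AS only: the rightmost AS in the path.

    The intermediate ASes are never compared against anything, which is
    why the thread notes that RPKI does nothing about the AS path itself.
    """
    return rov(route_prefix, as_path[-1], vrps)


def filter_routes(routes: list[tuple[str, list[int]]], vrps: list[VRP] = VRPS) -> list[tuple[str, list[int]]]:
    """Common deployment policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return [(p, path) for p, path in routes if rov_from_as_path(p, path, vrps) != "invalid"]


if __name__ == "__main__":
    samples = [
        ("192.0.2.0/24", [64501, 64500]),   # valid: origin 64500 authorised
        ("192.0.2.0/24", [64501, 64502]),   # valid: second ROA for 64502
        ("192.0.2.0/25", [64501, 64500]),   # invalid: /25 exceeds maxLength 24
        ("192.0.2.0/24", [64501, 64666]),   # invalid: unauthorised origin
        ("198.51.100.0/23", [64501]),       # valid: /23 within maxLength 24
        ("203.0.113.0/24", [64500]),        # not-found: no ROA at all
        ("2001:db8:1::/48", [64500]),       # valid: IPv6 covered by /32 ROA
    ]
    for prefix, path in samples:
        print(f"{prefix:18} via {path}: {rov_from_as_path(prefix, path)}")
```

The `not-found` state is what every prefix without a ROA gets, which is why the documentation Fabien links stresses creating ROAs (with a maxLength that actually matches what you announce) before expecting anyone's filters to protect your space.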