ROA = Route Origin Authorization. Origin is the key word. When you create a signed ROA and do all the publishing bits, RPKI validator software will retrieve that, validate the signature, and pass that up to routers, saying "This prefix range that originates from this ASN is valid." Then, any BGP advertisement that contains a prefix in that range, with an origin ASN that matches, is treated as valid. The intermediary as-path isn't a factor.

If another ASN ORIGINATES an announcement for your space, then RPKI routers will treat that announcement as INVALID, because that isn't authorized. If another ASN spoofs your ASN, pretending that they are your upstream, RPKI won't solve that. But that is a different problem set.

On Thu, Aug 20, 2020 at 10:02 AM Dovid Bender <do...@telecurve.com> wrote:

> Fabien,
>
> Thanks. So to sum it up there is nothing stopping a bad actor from impersonating me as if I am BGP'ing with them. It's to stop any other AS other than mine from advertising my IP space. Is that correct? How is verification done? They connect to the RIR and verify that there is a cert signed by the RIR for my range?
>
> On Thu, Aug 20, 2020 at 9:51 AM Fabien VINCENT (NaNOG) via NANOG <nanog@nanog.org> wrote:
>
>> Hi,
>>
>> In fact, RPKI does nothing about AS Path checks if it's your question. RPKI is based on ROA where signatures are published to guarantee you're the owner of a specific prefix with optional different maxLength from your ASN.
>>
>> So if the question is about if RPKI is sufficient to secure the whole BGP path, well, it's not. RPKI guarantees / permits only to verify the resource announcement (IPvX block) is really owned by your ASN. But even if it's not sufficient, we need to deploy it to start securing resources, not the whole path.
>>
>> Don't know if it replies to your question, but you can also read the pretty good documentation on RPKI here: https://rpki.readthedocs.io/en/latest/rpki/introduction.html or the corresponding RFC ;)
>>
>> On 20-08-2020 15:20, Dovid Bender wrote:
>>
>> Hi,
>>
>> I am sorry for the n00b question. Can someone help point me in the right direction to understand how RPKI works? I understand that from my side I create a key, submit the public portion to ARIN and then send a signed request to ARIN asking them to publish it. How do ISPs that receive my advertisement (either directly from me, meaning my upstreams or my upstreams' upstream) verify against the cert that the advertisement is coming from me? If say we have
>>
>> Medium ISP (AS1000) -> Large ISP (AS200)
>>
>> in the above case AS200 knows it's peering with AS1000 so it will take all advertisements. What's stopping AS1000 from adding a router to their network to impersonate me, make it look like I am peering with them and then they re-advertise the path to Large ISP?
>>
>> Again sorry for the n00b question, I am trying to make sense of how it works.
>>
>> TIA.
>>
>> Dovid
>>
>> --
>> *Fabien VINCENT*
>> *@beufanet*
>
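The origin check the thread describes, as an added worked example (not code from the thread, from NANOG, or from any RPKI validator or router vendor): it models the Route Origin Validation decision of RFC 6811 that a router makes once a validator has already checked the certificate chain and handed it the Validated ROA Payloads (prefix, maxLength, origin ASN). The certificate verification against the RIR that Dovid asks about happens in the validator before this step and is out of scope here. All prefixes and ASNs are constructed sample values from the documentation ranges, and the function and class names are my own.

```python
"""Route Origin Validation (RFC 6811) over validated ROA payloads.

Added illustration, not part of the thread or of any RPKI implementation.
It models the decision a router makes once a validator has handed it the
Validated ROA Payloads (VRPs): prefix, maxLength, origin ASN. All prefixes
and ASNs below are constructed sample values from the documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RovState(Enum):
    VALID = "valid"          # at least one VRP matches prefix, length and origin
    INVALID = "invalid"      # a ROA covers the prefix but none matches
    NOT_FOUND = "not_found"  # no ROA covers the prefix at all


@dataclass(frozen=True)
class Vrp:
    prefix: IPNetwork
    max_length: int
    asn: int


def make_vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> Vrp:
    """Build a VRP; maxLength defaults to the ROA prefix length (RFC 6482)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return Vrp(net, max_length, asn)


def _covers(vrp: Vrp, announced: IPNetwork) -> bool:
    """A VRP covers a route when its prefix contains the announced prefix."""
    if vrp.prefix.version != announced.version:
        return False
    return announced.subnet_of(vrp.prefix)


def validate_origin(announced_prefix: str, origin_asn: int, vrps: Iterable[Vrp]) -> RovState:
    """RFC 6811 section 2 decision: Valid / Invalid / NotFound."""
    announced = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [v for v in vrps if _covers(v, announced)]
    if not covering:
        return RovState.NOT_FOUND
    for v in covering:
        # AS 0 in a ROA (RFC 7607) authorizes nobody, so it never matches;
        # any other match needs the same origin and a length within maxLength.
        if v.asn != 0 and v.asn == origin_asn and announced.prefixlen <= v.max_length:
            return RovState.VALID
    return RovState.INVALID


def validate_route(announced_prefix: str, as_path: List[int], vrps: Iterable[Vrp]) -> RovState:
    """Only the origin (rightmost AS in AS_PATH) is consulted.

    The intermediate ASes are deliberately ignored: this is what the thread
    means by "the intermediary as-path isn't a factor", and why RPKI alone
    says nothing about who your upstream really is.
    """
    if not as_path:
        raise ValueError("AS_PATH must contain at least the origin AS")
    return validate_origin(announced_prefix, as_path[-1], vrps)


# Constructed sample VRPs, as a validator would push them to a router.
SAMPLE_VRPS = [
    make_vrp("192.0.2.0/24", asn=64500),                  # /24 only, AS64500
    make_vrp("2001:db8::/32", asn=64500, max_length=48),  # /32 through /48, AS64500
    make_vrp("203.0.113.0/24", asn=0),                    # AS0 ROA: not to be announced
]


if __name__ == "__main__":
    cases = [
        ("192.0.2.0/24", [64496, 64497, 64500]),  # legitimate origin behind two transit hops
        ("192.0.2.0/24", [64496, 64511]),         # another ASN originates the space
        ("192.0.2.128/25", [64500]),              # right ASN, more specific than maxLength
        ("2001:db8:1::/48", [64500]),             # within maxLength 48
        ("203.0.113.0/24", [64500]),              # covered by the AS0 ROA
        ("198.51.100.0/24", [64500]),             # no ROA at all
    ]
    for prefix, path in cases:
        state = validate_route(prefix, path, SAMPLE_VRPS)
        print(f"{prefix:18} path {path} -> {state.value}")
```

Running it shows the three outcomes side by side: the legitimate /24 is Valid regardless of the two transit ASes in front of the origin, the same prefix from a different origin is Invalid, a more-specific beyond maxLength is Invalid even from the right ASN, the AS0-covered prefix is Invalid from everyone, and a prefix with no ROA is NotFound (which routers normally still accept). What the router does with Invalid is local policy; the common choice is to drop it.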