> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.

Quoting myself:

> WITH the assertion that all routers in the routing domain are RPKI enabled,
> and discarding RPKI INVALIDs.

In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.

On Sun, Oct 22, 2023 at 12:57 PM William Herrin <b...@herrin.us> wrote:

> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beec...@beecher.cc> wrote:
> >> He's saying that someone could come along and advertise 0.0.0.0/1 and
> >> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
> >> regardless of the block's ROA.
> >>
> >> RPKI is unable to address this attack vector.
> >
> > https://www.rfc-editor.org/rfc/rfc6483
> >
> > Section 4
> >>
> >> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
> >> holder of a prefix that the prefix described in the ROA, and any more
> >> specific prefix, should not be used in a routing context.
>
> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/
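Added example, not part of either message in this thread: a small model of RFC 6811 route origin validation plus longest-prefix match, showing how the announcements discussed above are classified when a router drops INVALIDs. The VRP table, the route list and AS numbers 64500 and 64511 are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, max_length, origin_asn).
# 198.51.100.0/24 carries an AS 0 ROA (RFC 6483 section 4); 192.0.2.0/24 is
# authorized for the hypothetical AS 64500.
VRPS = [
    ("198.51.100.0/24", 24, 0),
    ("192.0.2.0/24", 24, 64500),
]

# Constructed announcements: (prefix, origin_asn). AS 64511 is hypothetical.
ROUTES = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64511),
    ("0.0.0.0/1", 64511),
    ("128.0.0.0/1", 64511),
]

def validate(route_prefix, origin_asn, vrps=VRPS):
    """Return the RFC 6811 state: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers a route only when the VRP prefix is equal to or
        # less specific than the route prefix.
        if vrp.version != route.version or not route.subnet_of(vrp):
            continue
        covered = True
        # AS 0 never matches a route's origin, so an AS 0 VRP cannot validate.
        if vrp_asn != 0 and vrp_asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

def accepted(routes, vrps=VRPS):
    """Drop-invalid policy: keep routes that are valid or not-found."""
    return [(p, a) for p, a in routes if validate(p, a, vrps) != "invalid"]

def best_route(dest, routes):
    """Longest-prefix match of dest over routes; None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [(p, a) for p, a in routes if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)
```
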