Yes. And reliant on the operator doing something exceptionally not smart to begin with. Relying on an AS0 ROA alone and not actually announcing the covering prefix as well isn't a good thing to do.

On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <o...@delong.com> wrote:

> Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not.
>
> Owen
>
> On Oct 22, 2023, at 10:06, Tom Beecher <beec...@beecher.cc> wrote:
>
>>> And is it your belief that this addresses the described attack vector? AFAICT, it does not.
>>
>> Quoting myself:
>>
>>> WITH the assertion that all routers in the routing domain are RPKI enabled, and discarding RPKI INVALIDs.
>>
>> In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.
>>
>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <b...@herrin.us> wrote:
>>
>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beec...@beecher.cc> wrote:
>>>
>>>>> He's saying that someone could come along and advertise 0.0.0.0/1 and 128.0.0.0/1 and by doing so they'd hijack every unrouted address block regardless of the block's ROA.
>>>>>
>>>>> RPKI is unable to address this attack vector.
>>>>
>>>> https://www.rfc-editor.org/rfc/rfc6483
>>>>
>>>> Section 4
>>>>
>>>>> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the holder of a prefix that the prefix described in the ROA, and any more specific prefix, should not be used in a routing context.
>>>
>>> And is it your belief that this addresses the described attack vector? AFAICT, it does not.
>>>
>>> Regards,
>>> Bill Herrin
>>>
>>> --
>>> William Herrin
>>> b...@herrin.us
>>> https://bill.herrin.us/
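The scenario argued over in this thread, worked through as an added example (not code from any of the posters): a small model of RFC 6811 route origin validation followed by longest-prefix-match selection. It shows the three situations the thread describes: a router that drops Invalids still forwards the AS 0 block's traffic along the hijacker's /1 (Owen's point), a router that does not drop Invalids accepts the hijacker's /22 directly (Tom's "mixed RPKI / non-RPKI environment"), and a holder that also originates a covering aggregate with a matching ROA wins longest-match back (Tom's mitigation). All prefixes and AS numbers are constructed from documentation ranges: 198.51.100.0/22 is the unrouted block with the AS 0 ROA, 198.51.96.0/20 is the holder's covering aggregate, AS 64500 is the holder and AS 64496 the hijacker.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation ranges, not real announcements):
# the prefix holder is AS 64500, the hijacker is AS 64496.
HOLDER_AS = 64500
ATTACKER_AS = 64496


@dataclass(frozen=True)
class ROA:
    prefix: str
    asn: int      # 0 = "this prefix and its more-specifics must not be routed" (RFC 6483 s.4)
    maxlen: int


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int


def rov_state(route, roas):
    """Route origin validation as in RFC 6811 section 2.

    A ROA 'covers' an announcement when the announced prefix lies inside the
    ROA prefix (equal prefixes count).  Valid if any covering ROA matches the
    origin AS and the announced length is within maxlen; Invalid if covering
    ROAs exist but none match; NotFound if nothing covers it at all.
    An AS 0 ROA can never match, since no legitimate UPDATE carries origin
    AS 0, so its only effect is to make covered announcements Invalid.
    """
    announced = ip_network(route.prefix)
    covering = [r for r in roas if announced.subnet_of(ip_network(r.prefix))]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn != 0 and roa.asn == route.origin_as and announced.prefixlen <= roa.maxlen:
            return "Valid"
    return "Invalid"


def build_rib(routes, roas, drop_invalid=True):
    """A router that drops Invalids (full RPKI deployment) or accepts
    everything (the non-RPKI routers still present on today's Internet)."""
    rib = []
    for rt in routes:
        state = rov_state(rt, roas)
        if drop_invalid and state == "Invalid":
            continue
        rib.append((rt, state))
    return rib


def best_route(rib, address):
    """Longest-prefix match, as the FIB does for a packet to `address`."""
    addr = ip_address(address)
    candidates = [(rt, st) for rt, st in rib if addr in ip_network(rt.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda c: ip_network(c[0].prefix).prefixlen)


def who_carries(address, routes, roas, drop_invalid=True):
    """(origin AS, prefix, ROV state) of the route that wins for `address`."""
    hit = best_route(build_rib(routes, roas, drop_invalid), address)
    if hit is None:
        return None
    route, state = hit
    return route.origin_as, route.prefix, state


# The unrouted block with an AS 0 ROA, as in the thread.
AS0_ROA = ROA("198.51.100.0/22", 0, 22)

# The attack: the /22 itself is Invalid and gets discarded, but the two /1s
# have no covering ROA at all, so they are NotFound and accepted.
ATTACK = [
    Route("198.51.100.0/22", ATTACKER_AS),
    Route("0.0.0.0/1", ATTACKER_AS),
    Route("128.0.0.0/1", ATTACKER_AS),
]

# The mitigation: the holder also originates a covering aggregate and
# publishes a ROA for it, so longest-match lands on the holder again.
HOLDER_COVERING_ROA = ROA("198.51.96.0/20", HOLDER_AS, 20)
HOLDER_ANNOUNCEMENT = Route("198.51.96.0/20", HOLDER_AS)


if __name__ == "__main__":
    victim = "198.51.100.1"
    print("AS0 ROA only, Invalids dropped:     ", who_carries(victim, ATTACK, [AS0_ROA]))
    print("AS0 ROA only, Invalids accepted:    ", who_carries(victim, ATTACK, [AS0_ROA], False))
    print("holder also announces covering /20: ",
          who_carries(victim, ATTACK + [HOLDER_ANNOUNCEMENT], [AS0_ROA, HOLDER_COVERING_ROA]))
```

Note that in the mitigated case the hijacker gains nothing by also announcing the /20: the holder's ROA covers it and the origin AS does not match, so it is Invalid on any router that validates. The /1s remain NotFound everywhere; the only thing that defeats them is a more specific route the holder actually originates.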