The covering /20 isn’t his to announce… He has a /22. He’s announcing all 4 /24s, and may not have a legitimate place to announce the covering /22, which wouldn’t help in this case anyway.
So I’m not sure why you think that’s a solution.

Owen

> On Oct 22, 2023, at 10:45, Tom Beecher <beec...@beecher.cc> wrote:
>
>> Look again, Tom. This is an attack vector using a LESS specific route. The
>> /22 gets discarded, but a covering /0-/21 would not.
>
> Yes. And reliant on the operator doing something exceptionally not smart to
> begin with. Relying on an AS0 ROA alone and not actually announcing the
> covering prefix as well isn't a good thing to do.
>
> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <o...@delong.com> wrote:
>
>> Look again, Tom. This is an attack vector using a LESS specific route. The
>> /22 gets discarded, but a covering /0-/21 would not.
>>
>> Owen
>>
>>> On Oct 22, 2023, at 10:06, Tom Beecher <beec...@beecher.cc> wrote:
>>>
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>>
>>> Quoting myself:
>>>
>>>> WITH the assertion that all routers in the routing domain are RPKI
>>>> enabled, and discarding RPKI INVALIDs.
>>>
>>> In the mixed RPKI / non-RPKI environment of today's internet, no it
>>> doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
>>> work as intended, as was stated.
>>>
>>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <b...@herrin.us> wrote:
>>>
>>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beec...@beecher.cc> wrote:
>>>>
>>>>>> He's saying that someone could come along and advertise 0.0.0.0/1 and
>>>>>> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>>>>>> regardless of the block's ROA.
>>>>>>
>>>>>> RPKI is unable to address this attack vector.
>>>>>
>>>>> https://www.rfc-editor.org/rfc/rfc6483
>>>>>
>>>>> Section 4
>>>>>
>>>>>> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>>>>>> holder of a prefix that the prefix described in the ROA, and any more
>>>>>> specific prefix, should not be used in a routing context.
>>>>
>>>> And is it your belief that this addresses the described attack vector?
>>>> AFAICT, it does not.
>>>>
>>>> Regards,
>>>> Bill Herrin
>>>>
>>>> --
>>>> William Herrin
>>>> b...@herrin.us
>>>> https://bill.herrin.us/
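An added illustration, not from the thread itself, of the point Owen and Bill are making: an RFC 6811 origin-validation check plus longest-prefix selection shows that an AS 0 ROA makes a direct announcement of the unrouted block Invalid, while a covering less-specific such as 128.0.0.0/1 has no ROA at all and comes back NotFound, so a router that only drops Invalids still installs it. The second case shows Tom's mitigation (also announce the covering prefix). All prefixes and ASNs are constructed documentation/private values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str   # address block the ROA covers
    max_len: int  # maxLength: longest more-specific the holder may originate
    asn: int      # 0 = "nobody may originate this" (RFC 6483 section 4)


def rov(route: str, origin_as: int, roas: list) -> str:
    """RFC 6811 route origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(route)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"  # no ROA says anything about this prefix
    # AS 0 never matches a real origin (RFC 7607 forbids AS 0 in the AS path),
    # so an AS 0 ROA can only ever make covered routes Invalid.
    if any(r.asn == origin_as != 0 and net.prefixlen <= r.max_len for r in covering):
        return "Valid"
    return "Invalid"


def best_route(dest: str, announcements, roas):
    """Longest-prefix match over announcements that survive a drop-Invalid policy."""
    addr = ipaddress.ip_address(dest)
    accepted = [(p, asn) for p, asn in announcements
                if rov(p, asn, roas) != "Invalid" and addr in ipaddress.ip_network(p)]
    return max(accepted, key=lambda pa: ipaddress.ip_network(pa[0]).prefixlen, default=None)


HOLDER, HIJACKER = 64500, 64496             # constructed ASNs
ROAS = [Roa("192.0.2.0/25", 25, HOLDER),    # routed half of the holder's block
        Roa("192.0.2.128/25", 25, 0)]       # unrouted half, protected by an AS 0 ROA


def scenario():
    announced = [("192.0.2.0/25", HOLDER),       # holder's real announcement
                 ("192.0.2.128/25", HIJACKER),   # direct hijack: Invalid, dropped
                 ("128.0.0.0/1", HIJACKER)]      # covering less-specific: NotFound
    roa_only = best_route("192.0.2.200", announced, ROAS)
    # Mitigation discussed in the thread: announce the covering prefix too.
    with_cover = best_route("192.0.2.200", announced + [("192.0.2.0/24", HOLDER)],
                            ROAS + [Roa("192.0.2.0/24", 24, HOLDER)])
    return roa_only, with_cover


if __name__ == "__main__":
    print(scenario())  # (('128.0.0.0/1', 64496), ('192.0.2.0/24', 64500))
```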