> > He’s announcing all 4 /24s
>
> That's not what was described as the original situation.
> Operator has prefix 1.2.4/22, but announces only 1.2.5/24 and 1.2.6/24,
> with appropriate ROAs. To avoid abuse of 1.2.4/24 and 1.2.7/24, they also
> make a ROA for 1.2.4/22 with AS 0. Attacker now announces 1.2.0/20, and
> uses IPs in 1.2.4/24 and 1.2.7/24 to send spam etc.

On Tue, Oct 24, 2023 at 8:27 PM Owen DeLong <o...@delong.com> wrote:

> The covering /20 isn’t his to announce… He has a /22. He’s announcing all
> 4 /24s, and may not have a legitimate place to announce the covering /22,
> which wouldn’t help in this case anyway.
>
> So I’m not sure why you think that’s a solution.
>
> Owen
>
>> On Oct 22, 2023, at 10:45, Tom Beecher <beec...@beecher.cc> wrote:
>>
>>> Look again, Tom. This is an attack vector using a LESS specific route. The
>>> /22 gets discarded, but a covering /0-/21 would not.
>>
>> Yes. And reliant on the operator doing something exceptionally not smart
>> to begin with. Relying on an AS0 ROA alone and not actually announcing the
>> covering prefix as well isn't a good thing to do.
>>
>> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <o...@delong.com> wrote:
>>
>>> Look again, Tom. This is an attack vector using a LESS specific route.
>>> The /22 gets discarded, but a covering /0-/21 would not.
>>>
>>> Owen
>>>
>>> On Oct 22, 2023, at 10:06, Tom Beecher <beec...@beecher.cc> wrote:
>>>
>>>>> And is it your belief that this addresses the described attack vector?
>>>>> AFAICT, it does not.
>>>>
>>>> Quoting myself:
>>>>
>>>>> WITH the assertion that all routers in the routing domain are RPKI
>>>>> enabled, and discarding RPKI INVALIDs.
>>>>
>>>> In the mixed RPKI / non-RPKI environment of today's internet, no it
>>>> doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
>>>> work as intended, as was stated.
>>>>
>>>> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <b...@herrin.us> wrote:
>>>>
>>>>> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beec...@beecher.cc> wrote:
>>>>>>> He's saying that someone could come along and advertise 0.0.0.0/1 and
>>>>>>> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>>>>>>> regardless of the block's ROA.
>>>>>>>
>>>>>>> RPKI is unable to address this attack vector.
>>>>>>
>>>>>> https://www.rfc-editor.org/rfc/rfc6483
>>>>>>
>>>>>> Section 4
>>>>>>
>>>>>>> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>>>>>>> holder of a prefix that the prefix described in the ROA, and any more
>>>>>>> specific prefix, should not be used in a routing context.
>>>>>
>>>>> And is it your belief that this addresses the described attack vector?
>>>>> AFAICT, it does not.
>>>>>
>>>>> Regards,
>>>>> Bill Herrin
>>>>>
>>>>> --
>>>>> William Herrin
>>>>> b...@herrin.us
>>>>> https://bill.herrin.us/
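The validation states and the forwarding outcome the thread argues over, worked through in Python as an added example that is not code from any of the posters. The origin ASNs 64500 and 64501 and the destination 1.2.4.10 are constructed placeholders; the ROAs are the ones described in the thread (the two /24s plus the AS0 /22), and a covering /22 ROA is added as the alternative the replies discuss.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Roa:
    prefix: str                 # e.g. "1.2.4.0/22"
    asn: int                    # 0 = AS0 ROA: nothing under this prefix should be routed
    max_length: Optional[int] = None


def rov_state(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    route = ipaddress.ip_network(prefix)
    covering = [r for r in roas if route.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"       # no ROA covers the prefix at all, e.g. a wider /20
    for r in covering:
        max_len = r.max_length if r.max_length is not None else ipaddress.ip_network(r.prefix).prefixlen
        # AS 0 never equals a real origin, so an AS0 ROA can only produce Invalid.
        if r.asn != 0 and r.asn == origin_asn and route.prefixlen <= max_len:
            return "Valid"
    return "Invalid"


def best_route(dest_ip: str, routes, roas):
    """Longest-prefix match among routes that survive a 'drop Invalid' ROV policy.
    routes is a list of (prefix, origin_asn); returns the winning tuple or None."""
    ip = ipaddress.ip_address(dest_ip)
    accepted = [(p, a) for p, a in routes if rov_state(p, a, roas) != "Invalid"]
    matches = [(p, a) for p, a in accepted if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda pa: ipaddress.ip_network(pa[0]).prefixlen, default=None)


# Constructed scenario from the thread; the ASNs are made-up placeholders.
OPERATOR, ATTACKER = 64500, 64501
ROAS_AS0_ONLY = [Roa("1.2.5.0/24", OPERATOR), Roa("1.2.6.0/24", OPERATOR), Roa("1.2.4.0/22", 0)]
# Alternative: a covering /22 ROA for the operator, paired with actually announcing the /22.
ROAS_COVERING = [Roa("1.2.5.0/24", OPERATOR), Roa("1.2.6.0/24", OPERATOR), Roa("1.2.4.0/22", OPERATOR)]
ROUTES = [("1.2.5.0/24", OPERATOR), ("1.2.6.0/24", OPERATOR), ("1.2.0.0/20", ATTACKER)]

if __name__ == "__main__":
    for p in ("1.2.4.0/24", "1.2.4.0/22", "1.2.0.0/20"):
        print(p, "from attacker:", rov_state(p, ATTACKER, ROAS_AS0_ONLY))
    print("AS0 ROA only, packet to 1.2.4.10 follows", best_route("1.2.4.10", ROUTES, ROAS_AS0_ONLY))
    print("covering /22 announced, it follows",
          best_route("1.2.4.10", ROUTES + [("1.2.4.0/22", OPERATOR)], ROAS_COVERING))
```

The /20 is NotFound rather than Invalid because no ROA covers it, so a drop-Invalid policy keeps it and longest-match forwarding sends 1.2.4.0/24 traffic along it until a more specific route from the holder exists.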