> On Jul 11, 2024, at 11:02, t...@pelican.org wrote: > As a not-security person trying to get to grips with this, am I > mis-understanding the type of attack that this is pushing to mitigate? > My current understanding: > -Bad guys announce space for Facebook / Amazon / banks / whatever > -Some traffic for high-value destinations gets diverted to Bad Guys > -Bad Guys do Bad Things
Well… That’s kind of the generous take on it. Perhaps a more realistic scope
would be “well-intentioned-but-BGP-speaking people fat-finger their configs,
misoriginating Facebook / Amazon / banks / whatever, causing temporary chaos.”
If there were actually bad guys involved, RPKI isn’t really going to slow them
down.
Origin Path
|
Intentional |
|
____________|___________
|
RPKI lives |
Unintentional in this |
quadrant. |
> By focusing on BIAS-providers to secure *their own* routes, aren't you
> stopping the Bad Guys from hijacking eyeball space,
No, you aren't (see above), but...
> rather than high-value destination space?
…your point is, more or less, correct. For RPKI to work, the people
advertising the space have to generate ROAs, and the people receiving the space
have to validate them and use the output of the validation as a check on the
routes they integrate into their routing tables. So, both ROAs and validation
are needed on all networks that matter or care, for RPKI to help. If these
networks generate ROAs and other networks validate them, then other networks
protect themselves against misoriginated eyeball routes. If other networks
generate ROAs and these networks validate them, these eyeballs are protected
against misoriginated other (including content) routes.
> Is there a useful attack vector where the return traffic from Facebook to my
> residential CPE is diverted via the Bad Guys?
Sure, the Bad Guy could start with a downgrade and then issue you a redirect,
and then they’re fully in the middle, both directions. But, again, if there’s
anyone _intentionally_ trying to hijack routes, RPKI isn’t going to stop them
anyway. It’s like a lock on a door: a reminder for well-intentioned people.
> My instinct is that the quick win comes from high-value targets (or their
> ISPs) *generating* ROA, and ensuring that the BIAS providers are *validating*
> (ROV) that their customer traffic is going to the "real" Facebook.
Yes, that direction is more valuable.
> I'm struggling with how much issuing ROAs for residential broadband ranges
> helps with this particular problem, and why.
Well… if the basic proposition is that all safety-nets are beneficial, and
we’re not looking at cost or alternatives or the big picture, then sure, RPKI
is worth doing everywhere. The FCC isn’t particularly known for looking at
costs or alternatives or the big picture.
But this isn’t _bad_ if you aren’t too concerned about fragility, and aren’t
worried about it completely distracting people from the other three quadrants
of that matrix.
-Bill
signature.asc
Description: Message signed with OpenPGP
