Thanks to Lars for this interesting input and results (which I wasn't
familiar with).
I want to mention another concern with the possible use of hyper-specific
IP prefixes, i.e., longer than /24, which I haven't seen discussed in the
thread (maybe I missed it?). Namely, if you allow say /28 announ
>
> - If origin makes a ROA only for covering prefix (say /24) then the /28
> announcement would be considered invalid by ROV and (even more likely)
> dropped. Also you get more instances of 'invalid' announcements, making
> adoption of ROVs and ROAs harder.
>
Tom, thanks. I forgot to mention the problem of this case (AS 10 creates
an ROA for X.X.X.X/24, maxLength 28). Security-wise, this may actually be
the worst solution:
- An attacker can abuse this ROA to perform an origin hijack of the /28
subprefix, just like the origin hijack if AS 10 publishes ROA
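To make the two cases discussed above concrete, here is an added example (not from any poster in this thread) that runs the RFC 6811 Route Origin Validation algorithm against constructed ROAs. The documentation prefix 192.0.2.0/24 stands in for the thread's X.X.X.X/24, AS 10 is the legitimate holder as in the thread, and AS 666 is an assumed attacker. It shows that with a /24-only ROA the /28 is Invalid regardless of who announces it (the legitimate /28 is dropped, but so is the attacker's), while with maxLength 28 a /28 carrying a forged origin of AS 10 validates exactly like the legitimate one, because ROV checks only the origin AS.

```python
"""Added example: RFC 6811 Route Origin Validation of a /28 under a /24 ROA,
with and without maxLength. All ROAs and announcements are constructed for
illustration (RFC 5737 prefix 192.0.2.0/24 stands in for X.X.X.X/24)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str
    asn: int
    max_length: Optional[int] = None  # None: maxLength equals the prefix length

    def covers(self, net) -> bool:
        """Covering ROA: same address family and the announced prefix lies inside the ROA prefix."""
        roa_net = ipaddress.ip_network(self.prefix)
        return roa_net.version == net.version and net.subnet_of(roa_net)

    def matches(self, net, origin_asn: int) -> bool:
        """Matching ROA (RFC 6811): covering, same origin AS, announced length <= maxLength."""
        roa_net = ipaddress.ip_network(self.prefix)
        max_len = roa_net.prefixlen if self.max_length is None else self.max_length
        return self.covers(net) and self.asn == origin_asn and net.prefixlen <= max_len


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return the RFC 6811 validation state: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix)
    covering = [roa for roa in roas if roa.covers(net)]
    if not covering:
        return "NotFound"  # no ROA covers this prefix at all
    if any(roa.matches(net, origin_asn) for roa in covering):
        return "Valid"
    return "Invalid"  # covered by some ROA, but none matches origin and length


# Constructed scenario: AS 10 legitimately holds 192.0.2.0/24; AS 666 is the assumed attacker.
LEGIT_AS = 10
ATTACKER_AS = 666
ROA_NO_MAXLEN = [ROA("192.0.2.0/24", LEGIT_AS)]                 # ROA for the /24 only
ROA_MAXLEN_28 = [ROA("192.0.2.0/24", LEGIT_AS, max_length=28)]  # ROA for the /24, maxLength 28


def compare_policies() -> dict:
    """Validation state of the same announcements under both ROA choices.

    The "forged origin" case is the attacker prepending AS 10 as the origin of
    its own /28 announcement; ROV sees the same (prefix, origin) as the legitimate one."""
    cases = {
        "legit /24 from AS 10": ("192.0.2.0/24", LEGIT_AS),
        "legit /28 from AS 10": ("192.0.2.16/28", LEGIT_AS),
        "attacker /28, forged origin AS 10": ("192.0.2.16/28", LEGIT_AS),
        "attacker /28, own origin AS 666": ("192.0.2.16/28", ATTACKER_AS),
        "unrelated /24 from AS 666": ("198.51.100.0/24", ATTACKER_AS),
    }
    return {
        name: {
            "ROA /24 only": validate(prefix, asn, ROA_NO_MAXLEN),
            "ROA /24 maxLength 28": validate(prefix, asn, ROA_MAXLEN_28),
        }
        for name, (prefix, asn) in cases.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:36} {result}")
```

The table this prints is the whole argument in miniature: the /24-only ROA protects against the forged-origin /28 only by also invalidating the holder's own /28, and the maxLength 28 ROA restores the legitimate /28 only by admitting the forged one with it.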