Re: RPKI and offline routes

[Matthias Waehlisch <m.waehlisch () fu-berlin de>]

Hi,

  yes.

  In this context the discussion at IETF92 might be interesting: 
https://www.ietf.org/proceedings/92/minutes/minutes-92-sidr (search for 
"Extemporaneous Presentation")


Cheers
  matthias

On Tue, 14 Jun 2016, Hugo Slabbert wrote:

> On Mon 2016-Jun-13 17:53:45 -0500, Matthias Waehlisch
> <m.waehlisch () fu-berlin de> wrote:
>
> > Hi,
> >
> >  the creation of a ROA does not require the announcement of the prefix.
> > Creation of a ROA, prefix announcement, and validation of the prefix are
> > decoupled. If you are the legitimate resource holder you can create a
> > ROA for this prefix (even if you don't advertise the prefix). As soon as
> > the prefix is advertised, third parties can validate based on the
> > created ROA.
> >
> >  However, in case the hijacker is able to use the legitimate origin
> > ASN, the validation outcome would be valid. You would need to assign the
> > prefix to an ASN that cannot be hijacked or is dropped for other
> > reasons. (Or do BGPsec. ;)
>
> Would this not be a valid use case for creating an ROA with origin AS 0?
>
> RFC7607[1]
>
>    Autonomous System 0 was listed in the IANA Autonomous System Number
>    Registry as "Reserved - May be use [sic] to identify non-routed
>    networks" ([IANA.AS_Numbers][2]).
>
>    [RFC6491] specifies that AS 0 in a Route Origin Attestation (ROA) is
>    used to mark a prefix and all its more specific prefixes as not to be
>    used in a routing context.  This allows a resource holder to signal
>    that a prefix (and the more specifics) should not be routed by
>    publishing a ROA listing AS 0 as the only origin.  To respond to this
>    signal requires that BGP implementations not accept or propagate
>    routes containing AS 0.
>
> RFC6491[3]
>
>    AS 0 ROA: A ROA containing a value of 0 in the ASID field.
>    "Validation of Route Origination Using the Resource Certificate
>    Public Key Infrastructure (PKI) and Route Origination Authorizations
>    (ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is
>    an attestation by the holder of a prefix that the prefix described in
>    the ROA, and any more specific prefix, should not be used in a
>    routing context.
>
> With the most detail in RFC6483[4].
>
> Yes/no?
>
> >     
> > Cheers
> >  matthias