Re: [EXTERNAL] Re: Yet another BGP hijacking towards AS16509

[Claudio Jeker <cjeker () diehard n-r-g com>]

On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> On Tue, Aug 23, 2022 at 05:18:42PM +0000, Compton, Rich A wrote:
> > I was under the impression that ASPA could prevent route leaks as well
> > as path spoofing.  This "BGP Route Security Cycling to the Future!"
> > presentation from NANOG seems to indicate this is the case:
> > https://youtu.be/0Fi2ghCnXi0?t=1093 
>
> I'm not sure how ASPA can prevent AS Path spoofing. Perhaps something
> got lost in translation?
>
> ASPA records are published in the RPKI, from there a RPKI RP transforms
> the ASN.1/X.509/crypto stuff into something 'plain text'. This 'plain
> text' data is loaded into EBGP routers via RTR, which then compare the
> *plain text* AS_PATH attribute to the table of plain-text ASPA records,
> to determine if it came via an authorized upstream provider or not.
>
> In this sense, ASPA (just by itself) suffers the same challenge as RPKI
> ROA-based Origin Validation: the input (the BGP AS_PATH) is unsigned and
> unsecured; thus spoofable.

ASPA enforces that the neighbor AS appears as first element in the ASPATH.
It also disallows empty ASPATHs from eBGP sessions.  Because of this
spoofing becomes harder. The problem is that this only works for paths
that are validated by ASPA (all AS hops have been verified). An
ASPA-unknown path can still be spoofed.

Spoofing will become much harder once a critical mass of infrastructure
deployed ASPA.
-- 
:wq Claudio