Re: RPKI unknown for superprefixes of existing ROA ?

[Tom Beecher <beecher () beecher cc>]

> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.

Quoting myself :

WITH the assertion that all routers in the routing domain are RPKI enabled,
> and discarding RPKI INVALIDs.

 In the mixed RPKI / non-RPKI environment of today's internet, no it
doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
work as intended, as was stated.



On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill () herrin us> wrote:

> On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher () beecher cc> wrote:
> > > He's saying that someone could come along and advertise 0.0.0.0/1 and
> > > 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
> > > regardless of the block's ROA.
> > >
> > > RPKI is unable to address this attack vector.
> >
> >
> > https://www.rfc-editor.org/rfc/rfc6483
> >
> > Section 4
> > > A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
> > > holder of a prefix that the prefix described in the ROA, and any more
> > > specific prefix, should not be used in a routing context.
>
> And is it your belief that this addresses the described attack vector?
> AFAICT, it does not.
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/