Re: RPKI unknown for superprefixes of existing ROA ?

[Tom Beecher <beecher () beecher cc>]

> He’s announcing all 4 /24s

That's not what was described as the original situation.

  Operator has prefix 1.2.4/22, but announce only 1.2.5/24 and 1.2.6/24,
> with appropriate ROAs. To avoid abuse of 1.2.4/24 and 1.2.7/24, they also
> make a ROA for 1.2.4/22 with AS 0. Attacker now announces 1.2.0/20, and
> uses IPs in 1.2.4/24 and 1.2.7/24 to send spam etc.




On Tue, Oct 24, 2023 at 8:27 PM Owen DeLong <owen () delong com> wrote:

> The covering /20 isn’t his to announce… He has a /22. He’s announcing all
> 4 /24s, and may not have a legitimate place to announce the covering /22,
> which wouldn’t help in this case anyway.
>
> So I’m not sure why you think that’s a solution.
>
> Owen
>
>
> On Oct 22, 2023, at 10:45, Tom Beecher <beecher () beecher cc> wrote:
>
> Look again, Tom. This is an attack vector using a LESS specific route. The
> > /22 gets discarded, but a covering /0-/21 would not.
>
> Yes. And reliant on the operator doing something exceptionally not smart
> to begin with.  Relying on an AS0 ROA alone and not actually announcing the
> covering prefix as well isn't a good thing to do.
>
> On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen () delong com> wrote:
>
> > Look again, Tom. This is an attack vector using a LESS specific route.
> > The /22 gets discarded, but a covering /0-/21 would not.
> >
> > Owen
> >
> > On Oct 22, 2023, at 10:06, Tom Beecher <beecher () beecher cc> wrote:
> >
> > 
> >
> > > And is it your belief that this addresses the described attack vector?
> > > AFAICT, it does not.
> >
> > Quoting myself :
> >
> > WITH the assertion that all routers in the routing domain are RPKI
> > > enabled, and discarding RPKI INVALIDs.
> >
> >  In the mixed RPKI / non-RPKI environment of today's internet, no it
> > doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't
> > work as intended, as was stated.
> >
> >
> >
> > On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill () herrin us> wrote:
> >
> > > On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher () beecher cc> wrote:
> > > > > He's saying that someone could come along and advertise 0.0.0.0/1 and
> > > > > 128.0.0.0/1 and by doing so they'd hijack every unrouted address
> > > block
> > > > > regardless of the block's ROA.
> > > > >
> > > > > RPKI is unable to address this attack vector.
> > > >
> > > >
> > > > https://www.rfc-editor.org/rfc/rfc6483
> > > >
> > > > Section 4
> > > > > A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
> > > > > holder of a prefix that the prefix described in the ROA, and any more
> > > > > specific prefix, should not be used in a routing context.
> > >
> > > And is it your belief that this addresses the described attack vector?
> > > AFAICT, it does not.
> > >
> > > Regards,
> > > Bill Herrin
> > >
> > >
> > > --
> > > William Herrin
> > > bill () herrin us
> > > https://bill.herrin.us/