netsec-sig - Re: [Security-WG] Re: Internet2, MANRS and embedded security
Subject: Internet2 Network Security SIG
- From: "Garrett, Seth B" <>
- To: "" <>
- Subject: Re: [Security-WG] Re: Internet2, MANRS and embedded security
- Date: Tue, 14 Aug 2018 21:10:15 +0000
- Accept-language: en-US
I think the general idea is to try to be as specific as possible with ROAs
regarding prefixes. Under normal circumstances 129.79.0.0/16 is one of the
prefixes we advertise. When utilizing a DDoS scrubbing service we could
initiate scrubbing on a /24 from within that. Creating the ROA with
129.79.0.0/16 maxlength option of 24 is an option. The option also makes
anything between 16 and 24 valid as well. The ROA would need to be specific
for 129.79.0.0/16 and every single potential /24 to get around this. That
way only the /16 or a list of expected /24s would be valid in RPKI from AS87.
If someone accidentally or intentionally tried to advertise 129.79.0.0/17
from a different ASN it would be invalid in RPKI with or without the
maxlength set. However, by not using the maxlength option on the /16 it
would be invalid even if they tried a forged-origin hijack on the /17.
The origin ASN could change from your ASN in a legitimate DDoS scrubbing
event. That just depends on the service & scenario. That would need a ROA
allowing that ASN as well if that scenario could exist.
https://tools.ietf.org/html/draft-yossigi-rpkimaxlen-02 goes into more detail
on some of the security concerns around maxlength.
Seth Garrett
Principal Network Engineer
Indiana University
________________________________________
From: <> on behalf of Dale W. Carder <>
Sent: Tuesday, August 14, 2018 4:00 PM
To:
Subject: Re: [Security-WG] Re: Internet2, MANRS and embedded security
Thus spake Garrett, Seth B () on Tue, Aug 14, 2018 at 04:08:16PM +0000:
> * You need to account for your DDoS scrubbing service when planning for
> RPKI.
> * It's strongly encouraged to not use the maxlength option for a
> prefix. However, you need to account for smaller prefixes and/or different
> ASNs the routes could be coming from when using a scrubbing service. This
> can lead to rather large ROAs. Andrew Gallo I know has been doing some
> testing in this area.
Can you share what your thoughts are along these lines?
Dale
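The maxlength trade-off described above, as an added example that is not part of the original thread: RFC 6811 route origin validation run in Python over two constructed ROA sets, one using a /16 with maxLength 24 and one using an exact /16 plus explicit /24 ROAs. 129.79.0.0/16 and AS87 come from the message; AS64496 (an unrelated origin) and AS64499 (a scrubbing provider) are placeholder ASNs from the documentation range, and the individual /24s are constructed.

```python
from ipaddress import ip_network

# ROA as (prefix, maxLength, origin AS); maxLength None means the prefix length.
def roa(prefix, asn, maxlen=None):
    net = ip_network(prefix)
    return (net, maxlen if maxlen is not None else net.prefixlen, asn)

def validate(roas, prefix, origin_as):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ip_network(prefix)
    covered = False
    for roa_net, maxlen, asn in roas:
        # A ROA covers the route when its prefix contains the announced prefix.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covered = True
            # It matches when both the origin AS and the length fit.
            if asn == origin_as and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "notfound"

# Loose policy: one /16 ROA with maxLength 24 (the option the message advises against).
LOOSE = [roa("129.79.0.0/16", 87, maxlen=24)]

# Strict policy: exact /16, plus only the /24 expected to be scrubbed, for both
# the home ASN and the scrubbing provider's ASN (AS64499 is a placeholder).
STRICT = [
    roa("129.79.0.0/16", 87),
    roa("129.79.5.0/24", 87),
    roa("129.79.5.0/24", 64499),
]

def compare(prefix, origin_as):
    """Validation state of one announcement under both ROA sets."""
    return validate(LOOSE, prefix, origin_as), validate(STRICT, prefix, origin_as)

if __name__ == "__main__":
    cases = [
        ("129.79.0.0/16", 87),     # normal /16 announcement from the home ASN
        ("129.79.0.0/17", 64496),  # /17 from an unrelated ASN (placeholder)
        ("129.79.5.0/24", 64499),  # scrubbing provider announces the expected /24
        ("129.79.9.0/24", 87),     # unexpected /24 carrying a forged origin of AS87
    ]
    for prefix, asn in cases:
        loose, strict = compare(prefix, asn)
        print(f"{prefix:16} AS{asn:<6} loose={loose:8} strict={strict}")
```

The last case is the one the draft warns about: under the loose ROA the forged-origin /24 is Valid, while the strict set rejects it, at the cost of the strict set also rejecting any legitimate more-specific that lacks its own ROA.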