Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Re: Internet2, MANRS and embedded security

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Re: Internet2, MANRS and embedded security


Chronological Thread 
  • From: Andrew Gallo <>
  • To:
  • Subject: Re: [Security-WG] Re: Internet2, MANRS and embedded security
  • Date: Thu, 16 Aug 2018 14:43:32 -0400
  • Ironport-phdr: 9a23:BZ/KbRCBz1dWJBRk0I1bUyQJP3N1i/DPJgcQr6AfoPdwSPvyocbcNUDSrc9gkEXOFd2Cra4c1ayO6+jJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglUhTexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfOpWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnMVhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs7Xiiv4qlpRRLmkSsLKzE0+3zThsFwkK5XpRSsrAF9zYHJeoGYLOdwcL3Tfd0aRmRPUMheWCNDDYygYIUCFPYBMORCooXhu1cDoxmzCA+xD+3v0D9IgXr20LUm3uQnDA7GxhIvHtwTu3rVttr1MKMSUeeox6TP1zrDYOlZ2TP56IjPaR0hrv+NXa9qfcXP1EYvChrIg1ONooLrODOV0/4Cs2md7+d4VOKglXInqw9rrjio3McshY/EjZ8WxFDc7Sh13Yc4KcCiREJlYdOpHoFcuzybOoZ3WM8uXn9ktD4nxrEYupO3ZjUGxZUoyhLFdvCKfZKE7gzlWe2MOzl3nmhld6i6hxuq8Uiv1On8Vs6s3VZPtCVFk93MtmgX1xPO9MiIUOZy/kKg2DqRzgzT8eREIVwslabBNZEh2aQ8lpUdsETeBCP5hlj5jLKOekUl/Oin9fjnb637qpKdKoN4kB/yP6Qgl8ClHOg1MwkDU3KG9eiizLHj+Ff2QLROjv04iKnZt5XaKNwBqa62GQBV1oIj6xGkAjep3tUYgGMLI0xYdxKal4TpIU3BIOjkDfejhFShiCxryO7aMb38GJXNL2TDkbf4cbdz5E5R0w4zzdFE55JIEbENPuj/Wk73tNzEEBA5KQq0zPj7CNljzI8RR3+AArLKeJ/V5ESF7f81IvWdIZAakDf7N/U/4fPy1zk0lUJOU7Ou2M4+bnyiE+suDEydZX2k1t4OGGMOuSIxU/GshVGfB20AL02uVr4xs2loQLmtCp3OE931jQ==
Are you asking why Max Length is no longer recommended?

Here's a draft BCP that describes in detail what the problem is:
https://tools.ietf.org/id/draft-yossigi-rpkimaxlen-00.html

The short description- only cover what you know you'll advertise. If you
create a ROA covering 172.16.0.0/16-24, then every prefix is covered between
16-24, including /17, 18, etc.
An attacker could, spoofing your ASN, announce a /17 and still pass RPKI
validation. Assuming you're already advertising a /16, then you couldn't
advertise a more specific, only an equal /17.

Now, with the case of DDoS mitigation, if you could potentially redirect any
/24, then you would need to have ROAs covering all those prefixes. I wrote a
script that allows you to easily generate a ROA for all the prefixes in a
summary route.

You would still be open to the vulnerability discussed in the draft, namely,
someone spoofing your AS and advertising a covered prefix. You're still in a
better position because an attacker couldn't use intermediate masks.
If you knew only a certain number of prefixes would could be redirected to a
scrubbing service, then the recommendation is to only include those the ROA

This raises an interesting possibility. Maybe you generate a ROA allowing
your AS to originate the summary route, while the DDoS service can originate
the subnets. The risk here is that if you ever had to originate a more
specific from your own space, it wouldn't be covered.

Honestly, I think we're still in the "figuring out operational best
practices" phase.




On 8/14/2018 4:00 PM, Dale W. Carder wrote:
Thus spake Garrett, Seth B
()
on Tue, Aug 14, 2018 at 04:08:16PM +0000:
* You need to account for your DDoS scrubbing service when planning for
RPKI.
* ?Its strongly encouraged to not use the maxlength option for a
prefix. However, you need to account for smaller prefixes and/or different
ASNs the routes could be coming from when using a scrubbing service. This
can lead to rather large ROAs. Andrew Gallo I know has been doing some
testing in this area.
Can you share what your thoughts are along these lines?

Dale

--
________________________________
Andrew Gallo
The George Washington University


Archive powered by MHonArc 2.6.19.

Top of Page