Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes


Chronological Thread 
  • From: Larry Blunk <>
  • To:
  • Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 10:48:16 -0400
  • Ironport-phdr: 9a23:KNBQ9B+nOVqmnv9uRHKM819IXTAuvvDOBiVQ1KB30e0cTK2v8tzYMVDF4r011RmVBduds6oMotGVmpioYXYH75eFvSJKW713fDhBt/8rmRc9CtWOE0zxIa2iRSU7GMNfSA0tpCnjYgBaF8nkelLdvGC54yIMFRXjLwp1Ifn+FpLPg8it2O2+55zebx9UiDahfLh/MAi4oQLNu8cMnIBsMLwxyhzHontJf+RZ22ZlLk+Nkhj/+8m94odt/zxftPw9+cFAV776f7kjQrxDEDsmKWE169b1uhTFUACC+2ETUmQSkhpPHgjF8BT3VYr/vyfmquZw3jSRMMvrRr42RDui9b9mRgL2hicJNzA382/ZhcJ/g61ZvB2vqAdyw5LXbYyPKPZyYq3QcNEcSGFcXshRTStBAoakYoUJFeUBJ/xYrongrFYTqRu+GA+sBODywTJPgn/237Y13v8kEQ7YxgwgHs4OvG7Ko9roKacfSOa4x7TGwzXEavNZwzb96I7Qfx87u/GMXLRwfdDXyUYxCwPJllqQqY35PzOVy+QCqHKX4PZnVeKqjWMstgJ/oiC3y8syi4TFmoAYx1XK9Sh624k5Odi1RUFnbdK4DZddsj2VO5dtTc4nRmxkpig3x7wetZKlYCQG1IkryhvQZvGEaYeF4RfuWeeSLDp7mH5ofbOyiwu3/EWl1+HwSs+520tQoCVfiNnDrHUN2gTT6seZTvt9+V+s2TOV2ADS7uFIOEE0lbbHJ5I4zb88iJQevEXZEi/5n0X2i6CWdkE69eSy9+vnZbDmqoedN49ylA7+LrwjltK+DOgkMAUDWmab9Oen27H/+ED0T6lGguErnqTcrJ/WOd8Uq6u8DgNL3Isu6g6zDzK839QZmXkHIkhFeBWCj4XxP1HOIuv3AOy6g1uyijdrxuzGMqf/DZrQM3jPiK3hcqpl605A1AozyshS54lKBb4dPfLzQE7xtMDYDxMgPQ20zP3qCNF81oMFRWKPGbGVPLnTsV+O+uIgPfOMZIkLtzbhNfQp/eDhgmIkmQxVQa78xpYcdWq5AuUjPEqxYHzwj80HHHtQ+AcyUb/EklqHBBpafWyjF4g4+zc4QNaiD43rQ423gaDH0SumSM4FLltaA0yBRC+7P76PXO0BPXqf
On 08/15/2018 01:55 PM, Andrew Gallo wrote:
Greetings, Security WG:

Seth Garrett and I have been trading some emails about creating a ROA request with a lot of prefixes.  I've written a script that can make this easier.
https://github.com/CAAREN-engineering/generateSignedROAreq

Here's the scenario and use-case:

If you have a large summary prefix, let's say an IPv4 /16, and you would like to cover this prefix AND all the /24s within it, you *could* use the Max Length feature to create a ROA request for 172.16.0.0/16-24. HOWEVER, use of Max Length field is no longer recommended (can lead to larger attack surface).

You might want ROAs covering all the constituent /24s so that they can be originated by a DDoS scrubbing service.

At this point, following best practices, you're left with entering 256 prefixes by hand in the Hosted RPKI portal.  There is another way!

You can pasted into the portal pre-formatted, pre-signed text.

ARIN's instructions are here:
https://www.arin.net/resources/rpki/roarequest.html

I wrote a script to help make this process easier.  What you'll need:
Python 3.3+
a file containing a list of prefixes you want included in the ROA (you can mix v4 and v6)
Your private key

The script will ask you some basic information needed to create the ROA request data:
Origin ASN
ROA name
Validity Start Date
Validity End Date


Let me know if you have any questions.





   I'm really failing to see the big win here.   It's not so much the use of maxlength that's the
issue, but rather having ROA's allowing announcements of prefixes which
you do not normally announce (which are more specifics of prefixes you normally do announce).
When you use maxlength, the attacker still needs to spoof origin AS in the AS_PATH
in order to hijack a prefix.    By registering a bunch of /24's (or /48's) which
are not normally announced, you still opening yourself up to hijacks of those individual
prefixes with the same type of origin AS spoofing.   For most networks, hijacking a few strategic
/24's or /48's will likely be just as deadly as hijacking a larger block.


 -Larry Blunk
  Merit




Archive powered by MHonArc 2.6.19.

Top of Page