Internet2 Network Security SIG

[Andrew Gallo <>]

>    I'm really failing to see the big win here.   It's not so much the 
> use of maxlength that's the
> issue, but rather having ROA's allowing announcements of prefixes which
> you do not normally announce (which are more specifics of prefixes you 
> normally do announce).
> When you use maxlength, the attacker still needs to spoof origin AS in 
> the AS_PATH
> in order to hijack a prefix.    By registering a bunch of /24's (or 
> /48's) which
> are not normally announced, you still opening yourself up to hijacks 
> of those individual
> prefixes with the same type of origin AS spoofing.   For most 
> networks, hijacking a few strategic
> /24's or /48's will likely be just as deadly as hijacking a larger block.
>
>
>  -Larry Blunk
>   Merit

Yes, that is true, creating ROAs for all the /24s does create a large 
attack surface.  BUT, it is still less than creating *all* the prefixes 
between /16 and /24

Creating a ROA that covers a /16 and all /24s is 257 prefixes, while 
16-24 (inclusive) would be 511 total prefixes, some of which are pretty 
large.

You are correct in that this type of attack would require AS spoofing, 
which should (hopefully) be harder.

I think we're seeing the mismatch between real-time operational changes 
to the routing infrastructure (changing BGP advertisements) and the 
non-real-time data that is used to validate it.

We're also seeing a change in guidance from the standards bodies- the 
max length field was useful, but is no longer recommended.

Good discussion all around.


--
________________________________
Andrew Gallo
The George Washington University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature