
netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes



Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes


  • From: Larry Blunk <>
  • To:
  • Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 11:49:21 -0400

On 08/20/2018 11:07 AM, Andrew Gallo wrote:

   I'm really failing to see the big win here. It's not so much the use of maxlength that's the
issue, but rather having ROAs allowing announcements of prefixes which
you do not normally announce (which are more specifics of prefixes you normally do announce).
When you use maxlength, the attacker still needs to spoof the origin AS in the AS_PATH
in order to hijack a prefix. By registering a bunch of /24s (or /48s) which
are not normally announced, you are still opening yourself up to hijacks of those individual
prefixes with the same type of origin AS spoofing. For most networks, hijacking a few strategic
/24s or /48s will likely be just as deadly as hijacking a larger block.


 -Larry Blunk
  Merit




Yes, that is true, creating ROAs for all the /24s does create a large attack surface. BUT, it is still less than creating *all* the prefixes between /16 and /24.

Creating a ROA that covers a /16 and all /24s is 257 prefixes, while 16-24 (inclusive) would be 511 total prefixes, some of which are pretty large.

You are correct in that this type of attack would require AS spoofing, which should (hopefully) be harder.

I think we're seeing the mismatch between real-time operational changes to the routing infrastructure (changing BGP advertisements) and the non-real-time data that is used to validate it.

We're also seeing a change in guidance from the standards bodies: the max length field was useful, but is no longer recommended.

Good discussion all around.



Andrew,
   I think you are missing my point. I'm not arguing for creating ROAs for all possible permutations
of more specifics. I'm pointing out that by registering more specific ROAs for prefixes which are
not normally announced, you are essentially opening yourself up to the exact same attacks which
are enabled by the use of maxlength (the attacks in both cases require AS_PATH spoofing). What
you are proposing is not actually a solution to the maxlength issue.


 -Larry
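As an added worked example for the exchange above (this is not part of the thread, and not Merit's, Internet2's or any RPKI software's code): a small Python script that implements route origin validation as specified in RFC 6811 over an in-memory ROA set, counts how many prefixes each of the three ROA layouts discussed above authorizes, and checks what happens to a /24 the holder never announces when the origin AS is forged. The covering block 10.10.0.0/16 (RFC 1918 space, used only because there is no documentation-purpose IPv4 /16), the AS numbers 64500 and 64666, the two "normally announced" /24s and all function names are constructed for the example.

```python
"""Added example, not part of the thread: what a ROA set actually authorizes.

Implements route origin validation as in RFC 6811 over an in-memory ROA set
and compares the three ROA layouts discussed above:

  1. one ROA for the /16 with maxLength 24,
  2. one ROA for the /16 plus an explicit ROA for every /24 under it,
  3. ROAs only for the prefixes actually announced (the /16 and two /24s).

No RPKI data is fetched. The covering block 10.10.0.0/16, the AS numbers and
the set of "normally announced" /24s are constructed placeholders; RFC 1918
space is used only because there is no documentation-purpose IPv4 /16.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # RFC 6482 maxLength; equals the prefix length when omitted
    asn: int          # origin AS authorized to originate the prefix


def covering_roas(roas, route):
    """ROAs whose prefix covers `route` ('covered' in RFC 6811). maxLength is
    deliberately ignored here: a too-long more-specific is still covered."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas, route, origin_asn):
    """RFC 6811 validation state for `route` announced with `origin_asn`."""
    covered = covering_roas(roas, route)
    if not covered:
        return "NotFound"
    for r in covered:
        # 'matched': covered, not longer than maxLength, same origin AS
        if route.prefixlen <= r.max_length and r.asn == origin_asn:
            return "Valid"
    return "Invalid"


def authorized_prefixes(roas):
    """Every prefix some ROA lets its AS originate. For an attacker who can
    forge that AS as the origin in the AS_PATH, this is the hijack surface."""
    out = set()
    for r in roas:
        for plen in range(r.prefix.prefixlen, r.max_length + 1):
            out.update(r.prefix.subnets(new_prefix=plen))
    return out


def build_roa_sets(block, asn, announced_specifics):
    """The three layouts from the thread for one block and its announced /24s."""
    block = ipaddress.ip_network(block)
    specifics = [ipaddress.ip_network(p) for p in announced_specifics]
    maxlen = max(p.prefixlen for p in specifics)
    return {
        "maxLength": [ROA(block, maxlen, asn)],
        "all more-specifics": [ROA(block, block.prefixlen, asn)]
        + [ROA(p, maxlen, asn) for p in block.subnets(new_prefix=maxlen)],
        "announced only": [ROA(block, block.prefixlen, asn)]
        + [ROA(p, p.prefixlen, asn) for p in specifics],
    }


LEGIT_AS = 64500      # constructed: the legitimate origin AS
ATTACKER_AS = 64666   # constructed: the attacker's own AS
SETS = build_roa_sets("10.10.0.0/16", LEGIT_AS, ["10.10.1.0/24", "10.10.7.0/24"])


def surface_sizes():
    """Number of distinct prefixes a forged-origin announcement can validate as."""
    return {name: len(authorized_prefixes(roas)) for name, roas in SETS.items()}


def state(set_name, route, origin_asn):
    """Validation state of `route` under one of the three ROA layouts."""
    return validate(SETS[set_name], ipaddress.ip_network(route), origin_asn)


def hijack_outcomes(route="10.10.200.0/24"):
    """A /24 the holder never announces: state with the origin AS forged, and
    with the attacker using its own AS."""
    return {name: (state(name, route, LEGIT_AS), state(name, route, ATTACKER_AS))
            for name in SETS}


if __name__ == "__main__":
    for name, n in surface_sizes().items():
        print(f"{name:20s}: {n:3d} prefixes authorized")
    for name, (forged, own) in hijack_outcomes().items():
        print(f"{name:20s}: forged origin -> {forged}, attacker's own origin -> {own}")
```

Running it gives 511 authorized prefixes for the single maxLength-24 ROA, 257 for the /16 plus every /24, and 3 for ROAs that cover only what is announced (the counts Andrew quotes). It also shows the point Larry is making: 10.10.200.0/24, which the holder never announces, validates as Valid under both the maxLength ROA and the enumerated-/24 set as soon as the origin AS is forged, and is Invalid only under the announced-only set; with the attacker's own AS as origin it is Invalid everywhere. A /25 under the maxLength-24 ROA comes back Invalid (covered but longer than maxLength), and a prefix outside the /16 comes back NotFound.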




