
netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes

Subject: Internet2 Network Security SIG


Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes


  • From: Jeff Bartig <>
  • To: , Andrew Gallo <>
  • Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 10:49:36 -0500



Andrew Gallo wrote on 8/20/18 10:07 AM:

   I'm really failing to see the big win here. It's not so much the use of maxlength that's the issue, but rather having ROAs allowing announcements of prefixes which you do not normally announce (which are more specifics of prefixes you normally do announce). When you use maxlength, the attacker still needs to spoof the origin AS in the AS_PATH in order to hijack a prefix. By registering a bunch of /24s (or /48s) which are not normally announced, you are still opening yourself up to hijacks of those individual prefixes with the same type of origin AS spoofing. For most networks, hijacking a few strategic /24s or /48s will likely be just as deadly as hijacking a larger block.


 -Larry Blunk
  Merit

Yes, that is true, creating ROAs for all the /24s does create a large attack surface. BUT, it is still less than creating *all* the prefixes between /16 and /24.

Creating a ROA that covers a /16 and all /24s is 257 prefixes, while 16-24 (inclusive) would be 511 total prefixes, some of which are pretty large.

You are correct in that this type of attack would require AS spoofing, which should (hopefully) be harder.

Larry makes a good point.  Is there really much difference in the attack surface here?  In both examples, the /24s really define the attack surface.  I really don't see an evil attacker giving up because they couldn't announce /23s.  If /24s can be advertised in a hijacking attack, I think that would be preferred over other shorter prefixes.

Jeff

--
Jeff Bartig
Interconnection Architect
Internet2  AS11164 / AS11537
+1-608-616-9908
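To make the counts in this thread (257 vs. 511) and Larry's point about unannounced-but-ROA-valid prefixes concrete, here is an added example (not code from the thread). The 10.0.0.0/16 block is a constructed sample, and every ROA is assumed to name the same origin AS.

```python
import ipaddress


def count_covered(roa_prefix, max_length):
    """Number of distinct prefixes one ROA (prefix, maxLength) marks as valid
    for its origin AS: 2^(maxLength - prefixlen + 1) - 1."""
    net = ipaddress.ip_network(roa_prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between the prefix length and the address size")
    return 2 ** (max_length - net.prefixlen + 1) - 1


def roa_covered_prefixes(roa_prefix, max_length):
    """Enumerate every prefix the ROA validates: the prefix itself plus all
    more-specifics down to maxLength."""
    net = ipaddress.ip_network(roa_prefix)
    covered = {net}
    for plen in range(net.prefixlen + 1, max_length + 1):
        covered.update(net.subnets(new_prefix=plen))
    return covered


def per_prefix_roas(aggregate, specific_length):
    """The 'many ROAs' alternative from the thread: one ROA for the aggregate
    (maxLength = its own length) plus one ROA per more-specific at
    specific_length, each with maxLength equal to its own length."""
    net = ipaddress.ip_network(aggregate)
    roas = [(str(net), net.prefixlen)]
    roas += [(str(s), specific_length) for s in net.subnets(new_prefix=specific_length)]
    return roas


def spoofable_surface(roas, announced):
    """Prefixes the ROAs validate but the holder does not actually announce.
    An announcement of any of these with the holder's AS forged as origin
    still passes ROV, which is the surface Larry describes; it exists with
    a maxLength ROA and with per-prefix ROAs alike, only the size differs."""
    covered = set()
    for prefix, maxlen in roas:
        covered |= roa_covered_prefixes(prefix, maxlen)
    return covered - {ipaddress.ip_network(p) for p in announced}


if __name__ == "__main__":
    loose = [("10.0.0.0/16", 24)]                 # one ROA, maxLength 24
    strict = per_prefix_roas("10.0.0.0/16", 24)   # /16 plus 256 /24 ROAs
    announced = ["10.0.0.0/16"]                   # only the aggregate is in BGP
    print(count_covered("10.0.0.0/16", 24), len(strict))   # 511 257
    print(len(spoofable_surface(loose, announced)))        # 510
    print(len(spoofable_surface(strict, announced)))       # 256
```

Of the 510 spoofable prefixes in the maxLength case, 256 are the /24s, which is why both replies above treat the /24s as the part of the surface that actually matters.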



