netsec-sig - Re: [External] Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes

  • From: "Garrett, Seth B" <>
  • To: "" <>, Andrew Gallo <>
  • Subject: Re: [External] Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 16:06:21 +0000
  • Accept-language: en-US

In its current state it's a trade-off. You're enabling valid scrubbing prefixes in a manner that exposes the least amount of surface by defining the specific prefixes rather than using maxlength. It's well established beforehand too, so you know what's in play if that does happen.


In the case of a /16 route with a bunch of /24s also in RPKI:


Invalid AS:

/16 through /24 protected in RPKI using maxlength or not.


AS Spoof:

/16 and /24s vulnerable

/17 through /23 not vulnerable


However, your countermeasure can be to advertise your /24 back. The attacker then has to challenge that directly. You also do not have to generate a /24 for the entire /16 if you only have specific services you want to protect with valid scrubbed routes.


It's not perfect, but it does create a smaller surface to attack. The value of an organization working through this decision on how to use RPKI combined with their scrubbing service is important as well. There is no one-size-fits-all here, but you walk away with 1) using RPKI and 2) knowing exactly how your RPKI is configured and where the weaknesses are (and why). That is much better done before an attack than after.



Seth Garrett
Principal Network Engineer
Indiana University
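To make the two cases in the table above concrete, here is an added example that is not from any message in this thread. It applies RFC 6811 origin validation to a constructed ROA set; the prefix 198.18.0.0/16 and the ASNs 64496 and 64511 are placeholders from the benchmarking and documentation ranges, not anyone's real resources.

```python
import ipaddress

ORIGIN_AS = 64496  # placeholder for the legitimate origin AS


def roas_with_specifics(covering, specific_len, origin=ORIGIN_AS):
    """ROA set: the covering prefix plus one ROA per more-specific of one
    length, each with maxlength equal to its own length (no maxlength slack)."""
    net = ipaddress.ip_network(covering)
    roas = [(net, net.prefixlen, origin)]
    roas += [(sub, specific_len, origin)
             for sub in net.subnets(new_prefix=specific_len)]
    return roas


def roas_with_maxlength(covering, maxlen, origin=ORIGIN_AS):
    """ROA set: a single ROA whose maxlength authorizes every length down to maxlen."""
    net = ipaddress.ip_network(covering)
    return [(net, maxlen, origin)]


def enumerated_count(covering, longest):
    """Number of prefixes if every length from the covering prefix down to
    `longest` were listed individually (the 511 figure for /16 through /24)."""
    start = ipaddress.ip_network(covering).prefixlen
    return sum(2 ** (length - start) for length in range(start, longest + 1))


def validate(roas, announced, origin):
    """RFC 6811 route origin validation: Valid, Invalid or NotFound."""
    route = ipaddress.ip_network(announced)
    covered = False
    for net, maxlen, roa_as in roas:
        if route.subnet_of(net):          # this ROA covers the announced prefix
            covered = True
            if route.prefixlen <= maxlen and roa_as == origin:
                return "Valid"
    return "Invalid" if covered else "NotFound"


def surface(roas, covering, longest, origin):
    """Validation state a router would assign to one announcement at each
    length under the covering prefix, given the origin AS in the announcement.
    Running it with the legitimate origin models the AS-spoof case; with any
    other origin it models the wrong-AS case from the table."""
    net = ipaddress.ip_network(covering)
    return {length: validate(roas, next(net.subnets(new_prefix=length)), origin)
            for length in range(net.prefixlen, longest + 1)}
```

With the specifics-only ROA set and the legitimate origin, /16 and /24 come back Valid while /17 through /23 are Invalid; with a maxlength-24 ROA every length is Valid.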


From: <> on behalf of Jeff Bartig <>
Sent: Monday, August 20, 2018 11:49 AM
To: ; Andrew Gallo
Subject: [External] Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
 


Andrew Gallo wrote on 8/20/18 10:07 AM:

   I'm really failing to see the big win here. It's not so much the use of maxlength that's the issue, but rather having ROAs allowing announcements of prefixes which you do not normally announce (which are more specifics of prefixes you normally do announce). When you use maxlength, the attacker still needs to spoof the origin AS in the AS_PATH in order to hijack a prefix. By registering a bunch of /24s (or /48s) which are not normally announced, you are still opening yourself up to hijacks of those individual prefixes with the same type of origin AS spoofing. For most networks, hijacking a few strategic /24s or /48s will likely be just as deadly as hijacking a larger block.


 -Larry Blunk
  Merit

Yes, that is true, creating ROAs for all the /24s does create a large attack surface.  BUT, it is still less than creating *all* the prefixes between /16 and /24

Creating a ROA that covers a /16 and all /24s is 257 prefixes, while 16-24 (inclusive) would be 511 total prefixes, some of which are pretty large.

You are correct in that this type of attack would require AS spoofing, which should (hopefully) be harder.

Larry makes a good point.  Is there really much difference in the attack surface here?  In both examples, the /24s really define the attack surface.  I really don't see an evil attacker giving up because they couldn't announce /23s.  If /24s can be advertised in a hijacking attack, I think that would be preferred over other shorter prefixes.

Jeff

--
Jeff Bartig
Interconnection Architect
Internet2  AS11164 / AS11537
+1-608-616-9908


