
netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes

Subject: Internet2 Network Security SIG


Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes


  • From: Andrew Gallo <>
  • To:
  • Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 12:04:10 -0400



On 8/20/2018 11:49 AM, Larry Blunk wrote:
On 08/20/2018 11:07 AM, Andrew Gallo wrote:

I'm really failing to see the big win here. It's not so much the use of maxlength that's the issue, but rather having ROAs allowing announcements of prefixes which you do not normally announce (which are more specifics of prefixes you normally do announce). When you use maxlength, the attacker still needs to spoof the origin AS in the AS_PATH in order to hijack a prefix. By registering a bunch of /24s (or /48s) which are not normally announced, you are still opening yourself up to hijacks of those individual prefixes with the same type of origin AS spoofing. For most networks, hijacking a few strategic /24s or /48s will likely be just as deadly as hijacking a larger block.


 -Larry Blunk
  Merit




Yes, that is true, creating ROAs for all the /24s does create a large attack surface. BUT, it is still less than creating *all* the prefixes between /16 and /24.

Creating a ROA that covers a /16 and all /24s is 257 prefixes, while 16-24 (inclusive) would be 511 total prefixes, some of which are pretty large.

You are correct in that this type of attack would require AS spoofing, which should (hopefully) be harder.

I think we're seeing the mismatch between real-time operational changes to the routing infrastructure (changing BGP advertisements) and the non-real-time data that is used to validate it.

We're also seeing a change in guidance from the standards bodies: the max length field was useful, but is no longer recommended.

Good discussion all around.



Andrew,
   I think you are missing my point. I'm not arguing for creating ROAs for all possible permutations of more specifics. I'm pointing out that by registering more specific ROAs for prefixes which are not normally announced, you are essentially opening yourself up to the exact same attacks which are enabled by the use of maxlength (the attacks in both cases require AS_PATH spoofing). What you are proposing is not actually a solution to the maxlength issue.


 -Larry


No, I understand your point.  I wasn't actually proposing this as a solution.  Seth had asked how this could be done, so I wrote a script to see if it could be done, and in the process found a bug in ARIN's ROA request submission portal, as well as a limit to the number of prefixes it will accept in a single ROA.

I agree creating ROAs that cover more specifics that aren't normally announced is a risk, but it could be a requirement given the difference between the real-time nature of having a DDoS provider announce one of your subnets, and the non-real-time creation and distribution of a ROA to cover it.  If you were forced into a position where you didn't know which /24 would need to be announced, or when it would need to be announced, how would you handle it?

Right now, there doesn't seem to be a good option, though Doug has shared some work that I wasn't aware of.




Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
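Added example (not from the thread or from either poster's script): a small RFC 6811 route-origin-validation model that builds the three ROA sets discussed above for a constructed /16 (198.18.0.0/16 from the benchmarking range, with documentation ASNs 64496 and 64511) and checks what each set says about a /24 announced with a forged origin AS. It reproduces the 257 and 511 ROA counts and shows that all three sets mark the forged-origin /24 Valid, which is the point Larry makes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_asn: int

def expand_roas(covering, origin_asn, lengths):
    """Explicit ROAs (maxLength == prefix length) for every subnet of
    `covering` at each prefix length in `lengths`."""
    net = ipaddress.IPv4Network(covering)
    return [ROA(sub, plen, origin_asn)
            for plen in lengths for sub in net.subnets(new_prefix=plen)]

def validate(route, origin_asn, roas):
    """RFC 6811 ROV: NotFound if no ROA covers the route; Valid if a covering
    ROA matches the origin ASN and route length <= maxLength; else Invalid."""
    net = ipaddress.IPv4Network(route)
    covered = [r for r in roas if net.subnet_of(r.prefix)]
    if not covered:
        return "NotFound"
    if any(r.origin_asn == origin_asn and net.prefixlen <= r.max_length
           for r in covered):
        return "Valid"
    return "Invalid"

def compare_roa_sets(block="198.18.0.0/16", legit=64496, attacker=64511):
    """Three ways to authorise the /16 and its /24s (constructed data):
    A) one ROA with maxLength 24; B) the /16 plus all 256 /24s as explicit
    ROAs (257); C) every length from /16 to /24 as explicit ROAs (511)."""
    sets = {
        "maxlength": [ROA(ipaddress.IPv4Network(block), 24, legit)],
        "explicit_16_24": expand_roas(block, legit, [16, 24]),
        "all_16_to_24": expand_roas(block, legit, range(16, 25)),
    }
    results = {}
    for name, roas in sets.items():
        results[name] = {
            "roa_count": len(roas),
            # hijacker announces a /24 while forging the legitimate origin ASN
            "spoofed_origin_/24": validate("198.18.7.0/24", legit, roas),
            # same /24 announced from the hijacker's own ASN
            "wrong_origin_/24": validate("198.18.7.0/24", attacker, roas),
            # a /20 the holder never registered explicitly
            "unregistered_/20": validate("198.18.16.0/20", legit, roas),
        }
    return results
```

Only the unregistered /20 separates the sets: set B rejects it, while maxLength (A) and the full expansion (C) accept it, so B is the smaller attack surface Andrew describes, but the forged-origin /24 is Valid under all three.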




