Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes


Chronological Thread 
  • From: "Montgomery, Douglas (Fed)" <>
  • To: " List:" <>
  • Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
  • Date: Mon, 20 Aug 2018 20:05:19 +0000
  • Accept-language: en-US
  • Authentication-results: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:fY43NRBuIHR8A2T3Zvu5UyQJP3N1i/DPJgcQr6AfoPdwSP37osywAkXT6L1XgUPTWs2DsrQY07WQ6/iocFdDyK7JiGoFfp1IWk1NouQttCtkPvS4D1bmJuXhdS0wEZcKflZk+3amLRodQ56mNBXdrXKo8DEdBAj0OxZrKeTpAI7SiNm82/yv95HJbAhEmDiwbaluIBmqsA7cqtQYjYx+J6gr1xDHuGFIe+NYxWNpIVKcgRPx7dqu8ZBg7ipdpesv+9ZPXqvmcas4S6dYDCk9PGAu+MLrrxjDQhCR6XYaT24bjwBHAwnB7BH9Q5fxri73vfdz1SWGIcH7S60/Vjq476dvVRTmliEJOTAk+23Tk8B8kb5XrBenqhdiwYDbfZuVOeJ+cK3DYN0aWWRPUMVfVyNDDIy8bpcAAeUOMutDs4nyvF4OoQeiCQS2Bu7izCJDiH/s3a091uQsCQ/K0gsnH9IIrHTUo9L1NKIMXuCvzKjE1SjIYf1R2Tfg54jIdgouoeqRVr50ccTe11QgGwbLgl6NroHqIjSV1vkCs2ie9OdgU+Ovi3U7qw1rrTivwdksh5DPi4kIxF7E8iB5z5w0Jd2+UEN7YMCrEIdety2AMIt2WMwiTmd1syg50r0LoYC3czIWxJg6whPTduGLf5WN7xLtW+udPSt0iXdreL2imxq+7U2tx+j+W8Wp01tGtjRJn9jRunwR0hHf9NSLR/5880u/xzqDyQXe5vxLLEwokKfUN54szaAsmZcWvknMACz7lUvzgaKYdUgk9Oml5uHnb7jlvJCTLJd4ig/gPakthsCyBOE1PwcSUGWa+Omx0bzu8E7nTLpQi/A5jrPWvZHUJckeu6K1HgtY3Zol5h2iFTmpys4YkmMCLF9deBKIkYzpO1bWLf75E/qynUignCpyy/3YPLLtH4zBLn/Yn7j/Z7p97FNcyBYowtBY+pJUDKwOLOjrWk/rs9zYEgE2PBCow+bmD9V90JkSWWWSAq+FNKPStliI5uE1L+aQY48VvS7xK/kj5/HwkX80gUERcrO10ZcKbX20A+lqL1icbHrijdoNDXsGsw8wTOP3lFGOTTteanOwUq4h5Tw3EIemAp3CRoCpjryBxiC7HphOa29bDVCMDHjod4CfVvcKaSKSOdNhniYLVbimVY8tzQuuuxPiy7p7MurU/TUVtYn929dp+u3TjxAy9SB0DsiE3WCNQHp5nmcJRz8twKB/ulJxxk2C0ah+n/xXC8ZT5/VXXQcmK5LQ1fJ1BM3vWlGJQtDcAk2rSci8AC0gC80+694If0tnHdi+1FbO0zfiJ74Oi+7BTMgv/6nBxXntNoNixF7H0rUslV8rXpEJOGG70P1R7Q/WUsTslEOFmKGveL4NmGbh83qMyWOV9AF2XQIxG+2RUXcCaU7+q9Xi+gXNSKH4WudvCRdI1cPXcvgCUdbul1gTAa67Yo6Man+tm2q2GReDz6+Na4yvYWgGwSHBExVZwRsL8yOAMg4zTme6rmTSASYmNGqnYliksKFlrW+jCEo9zgWEdUpkgray5xEQrfqdUO9V0bUa628s
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99
A new version of the spec I mentioned earlier was just posted.

BGP RPKI-Based Origin Validation Clarifications
https://tools.ietf.org/html/draft-ietf-sidrops-ov-clarify-05

Mainly just cleaning up the wording, but if you have not read it yet, start
with the one above.

dougm
--
DougM at NIST


On 8/20/18, 1:13 PM, "Montgomery, Douglas (Fed)"
<>
wrote:

I should have provided an additional link with for the ASPA work. The
link below deals with the PATH validation aspects.
https://datatracker.ietf.org/doc/draft-azimov-sidrops-aspa-verification/

Also there is another RFC that provides a somewhat more fluid description
of RPKI validation.
https://tools.ietf.org/html/rfc6483

--
DougM at NIST


On 8/20/18, 12:49 PM, "Andrew Gallo"
<
on behalf of
>
wrote:



On 8/20/2018 11:49 AM, Larry Blunk wrote:
> On 08/20/2018 11:07 AM, Andrew Gallo wrote:
>>
>>> I'm really failing to see the big win here. It's not so much
>>> the use of maxlength that's the
>>> issue, but rather having ROA's allowing announcements of prefixes
which
>>> you do not normally announce (which are more specifics of
prefixes
>>> you normally do announce).
>>> When you use maxlength, the attacker still needs to spoof origin
AS
>>> in the AS_PATH
>>> in order to hijack a prefix. By registering a bunch of /24's
(or
>>> /48's) which
>>> are not normally announced, you still opening yourself up to
hijacks
>>> of those individual
>>> prefixes with the same type of origin AS spoofing. For most
>>> networks, hijacking a few strategic
>>> /24's or /48's will likely be just as deadly as hijacking a
larger
>>> block.
>>>
>>>
>>> -Larry Blunk
>>> Merit
>>>
>>>
>>>
>>
>> Yes, that is true, creating ROAs for all the /24s does create a
large
>> attack surface. BUT, it is still less than creating *all* the
>> prefixes between /16 and /24
>>
>> Creating a ROA that covers a /16 and all /24s is 257 prefixes,
while
>> 16-24 (inclusive) would be 511 total prefixes, some of which are
>> pretty large.
>>
>> You are correct in that this type of attack would require AS
>> spoofing, which should (hopefully) be harder.
>>
>> I think we're seeing the mismatch between real-time operational
>> changes to the routing infrastructure (changing BGP
advertisements)
>> and the non-real-time data that is used to validate it.
>>
>> We're also seeing a change in guidance from the standards bodies-
the
>> max length field was useful, but is no longer recommended.
>>
>> Good discussion all around.
>>
>>
>
> Andrew,
> I think you are missing my point. I'm not arguing for creating
> ROAs for all possible permutations
> of more specifics. I'm pointing out that by registering more
> specific ROAs for prefixes which are
> not normally announced, you are essentially opening yourself up to
the
> exact same attacks which
> are enabled by the use of maxlength (the attacks in both cases
require
> AS_PATH spoofing). What
> you are proposing is not actually a solution to the maxlength issue.
>
>
> -Larry
>
>
No, I understand your point. I wasn't actually proposing this as a
solution. Seth had asked how this could be done, so I wrote a script
to
see if it could be done, and in the process found a bug in ARIN's ROA
request submission portal, as well as a limit to the number of
prefixes
it will accept in a single ROA.

I agree creating ROAs that cover more specifics that aren't normally
announced is a risk, but it could be a requirement given the
difference
between the real-time nature of having a DDoS provider announce one
of
your subnets, and the non-real-time creation and distribution of a
ROA
to cover it. If you were forced into a position where you didn't
know
which /24 would need to be announced, or when it would need to be
announced, how would you handle it?

Right now, there doesn't seem to be a good option, though Doug has
shared some work that I wasn't aware of.









Archive powered by MHonArc 2.6.19.

Top of Page