Skip to Content.
Sympa Menu

netsec-sig - [Security-WG] BCP for Origin validation (RFC7115)

Subject: Internet2 Network Security SIG

List archive

[Security-WG] BCP for Origin validation (RFC7115)


Chronological Thread 
    < Chronological >      < Thread >
  • From: David Farmer <>
  • To:
  • Subject: [Security-WG] BCP for Origin validation (RFC7115)
  • Date: Fri, 19 Apr 2019 10:49:49 -0500
The Security Considerations of RFC7115 has the following statement in it;

   As the BGP origin AS of an update is not signed, origin validation is
   open to malicious spoofing.  Therefore, RPKI-based origin validation
   is expected to deal only with inadvertent mis-advertisement.

I think what this is saying is that the owner of a prefix could maliciously say the prefix is originated by an ASN incorrectly.  However, I don't believe the converse is true, an ASN cannot maliciously say the prefix is originated by it.

Or put another way ROAs say which ASNs originate the prefix, and they are signed by the owner of the prefix, but there is no way for an ASN to say which prefixes it originates, that is then signed by the owner of the ASN.

Do I have that right?

Thanks.


 
--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

Archive powered by MHonArc 2.6.19.

Top of Page