
netsec-sig - RE: [Security-WG] BCP for Origin validation (RFC7115)

Subject: Internet2 Network Security SIG

  • From: "Spurling, Shannon" <>
  • To: "" <>
  • Subject: RE: [Security-WG] BCP for Origin validation (RFC7115)
  • Date: Fri, 19 Apr 2019 15:56:48 +0000

Unless there were some extension in the BGP address family to attach a signature to the original advertisement…

Shannon Spurling

From: <> On Behalf Of David Farmer
Sent: Friday, April 19, 2019 10:50 AM
To:
Subject: [Security-WG] BCP for Origin validation (RFC7115)

 

The Security Considerations of RFC7115 has the following statement in it;


   As the BGP origin AS of an update is not signed, origin validation is
   open to malicious spoofing.  Therefore, RPKI-based origin validation
   is expected to deal only with inadvertent mis-advertisement.

 

I think what this is saying is that the owner of a prefix could maliciously say the prefix is originated by an ASN incorrectly.  However, I don't believe the converse is true, an ASN cannot maliciously say the prefix is originated by it.

 

Or put another way ROAs say which ASNs originate the prefix, and they are signed by the owner of the prefix, but there is no way for an ASN to say which prefixes it originates, that is then signed by the owner of the ASN.

 

Do I have that right?

 

Thanks.

--

===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================
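
Added example, not part of the original messages: a minimal sketch of the RFC 6811 origin-validation decision that the RFC 7115 statement quoted above refers to, showing that the check takes only the prefix and the origin AS number carried in the update. The ROAs are constructed from documentation prefixes and documentation/private-use ASNs, and the names `SAMPLE_ROAS`, `origin_as` and `validate` are hypothetical.

```python
import ipaddress

# Constructed sample ROAs (not real data): (prefix, maxLength, authorized origin AS).
# Each ROA is signed by the holder of the prefix, as discussed in the thread.
SAMPLE_ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]


def origin_as(as_path):
    """Origin AS = rightmost AS in the AS_PATH (simplification: AS_SET not handled)."""
    return as_path[-1]


def validate(prefix, as_path, roas=SAMPLE_ROAS):
    """Return 'valid', 'invalid' or 'notfound' for a route, per the RFC 6811 procedure."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA is relevant only if its prefix covers the announced prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match requires the same origin AS (AS 0 never matches) and a
        # prefix length no longer than the ROA's maxLength.
        if roa_as != 0 and roa_as == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "notfound"


if __name__ == "__main__":
    # The inputs are the prefix and the AS_PATH as received; nothing in the
    # check verifies a signature over the origin AS itself.
    for pfx, path in [("192.0.2.0/24", [64510, 64500]),
                      ("192.0.2.0/24", [64510, 64666]),
                      ("192.0.2.0/25", [64500]),
                      ("203.0.113.0/24", [64500])]:
        print(pfx, path, validate(pfx, path))
```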



