Internet2 Network Security SIG

["Montgomery, Douglas (Fed)" <>]

It is well known that current RPKI-based BGP-OV is subject to forged origin 
attacks, where the attacker adds an origin AS to the path that is listed in a 
ROA.

If your ROAs are tight, it still prevents sub-prefix hijacks, it does make 
the path 1 hop longer, and it might trigger other AS-PATH filters in 
neighboring networks.

Certainly RPKI-OV would address many of the hijacks / mis originations we 
have seen to date.  What remains to be seen is of those that were actually 
intentional/malicious, how effective forged origin prepending attacks would 
be.

There are two approaches to closing the remaining vulnerabilities in PATH 
manipulations.

Full AS-PATH signing/validation (crypto on router) -
https://datatracker.ietf.org/doc/rfc8205/

or, if that is a bridge too far ... near term approach.

RPKI-based data to filter in-feasible paths -
https://datatracker.ietf.org/doc/draft-azimov-sidrops-aspa-verification/
https://datatracker.ietf.org/doc/draft-azimov-sidrops-aspa-profile/


dougm
--
Doug Montgomery, Manager Internet  & Scalable Systems Research @ NIST
 

On 4/19/19, 12:05 PM, "Brad Fleming" < on 
behalf of > wrote:

    I’m assuming it means “there’s not way to cryptographically sign the 
actual BGP update on the router and it’s easy to pretend to be any ASN; thus 
a malicious actor can still defeat RPKI-based OV. meaning OV will generally 
only protect against configuration mistakes.”
    
    Which somewhat goes with the spirit of the following paragraph:
       Origin validation does not address the problem of AS_PATH validation.
       Therefore, paths are open to manipulation, either malicious or
       accidental.
    
    So I think maybe Randy was just pointing out the two major, known 
limitations of OV; malicious actors can still hijack in at least some cases, 
and this doesn’t do anything for path-level validation.
    --
    Brad Fleming
    Assistant Director for Technology
    Kansas Research and Education Network
    
    > On Apr 19, 2019, at 10:49 AM, David Farmer <> wrote:
    > 
    > The Security Considerations of RFC7115 has the following statement in 
it;
    > 
    >    As the BGP origin AS of an update is not signed, origin validation is
    >    open to malicious spoofing.  Therefore, RPKI-based origin validation
    >    is expected to deal only with inadvertent mis-advertisement.
    > 
    > I think what this is saying is that the owner of a prefix could 
maliciously say the prefix is originated by an ASN incorrectly.  However, I 
don't believe the converse is true, an ASN cannot maliciously say the prefix 
is originated by it.
    > 
    > Or put another way ROAs say which ASNs originate the prefix, and they 
are signed by the owner of the prefix, but there is no way for an ASN to say 
which prefixes it originates, that is then signed by the owner of the ASN.
    > 
    > Do I have that right?
    > 
    > Thanks.
    > 
    > 
    >  
    > -- 
    > ===============================================
    > David Farmer               Email:
    > Networking & Telecommunication Services
    > Office of Information Technology
    > University of Minnesota   
    > 2218 University Ave SE        Phone: 612-626-0815
    > Minneapolis, MN 55414-3029   Cell: 612-812-9952
    > ===============================================