netsec-sig - Re: [Security-WG] BCP for Origin validation (RFC7115)
Subject: Internet2 Network Security SIG
- From: John Kristoff <>
- To: David Farmer <>
- Cc: "" <>
- Subject: Re: [Security-WG] BCP for Origin validation (RFC7115)
- Date: Fri, 19 Apr 2019 22:29:16 -0500
On Fri, 19 Apr 2019 15:49:49 +0000
David Farmer <> wrote:
> As the BGP origin AS of an update is not signed, origin validation is
> open to malicious spoofing. Therefore, RPKI-based origin validation
> is expected to deal only with inadvertent mis-advertisement.
>
> I think what this is saying is that the owner of a prefix could
> maliciously say the prefix is originated by an ASN incorrectly.
All it says is that it helps limit mistakes and accidents (i.e. route
leaks). ROV alone does not and cannot protect against attacks smarter
than that. This is a known vulnerability.
The append (postpend?) is an example of a smarter attack.
John
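Added example, not part of the original message: a minimal Python sketch of the RFC 6811 origin-validation decision, showing which routes ROV rejects and why a path that merely ends in the authorized AS still comes out valid. The VRPs, prefixes and AS numbers are constructed documentation values, and `rov_state` is a hypothetical helper name.

```python
import ipaddress

# Constructed VRPs (prefix, maxLength, authorized origin AS), built from
# documentation prefixes and ASNs; not data from the original thread.
VRPS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("2001:db8::/32"), 48, 64496),
]

def rov_state(prefix, as_path, vrps=VRPS):
    """Classify a route as valid, invalid or notfound (RFC 6811 procedure).

    Only the rightmost AS of the path (the claimed origin) is compared with
    the VRPs; the rest of the path is never examined.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for vrp_net, max_len, vrp_asn in vrps:
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True  # at least one VRP covers this prefix
        # A VRP for AS 0 authorizes no origin at all.
        if vrp_asn != 0 and vrp_asn == origin and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "notfound"

# Constructed sample routes: (prefix, AS path as received, leftmost = neighbor).
ROUTES = {
    "authorized origin": ("192.0.2.0/24", [64510, 64496]),
    "wrong origin (mis-origination)": ("192.0.2.0/24", [64510, 64511]),
    "more specific than maxLength": ("192.0.2.128/25", [64510, 64496]),
    "no covering VRP": ("198.51.100.0/24", [64510, 64511]),
    # Same prefix, but AS 64511 announces it with 64496 as the last hop.
    # The origin matches the VRP, so ROV alone cannot tell it apart.
    "authorized AS at end of another AS's path": ("192.0.2.0/24", [64510, 64511, 64496]),
}

def classify_all(routes=ROUTES):
    return {label: rov_state(p, path) for label, (p, path) in routes.items()}

if __name__ == "__main__":
    for label, state in classify_all().items():
        print(f"{state:9} {label}")
```

The last case is why the unsigned origin limits ROV to catching mis-origination; validating the rest of the path needs a separate mechanism.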