
netsec-sig - Re: [Security-WG] [External] RE: BCP for Origin validation (RFC7115)

Subject: Internet2 Network Security SIG

  • From: Steven Wallace <>
  • To:
  • Subject: Re: [Security-WG] [External] RE: BCP for Origin validation (RFC7115)
  • Date: Tue, 23 Apr 2019 15:45:01 -0400


> On Apr 19, 2019, at 3:04 PM, Spurling, Shannon <> wrote:
>
> You just need to be shorter than some... How many I2 participants prepend
> I1 peers so traffic will better prefer I2?
>
> S-
>
>
>

That took a bit to fully sink in. I suspect many of us are prepending towards
our transit providers, sometimes to an extreme, to maximize the benefit of
TR-CPS. As Shannon points out, that could severely handicap the transit
providers from leveraging RPKI to prevent hijacks of our networks. I had
thought that RPKI’s value to the transit providers is that they won’t have to
rely on complete IRR data to filter routes from their inter-transit provider
peering, where it’s least likely to be workable. Instead they can at least do
origin validation so long as the resource owner created ROAs, a relatively
low bar. But if we’re injecting two, four, a dozen, prepended origins then
we’re effectively announcing loud-and-clear that these are subject to a
relatively simple attack. Such an attack is more difficult than simply
announcing the prefix from the attacker’s AS.




Attachment: smime.p7s
Description: S/MIME cryptographic signature
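
An added example, not part of the original message: a small audit of announcements that shows why prepend depth matters alongside origin validation. RFC 6811 validation looks only at the prefix and the last AS in the path, so a heavily padded path and an unpadded path with the same origin get the same state. The ROA, the prefix, the AS numbers and the `max_prepends` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation prefix, documentation ASNs).
ROAS = [("192.0.2.0/24", 24, 64500)]  # (prefix, maxLength, authorized origin)

def rov_state(prefix, as_path, roas=ROAS):
    """RFC 6811 state for a route; only the prefix and the last AS are checked."""
    net, origin, covered = ipaddress.ip_network(prefix), as_path[-1], False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version == roa_net.version and net.subnet_of(roa_net):
            covered = True
            if net.prefixlen <= max_len and roa_as == origin and roa_as != 0:
                return "valid"
    return "invalid" if covered else "not-found"

def origin_prepends(as_path):
    """Number of extra copies of the origin AS at the end of the path."""
    origin, copies = as_path[-1], 0
    for asn in reversed(as_path):
        if asn != origin:
            break
        copies += 1
    return copies - 1

def audit(prefix, as_path, max_prepends=2, roas=ROAS):
    """Report ROV state and prepend depth; flag valid routes padded past the limit."""
    state, pads = rov_state(prefix, as_path, roas), origin_prepends(as_path)
    return {
        "rov": state,
        "path_len": len(as_path),
        "prepends": pads,
        # Length a path with the same origin would have without the padding.
        "unpadded_len": len(as_path) - pads,
        # max_prepends is an assumed local policy value, not a standard.
        "flag": state == "valid" and pads > max_prepends,
    }

# Constructed paths as a route collector might see them via AS 64496.
PADDED = [64496, 64500, 64500, 64500, 64500, 64500]  # origin prepended 4 times
PLAIN = [64496, 64500]                                # same origin, no prepends
WRONG_ORIGIN = [64496, 64511]                         # origin not in any ROA

if __name__ == "__main__":
    for path in (PADDED, PLAIN, WRONG_ORIGIN):
        print(path, audit("192.0.2.0/24", path))
```

The gap between `path_len` and `unpadded_len` is the part of the path that origin validation says nothing about.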



