Skip to Content.
Sympa Menu

netsec-sig - Re: [Security-WG] [External] RE: BCP for Origin validation (RFC7115)

Subject: Internet2 Network Security SIG

List archive

Re: [Security-WG] [External] RE: BCP for Origin validation (RFC7115)


Chronological Thread 
    < Chronological >      < Thread >
  • From: David Farmer <>
  • To:
  • Subject: Re: [Security-WG] [External] RE: BCP for Origin validation (RFC7115)
  • Date: Tue, 23 Apr 2019 16:21:03 -0500


On Tue, Apr 23, 2019 at 2:45 PM Steven Wallace <> wrote:

> On Apr 19, 2019, at 3:04 PM, Spurling, Shannon <> wrote:
>
> You just need to be shorter than some... How many I2 participants prepend I1 peers so traffic will better prefer I2?
>
> S-

That took a bit to fully sink in. I suspect many of us are prepending towards our transit providers, sometimes to an extreme, to maximize the benefit of TR-CPS. As Shannon points out that could severely handicap the transit providers from leveraging RPKI to prevent hijacks of our networks. I had thought that RPKI’s value to the transit providers is that they won’t have to rely on complete IRR data to filter routes from their inter-transit provider peering, where it’s least likely to be workable. Instead they can at least do origin validation so long as the resource owner created ROAs, a relatively low bar. But if we’re injecting two, four, a dozen, prepended origins then we’re effectively announcing loud-and-clear that these are subject to a relatively simple attack. Such an attack is more difficult than the simply announcing the prefix from attacker’s AS.

Your direct transit providers usually local preferences the routes they learn from you as a customer.  So the peers and customers of your transit providers that you prepend to have the issue you describe. However, your direct transit providers usually won't unless you de-preference your routes with BGP communities going to them. 

Also, RPKI doesn't have an AS-Set construct so you still need IRRs, there is work on AS Cones for RPKI, but it will be a while if it even ever gets fully baked.


You can also use ROAs as IRR route/route6 objects and even override IRR route objects if they conflict with a ROA.

Also, origin validation is no help if a bad guy is in the path between you and someone doing origin validation, all they have to do is artificially prepend your valid path, so their bogus path looks better.

Repeat after me "RPKI is only a start" 🤔

Thanks

--
===============================================
David Farmer              
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota  
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

Archive powered by MHonArc 2.6.19.

Top of Page