>>> Reject RPKI INVALID announcement 200.124.231.0/24 by AS0 > >> >> So I was wondering: >> - Did I incorrectly assume first match wins? >> - Is the reject_bogon_asns() function not working as intended? > > Hello > > bgp_path.last returns 0 if the last item is AS_SET. There are most likely > no AS0 in the path.
Thank you for your explanation. I looked into the relevant RFC to find out what is supposed to happen in cases where the final segment type is AS_SET: https://tools.ietf.org/html/rfc6811 : > o Route Origin ASN: The origin AS number derived from a Route as > follows: > > * the rightmost AS in the final segment of the AS_PATH attribute > in the Route if that segment is of type AS_SEQUENCE, or > > * the BGP speaker's own AS number if that segment is of type > AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty, > or > > * the distinguished value "NONE" if the final segment of the <<<< > AS_PATH attribute is of any other type. <<<< [...] > We observe that no VRP can have the value "NONE" as its VRP ASN. > Thus, a Route whose Origin ASN is "NONE" cannot be Matched by any > VRP. Similarly, no valid Route can have an Origin ASN of zero [AS0]. > Thus, no Route can be Matched by a VRP whose ASN is zero. It looks like BIRD's mapping from "NONE" to "0" leads to the following problem and attack possibility: RPKI ROAs with an AS0 are used by address holders to state "this prefix is not in use don't accept any announcement containing it" [1]. examples: https://rpki-validator.ripe.net/roas?q=AS0 AS0 in AS_PATH is commonly filtered but the announcements in question do not actually contain any AS0 and will not be filtered. As I understand it BIRD's ROA check as seen in the documentation will return a RPKI validity state of VALID if the last AS_PATH item was of type AS_SET and the address holder created a ROA with AS0 for it. So an attacker could do the following to bypass BIRD's ROA check: - lookup prefixes for which an AS0 ROA exists - announce these prefixes using an AS_SET segment type Can you confirm that? thanks, Christoph [1] https://tools.ietf.org/html/rfc7607 : > By allowing a Resource Public Key Infrastructure (RPKI) resource > holder to issue a ROA saying that AS 0 is the only valid origin for a > route, we allow them to state that a particular address resource is > not in use.
