On Mon, Feb 21, 2022 at 11:51 AM Matthias van de Meent <[email protected]> wrote:
> There is RPKI, which uses a certificate/PKI-based approach to the question
> of who is allowed to publish routes for certain prefixes. This makes
> certain prefixes 'bgp-hijacking-proof' for some definition of 'proof': If
> your ISP and all ISPs in between you and the client implement RPKI
> correctly, then your route to the client is guaranteed to be authorized by
> the owner of that prefix (excluding the possibility of key compromise).

This assertion is inaccurate. RPKI ensures that the advertised prefix has the/an origin-as (first ASN in the AS path) as dictated by the RPKI ROA records. RPKI does literally nothing to ensure that the advertisement in question did actually occur at the behest of the stated origin; only that the stated origin is one of those authorized for that prefix.

For example: Consider a hypothetical prefix 12.0.0.0/12 with a hypothetical ROA authorizing AS 4444 to advertise this. Further consider hypothetical bad actor AS 5555 with upstreams AS174 and AS6939. If AS 5555 wants to hijack this prefix, AS 5555 can synthesize a fake prepend of 4444 to their advertisement, as though they were a transit serving AS4444 and further sending that route upstream. The advertisement is thus 4444 5555 174 / 4444 5555 6939. If the upstreams consider that the best route, that will propagate.

What RPKI prevents in this case is a prefix advertisement of merely "5555 174" from being accepted as valid for 12.0.0.0/12. RPKI by itself will not stop an advertisement like "4444 5555 174" from going out, even if AS4444 did nothing to facilitate or authorize 5555 making such an advertisement.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAPAx59ESmbyNk86KQDp24rYZuCPgG%2ByTh2L5xXFYSd4mxuY3-Q%40mail.gmail.com.
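As an added illustration (not part of the thread above): a minimal RFC 6811 route origin validation check in Python, run over the hypothetical ROA and AS paths from the message. The ROA and the paths are constructed from the message's numbers, and AS paths are written origin-first, following the message's convention.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, authorized origin AS, and the
    most specific prefix length that origin may announce (maxLength)."""
    prefix: str
    origin_as: int
    max_length: int


# Constructed to match the hypothetical in the message above:
# only AS 4444 may originate 12.0.0.0/12, and nothing more specific.
ROAS = [ROA("12.0.0.0/12", 4444, 12)]


def covering_roas(prefix: str, roas):
    """Return the ROAs whose prefix contains the announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    return covering


def origin_validate(prefix: str, as_path, roas=ROAS) -> str:
    """RFC 6811 origin validation: Valid, Invalid or NotFound.

    as_path is origin-first (as written in the message), so only as_path[0]
    is compared against the ROAs. The remaining ASes, including whichever
    AS actually injected the route, are never consulted: that is the gap
    the message describes.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = covering_roas(prefix, roas)
    if not covering:
        return "NotFound"  # no ROA makes any statement about this space
    origin = as_path[0]
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"  # covered by a ROA, but wrong origin or too specific


if __name__ == "__main__":
    for path in ([5555, 174], [4444, 5555, 174], [4444, 174]):
        print(path, "->", origin_validate("12.0.0.0/12", path))
    print("12.0.0.0/13 from 4444 ->", origin_validate("12.0.0.0/13", [4444]))
    print("10.0.0.0/8 from 4444 ->", origin_validate("10.0.0.0/8", [4444]))
```

The bare "5555 174" announcement comes back Invalid, while the forged-origin "4444 5555 174" path is Valid, exactly as the message says; the last two calls show the maxLength and NotFound outcomes a validating router would also produce.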
