On Mon, Feb 21, 2022 at 02:03:18PM -0600, Matthew Hardeman wrote:
> On Mon, Feb 21, 2022 at 11:51 AM Matthias van de Meent 
> <[email protected]> wrote:
> > There is RPKI, which uses a certificate/PKI-based approach to the question
> > of who is allowed to publish routes for certain prefixes. This makes
> > certain prefixes 'bgp-hijacking-proof' for some definition of 'proof': If
> > your ISP and all ISPs in between you and the client implement RPKI
> > correctly, then your route to the client is guaranteed to be authorized by
> > the owner of that prefix (excluding the possibility of key compromise).
>
> This assertion is inaccurate. RPKI ensures that the advertised prefix has
> the/an origin-as (first ASN in the AS path) as dictated by the RPKI ROA
> records. RPKI does literally nothing to ensure that the advertisement in
> question did actually occur at the behest of the stated origin. Only that
> the stated origin is one of those authorized for that prefix.

I'd like to offer some nuance to the above claim that Matthias'
assertion is inaccurate. :-)

RPKI is a multi-purpose infrastructure: through certificates and a
PKI-based approach entitlements to Internet Number Resources ("INRs" aka
IPs and ASNs) are securely delegated to the INR holders.

The RPKI can be used to publish various kinds of 'Signed Objects'. One
example is ROA records. ROA records bind prefixes to Origin ASNs in BGP
(as Matthew Hardeman mentioned)... however another example of records
published through the RPKI are BGPsec Router Keys - keys which can be
used to sign & validate entire BGP AS_PATHs (which is what Matthias
alluded to "If all ISPs implemented RPKI correctly").

A third example of an application using the RPKI are GBR records (RFC
6493) which are used to publish contact details for RPKI operators. More
applications built on top of the RPKI are in development in the IETF
SIDROPS working group.

> What RPKI prevents in this case is a prefix advertisement of merely "5555
> 174" from being accepted as valid for 12.0.0.0/12.  RPKI by itself will not
> stop an advertisement like "4444 5555 174" from going out, even if AS4444
> did nothing to facilitate or authorize 5555 making such an advertisement.

The use of the phrase "RPKI" in the above paragraph is imprecise; what
Matthew appears to refer to is known as RPKI-based BGP Origin Validation
(also known as "RPKI ROV", the most widely deployed and used RPKI
application).

Back to the core of this thread: I'm inclined to agree with Ryan's
observations in this message: 
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/lxiA7zcKLws/m/L38QVnztAQAJ

Kind regards,

Job
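
Added example, not part of the original message or of any RPKI validator: a minimal RFC 6811 origin-validation (RPKI ROV) check in Python, showing the distinction drawn in the thread, namely that ROV evaluates only the prefix and the origin AS and never the rest of the AS_PATH. The ROA set is constructed; AS4444 as the authorized origin follows the quoted example, the maxLength of 12 is an assumption, and paths use the thread's origin-first notation.

```python
import ipaddress

# Constructed set of Validated ROA Payloads: (prefix, maxLength, origin ASN).
# AS4444 as authorized origin for 12.0.0.0/12 follows the thread's example;
# maxLength 12 is an assumption made for this illustration.
VRPS = [(ipaddress.ip_network("12.0.0.0/12"), 12, 4444)]


def rov_state(prefix, as_path, vrps=VRPS):
    """Return the RFC 6811 validation state: 'valid', 'invalid' or 'not-found'.

    as_path uses the thread's notation, so the origin AS is the first element.
    Only that first element is consulted; the remaining hops are not checked.
    """
    route = ipaddress.ip_network(prefix)
    origin = as_path[0]
    covered = False
    for roa_prefix, max_len, asn in vrps:
        # A VRP covers the route if the route lies inside the VRP prefix.
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        # It matches if the route is not more specific than maxLength
        # and the origin AS equals the VRP's ASN.
        if route.prefixlen <= max_len and asn == origin:
            return "valid"
    # Covered but never matched is 'invalid'; no covering VRP is 'not-found'.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    samples = [
        ("12.0.0.0/12", [5555, 174]),        # unauthorized origin
        ("12.0.0.0/12", [4444, 174]),        # path with the authorized origin
        ("12.0.0.0/12", [4444, 5555, 174]),  # authorized origin stated, extra hop
        ("12.1.0.0/16", [4444, 174]),        # more specific than maxLength
        ("192.0.2.0/24", [5555, 174]),       # no covering ROA
    ]
    for prefix, path in samples:
        print(f"{prefix:15} {path!s:20} -> {rov_state(prefix, path)}")
```

The second and third sample routes receive the same state, which is why path-level assurance needs something beyond ROV, such as the BGPsec Router Keys mentioned above.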
