I concur in full with the clarifications that Job made. I was, indeed, referring to RPKI ROV, which to my knowledge is the only application built upon RPKI with substantial in-the-field uptake at this time.

On Mon, Feb 21, 2022 at 3:04 PM Job Snijders <[email protected]> wrote:

> On Mon, Feb 21, 2022 at 02:03:18PM -0600, Matthew Hardeman wrote:
> > On Mon, Feb 21, 2022 at 11:51 AM Matthias van de Meent <[email protected]> wrote:
> > > There is RPKI, which uses a certificate/PKI-based approach to the question
> > > of who is allowed to publish routes for certain prefixes. This makes
> > > certain prefixes 'bgp-hijacking-proof' for some definition of 'proof': If
> > > your ISP and all ISPs in between you and the client implement RPKI
> > > correctly, then your route to the client is guaranteed to be authorized by
> > > the owner of that prefix (excluding the possibility of key compromise).
> >
> > This assertion is inaccurate. RPKI ensures that the advertised prefix has
> > the/an origin-as (first ASN in the AS path) as dictated by the RPKI ROA
> > records. RPKI does literally nothing to ensure that the advertisement in
> > question did actually occur at the behest of the stated origin. Only that
> > the stated origin is one of those authorized for that prefix.
>
> I'd like to offer some nuance to the above claim that Matthias'
> assertion is inaccurate. :-)
>
> RPKI is a multi-purpose infrastructure: through certificates and a
> PKI-based approach entitlements to Internet Number Resources ("INRs" aka
> IPs and ASNs) are securely delegated to the INR holders.
>
> The RPKI can be used to publish various kinds of 'Signed Objects'. One
> example is ROA records. ROA records bind prefixes to Origin ASNs in BGP
> (as Matthew Hardeman mentioned)... however another example of records
> published through the RPKI are BGPsec Router Keys - keys which can be
> used to sign & validate entire BGP AS_PATHs (which is what Matthias
> alluded to "If all ISPs implemented RPKI correctly").
>
> A third example of an application using the RPKI are GBR records (RFC
> 6493) which are used to publish contact details for RPKI operators. More
> applications built on top of the RPKI are in development in the IETF
> SIDROPS working group.
>
> > What RPKI prevents in this case is a prefix advertisement of merely "5555
> > 174" from being accepted as valid for 12.0.0.0/12. RPKI by itself will not
> > stop an advertisement like "4444 5555 174" from going out, even if AS4444
> > did nothing to facilitate or authorize 5555 making such an advertisement.
>
> The use of the phrase "RPKI" in the above paragraph is imprecise, what
> Matthew appears to refer to is known as RPKI-based BGP Origin Validation
> (also known as "RPKI ROV", the most widely deployed and used RPKI
> application).
>
> Back to the core of this thread: I'm inclined to agree with Ryan's
> observations in this message:
> https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/lxiA7zcKLws/m/L38QVnztAQAJ
>
> Kind regards,
>
> Job
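
The origin check discussed in this thread, as an added example that is not part of the original messages: a minimal RFC 6811 route origin validation in Python. The ROA data (AS4444 as the sole authorized origin for 12.0.0.0/12, maxLength 12) and the function names are assumptions built from the thread's scenario, and paths are written origin-first as in the thread.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin ASN).
# Assumption taken from the thread's scenario: AS4444 is the only
# authorized origin for 12.0.0.0/12.
VRPS = [("12.0.0.0/12", 12, 4444)]


def rov_state(prefix, origin_asn, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route if the route lies inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin ASN and a prefix length within
        # maxLength. AS0 VRPs never match any route.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


def validate_announcement(prefix, path):
    """Apply ROV to an announcement; only the origin ASN is inspected.

    Paths follow the thread's notation, origin first ("4444 5555 174").
    On the wire and in most router output the origin is the last ASN.
    """
    origin = int(path.split()[0])
    return rov_state(prefix, origin)


def thread_scenarios():
    """Return the ROV state for the announcements discussed in the thread."""
    return {
        "5555 174": validate_announcement("12.0.0.0/12", "5555 174"),
        "4444 5555 174": validate_announcement("12.0.0.0/12", "4444 5555 174"),
        "4444 174": validate_announcement("12.0.0.0/12", "4444 174"),
    }


if __name__ == "__main__":
    for path, state in thread_scenarios().items():
        print(f"12.0.0.0/12 via [{path}]: {state}")
```

The path "4444 5555 174" comes back `valid` because ROV never looks past the origin ASN; checking the rest of the path is the job of the BGPsec Router Keys that Job mentions.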
