Baldur Norddahl wrote 2020-04-21 02:49:

My company is in Europe. Let's say an attacker joins the IX in Seattle
a long way from here and a place we definitely are not present at. We
do however use Hurricane Electric as transit and they are peering
freely at Seattle. Everyone there thus sees our prefix with an as path
length of two. The attacker can originate the prefixes himself and
that way his fake announcements win at Seattle by having the length 1.
With RPKI he needs to use our ASN to originate and have his own ASN in
between to facilitate peering. Thus the fake path also has the length
of two. The real announcement wins by virtue of being the oldest
announcement and the attack fails.

The situation is even worse for the attacker if he needs an IP transit
company to pick up the fake announcement. We have Telia, which filters
invalids, and if the attacker tries to get his fake prefix picked up
by them, his path will end up being one longer than ours, so he can
never succeed.

There are of course plenty of situations where the attack still
succeeds. I am not claiming this is a magical bullet. Just saying it
might do more than some think it will. Definitely better than
nothing.


I think that for peering sessions regular filters can do their job more directly and effectively. But I see that the discussion moved away from the initial topic to a general dispute about RPKI usefulness. The initial topic, though, was about a public web page that claims your network is secure or insecure based on evaluation of only one technology checking one particular specially crafted prefix.

Kind regards,
Andrey
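The path-length argument in the quoted message above, worked through as an added example (not code from the thread): a toy BGP decision process that optionally drops RPKI-invalid routes, then prefers the shortest AS path and breaks ties by the oldest announcement. All ASNs, the prefix and the ROA are constructed placeholders standing in for the company, HE, Telia and the attacker.

```python
from dataclasses import dataclass

# Constructed example values (not from the thread): private-range ASNs stand in
# for the company, its two transit providers and the attacker.
AS_COMPANY, AS_HE, AS_TELIA, AS_ATTACKER = 64500, 64501, 64502, 64666
PREFIX = "192.0.2.0/24"
ROAS = {PREFIX: AS_COMPANY}   # ROA: only AS_COMPANY may originate PREFIX


@dataclass(frozen=True)
class Route:
    as_path: tuple    # leftmost = neighbour it was learned from, rightmost = origin
    received_at: int  # arrival order; lower means older announcement


def rov_state(prefix, route):
    """Route Origin Validation of one route against the ROA table."""
    if prefix not in ROAS:
        return "not-found"
    return "valid" if route.as_path[-1] == ROAS[prefix] else "invalid"


def best_path(prefix, routes, drop_invalid):
    """Simplified BGP decision: drop RPKI-invalids (if enabled), then the
    shortest AS path wins, and the oldest announcement wins a tie."""
    cands = [r for r in routes if not (drop_invalid and rov_state(prefix, r) == "invalid")]
    return min(cands, key=lambda r: (len(r.as_path), r.received_at), default=None)


# The legitimate route as seen by a peer at the IX: HE -> company, length 2.
LEGIT = Route((AS_HE, AS_COMPANY), received_at=0)


def no_rov_plain_hijack():
    """No RPKI filtering: the attacker originates the prefix itself, and the
    length-1 path beats the legitimate length-2 path."""
    fake = Route((AS_ATTACKER,), received_at=1)
    return best_path(PREFIX, [LEGIT, fake], drop_invalid=False)


def rov_forged_origin_at_ix():
    """With ROV the fake route must keep the real origin AS, so it becomes
    attacker -> company (length 2): a tie, and the older legitimate route wins."""
    fake = Route((AS_ATTACKER, AS_COMPANY), received_at=1)
    return best_path(PREFIX, [LEGIT, fake], drop_invalid=True)


def rov_forged_origin_via_transit():
    """The same forged-origin route picked up by a filtering transit provider
    is one hop longer (length 3) and loses outright."""
    fake = Route((AS_TELIA, AS_ATTACKER, AS_COMPANY), received_at=1)
    return best_path(PREFIX, [LEGIT, fake], drop_invalid=True)
```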
