
On 11/10/2023 03:52, Delong.com wrote:
> [...]
> > RPKI only asserts that a specific ASN must originate a prefix.  It does nothing
> > to validate the authenticity of the origination.
>
> Nope… It ALSO asserts (or can assert) an attribute of “Maximum allowed prefix
> length”.
>
> E.g. if I have a ROA for AS65500 to originate 2001:db8::/32 with a “Maximum
> Length” attribute of /36, then any advertisement (even originated by 65500)
> that is longer than /36 should be considered invalid.
>
> > If I am AS XX, and want to hijack a prefix from AS YY that has RPKI ROAs
> > protecting it, and AS YY has allowed more specifics to be announced within the
> > prefix range covered by the ROA, I'm in like Flynn, because I just need to
> > configure my router with AS YY as the origin AS, then insert the expected ASN
> > for the neighbor adjacency with my upstreams, and Bob's your uncle, the more
> > specific prefix passes RPKI validation, and traffic comes flying my way.
>
> Yes, IF YY has allowed longer prefixes. If YY doesn’t allow longer prefixes
> and/or doesn’t supply AS0 ROAs for more specifics that should not be announced,
> then YY has indeed aimed a firearm squarely at their lower distal appendage and
> fired.
>
> However, IF YY is paying attention, and YY wants to advertise 2001:db8::/32 as
> well as allow 2001:db8:8000::/36 and 2001:db8:f000::/36, I would expect AS YY
> would generate ROAs for
>         2001:db8::/32 with ORIGIN-AS=YY MAXPREFIXLEN=36
>         2001:db8:0::/33 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>         2001:db8:8000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36
>         2001:db8:9000::/35 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>         2001:db8:a000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>         2001:db8:c000::/34 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>         2001:db8:e000::/36 with ORIGIN-AS=0 (no MAXPREFIXLEN needed)
>         2001:db8:f000::/36 with ORIGIN-AS=YY MAXPREFIXLEN=36

As Dale suggested in another email[1], it's better to just cover ROAs for what you are advertising. Why?

1. I can't confirm at this stage that all the implementations allow you to leave the maxLength field empty.

2. If you want to follow that logic, what you are trying to accomplish with AS0 is basically the *complement* of what you are not advertising. I believe that will be much more work and you might miss a lot of specifics. E.g., under your 2001:db8::/32, do not forget you have 16x /36, 2x /33, 4x /34, ... You will have to insert a statement for every single one of them.

1. https://mailman.nanog.org/pipermail/nanog/2023-October/223676.html

--
Willy Manga
@ongolaboy
https://ongola.blogspot.com/

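The validation rules the thread argues about, worked through in code. This is an added example by the editor, not code from the thread or from any RPKI validator; AS65500 stands in for "AS YY" (the prefix holder), AS65501 for the hijacker "AS XX", and every ROA set and announcement is constructed for illustration. It implements route origin validation as RFC 6811 specifies it (a route is Valid as soon as any covering ROA has the right origin AS and permits the length; an AS0 ROA can never match a real origin, so it only turns NotFound into Invalid), then compares the three ROA strategies discussed: a single /32 ROA with maxLength 36, that ROA plus AS0 ROAs for the complement, and exact-length ROAs for only what is announced. It also computes the boundary-aligned complement of the /32 minus the two announced /36s, which can be compared with the hand-written AS0 list in the quoted message (some of those prefixes, e.g. 2001:db8:9000::/35, do not sit on their own prefix-length boundary).

```python
"""Route origin validation (RFC 6811) on the thread's 2001:db8::/32 example.

Added example by the editor, not code from the thread.  Assumptions:
AS65500 stands for "AS YY" (the legitimate holder), AS65501 for the
hijacker "AS XX"; all ROA sets and announcements are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ROA:
    prefix: str
    asn: int                          # 0 means "nobody may originate this"
    max_length: Optional[int] = None  # None: only the exact prefix length

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def maxlen(self) -> int:
        return self.net.prefixlen if self.max_length is None else self.max_length


def validate(route_prefix: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 origin validation: 'Valid', 'Invalid' or 'NotFound'.

    Only the origin AS (last AS in AS_PATH) is examined; ROV has no notion
    of who injected the route, which is why a forged origin passes whenever
    a covering ROA permits the prefix length.  A route is Valid as soon as
    one covering ROA has asn == origin and route length <= maxLength.  An
    AS0 ROA never matches a real origin, so it only turns NotFound into
    Invalid; it does not override another ROA that matches.
    """
    route = ipaddress.ip_network(route_prefix)
    covering = [r for r in roas if route.subnet_of(r.net)]
    if not covering:
        return "NotFound"
    if any(r.asn == origin_as and route.prefixlen <= r.maxlen for r in covering):
        return "Valid"
    return "Invalid"


def as0_complement(covering_prefix: str, advertised: Iterable[str]) -> List[str]:
    """Aligned prefixes covering `covering_prefix` minus `advertised`:
    the space for which AS0 ROAs would have to be written."""
    remaining = [ipaddress.ip_network(covering_prefix)]
    for adv in (ipaddress.ip_network(a) for a in advertised):
        kept = []
        for chunk in remaining:
            if chunk.subnet_of(adv):
                continue                                  # entirely announced
            if adv.subnet_of(chunk):
                kept.extend(chunk.address_exclude(adv))   # carve adv out
            else:
                kept.append(chunk)
        remaining = kept
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


# --- the three ROA strategies from the thread (constructed) ---------------
YY, XX = 65500, 65501
ADVERTISED = ["2001:db8:8000::/36", "2001:db8:f000::/36"]

# 1. one ROA with maxLength 36: YY "has allowed more specifics"
LOOSE = [ROA("2001:db8::/32", YY, 36)]
# 2. the same ROA plus AS0 ROAs for everything YY does not announce
WITH_AS0 = LOOSE + [ROA(p, 0) for p in as0_complement("2001:db8::/32", ADVERTISED)]
# 3. "cover only what you advertise": exact-length ROAs, no maxLength
TIGHT = [ROA("2001:db8::/32", YY)] + [ROA(p, YY) for p in ADVERTISED]


def hijack_outcome(roas: Iterable[ROA]) -> str:
    """XX announces an unused /36 out of YY's /32 with YY forged as origin."""
    return validate("2001:db8:1000::/36", YY, roas)


def main() -> None:
    print("complement of /32:", as0_complement("2001:db8::/32", ADVERTISED))
    for name, roas in (("loose", LOOSE), ("with AS0", WITH_AS0), ("tight", TIGHT)):
        print(f"{name:9s} forged-origin /36 hijack -> {hijack_outcome(roas)}")
    print("tight, YY's own /36   ->", validate("2001:db8:8000::/36", YY, TIGHT))
    print("tight, XX as origin   ->", validate("2001:db8:8000::/36", XX, TIGHT))
    print("loose, /37 from YY    ->", validate("2001:db8:8000::/37", YY, LOOSE))
    print("unrelated prefix      ->", validate("2001:db9::/32", XX, TIGHT))


if __name__ == "__main__":
    main()
```

The run shows why the "just cover what you advertise" advice holds: with the loose /32-maxLength-36 ROA the forged-origin /36 validates, and adding AS0 ROAs for the rest of the /32 does not change that, because the /32 ROA still matches any /36 with YY as origin. Only the exact-length ROA set makes the unannounced /36 Invalid, and it still marks YY's own /36s Valid and an XX-originated /36 Invalid. The complement computation is also what to reach for instead of listing AS0 prefixes by hand.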