Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-03 Thread Randy Bush
for the 312th time.  origin validation was never designed to stop
attacks.  it was designed to ameliorate mistakes.

if you want to use the rpki to reduce attacks, use bgpsec.

randy


RE: Understanding impact of RPKI and ROA on existing advertisements

2022-11-03 Thread Jakob Heitz (jheitz) via NANOG
There are a lot of ROAs out there that make it EASIER to hijack
a route rather than harder.

If you register an ROA for a route and also advertise that route
in BGP, then an attacker who prepends your ASN has to at least
compete with your route with an AS_PATH length and will lose
in most of the Internet (but not all of it).

However, if you don't advertise the route, then the attacker has nothing
to compete with and his prepended route will be accepted as RPKI valid
everywhere.

Remember max_length in a ROA. All routes covered by that max_length
will be considered valid by RPKI if the origin ASN matches.
If you don't advertise them all, then you are just making it
EASIER for an attacker to hijack them.

For example if you have an ROA for 10.1.0.0/16, max_length 17,
that includes the routes:
10.1.0.0/16
10.1.0.0/17
10.1.128.0/17

If you don't advertise all those routes in BGP, they are open
to being hijacked and considered RPKI valid.

OTOH, if you register the ROA as 10.1.0.0/16 max_length 16,
then anyone who tries to advertise 10.1.0.0/17 will have
their advertisement rejected as RPKI invalid.

I'm aware that people create ROAs for more specifics in case
they need to advertise them to break a hijack.
But then the hijacker could just advertise the longest prefix
allowed by the ROA. You can't break that with a yet more specific.
Unless the user of the route is not validating with RPKI.

It's a conundrum.

Regards,
Jakob.



Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-02 Thread jim deleskie
I don't think I've ever agreed with Owen this much; maybe this is the first
sign the world is ending, further proving his statement :)

On Wed, Nov 2, 2022 at 10:30 PM Owen DeLong via NANOG 
wrote:

> Oh, I’m not ignoring it, I’m just rather underwhelmed by it and given how
> long it took SIDRWG to get RPKI this far,
> not optimistic about any of the rest of the system getting deployed prior
> to IPv6 ubiquity or the end of my time on
> this planet, or even before we manage to destroy the planet, whichever
> comes first.
>
> Owen
>
>
> > On Nov 2, 2022, at 08:30, heasley  wrote:
> >
> > Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
> >> RPKI/ROA is a way to cryptographically prove what someone needs to
> prepend if they want to hijack your addresses.
> >
> > Operators should not be deterred by that comment.  Owen seems to be
> ignoring
> > what it does achieve and that this is part of a larger system that is
> still
> > emerging.  See IETF sidrops wg.  In the interim, do your part to improve
> > DFZ hygiene.
> >
> >> Owen
> >>
> >>
> >>> On Oct 28, 2022, at 08:00, Samuel Jackson 
> wrote:
> >>>
> >>> Hello,
> >>> I am new to RPKI/ROA and still learning about RPKI. From all my
> reading on ARIN's documents I am not able to answer some of my questions.
> >>> We have a public ARIN block and advertise smaller subnets from that to
> our ISP's. We do not have any RPKI configs.
> >>> We need to setup ROA's to take another subnet from the ARIN block to
> AWS. Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI
> service after which I can configure ROA's for the networks I am taking to
> AWS.
> >>>
> >>> My question is, will this impact my existing advertisements to my
> ISP's. The current advertisements do not have ROA's.
> >>> Will having RPKI for my ARIN network, without ROA's for the existing
> advertisements impact me?
> >>>
> >>> Thanks for your help.
> >>>
> >>> Ref:
> >>> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
> >>> https://www.arin.net/resources/manage/rpki/roa_request/
> >>> https://www.arin.net/resources/manage/rpki/hosted/
> >>
>
>


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-02 Thread Owen DeLong via NANOG
Oh, I’m not ignoring it, I’m just rather underwhelmed by it and given how long 
it took SIDRWG to get RPKI this far,
not optimistic about any of the rest of the system getting deployed prior to 
IPv6 ubiquity or the end of my time on
this planet, or even before we manage to destroy the planet, whichever comes 
first.

Owen


> On Nov 2, 2022, at 08:30, heasley  wrote:
> 
> Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
>> RPKI/ROA is a way to cryptographically prove what someone needs to prepend 
>> if they want to hijack your addresses.
> 
> Operators should not be deterred by that comment.  Owen seems to be ignoring
> what it does achieve and that this is part of a larger system that is still
> emerging.  See IETF sidrops wg.  In the interim, do your part to improve
> DFZ hygiene.
> 
>> Owen
>> 
>> 
>>> On Oct 28, 2022, at 08:00, Samuel Jackson  wrote:
>>> 
>>> Hello,
>>> I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
>>> ARIN's documents I am not able to answer some of my questions.
>>> We have a public ARIN block and advertise smaller subnets from that to our 
>>> ISP's. We do not have any RPKI configs. 
>>> We need to setup ROA's to take another subnet from the ARIN block to AWS. 
>>> Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI 
>>> service after which I can configure ROA's for the networks I am taking to 
>>> AWS.
>>> 
>>> My question is, will this impact my existing advertisements to my ISP's. 
>>> The current advertisements do not have ROA's.
>>> Will having RPKI for my ARIN network, without ROA's for the existing 
>>> advertisements impact me?
>>> 
>>> Thanks for your help.
>>> 
>>> Ref:
>>> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html 
>>> https://www.arin.net/resources/manage/rpki/roa_request/ 
>>> https://www.arin.net/resources/manage/rpki/hosted/
>> 



Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-02 Thread heasley
Tue, Nov 01, 2022 at 06:24:50PM -0700, Owen DeLong via NANOG:
> RPKI/ROA is a way to cryptographically prove what someone needs to prepend if 
> they want to hijack your addresses.

Operators should not be deterred by that comment.  Owen seems to be ignoring
what it does achieve and that this is part of a larger system that is still
emerging.  See IETF sidrops wg.  In the interim, do your part to improve
DFZ hygiene.

> Owen
> 
> 
> > On Oct 28, 2022, at 08:00, Samuel Jackson  wrote:
> > 
> > Hello,
> > I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
> > ARIN's documents I am not able to answer some of my questions.
> > We have a public ARIN block and advertise smaller subnets from that to our 
> > ISP's. We do not have any RPKI configs. 
> > We need to setup ROA's to take another subnet from the ARIN block to AWS. 
> > Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI 
> > service after which I can configure ROA's for the networks I am taking to 
> > AWS.
> > 
> > My question is, will this impact my existing advertisements to my ISP's. 
> > The current advertisements do not have ROA's.
> > Will having RPKI for my ARIN network, without ROA's for the existing 
> > advertisements impact me?
> > 
> > Thanks for your help.
> > 
> > Ref:
> > https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html 
> > https://www.arin.net/resources/manage/rpki/roa_request/ 
> > https://www.arin.net/resources/manage/rpki/hosted/
> 


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-02 Thread Josh Luthman
It's very important to specify the /24 inside the /23, for example, so, as you
said, "for all our subnets being advertised".

On Tue, Nov 1, 2022 at 5:01 PM Randy Bush  wrote:

> > Thanks everyone for your inputs. So bottomline setup RPKI and setup ROA's
> > for all our subnets being advertised.
>
> if the BGP advertisements are correct, then mirror them in ROAs.  most,
> if not all, CA UIs make that easy.
>
> randy
>


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Owen DeLong via NANOG
RPKI/ROA is a way to cryptographically prove what someone needs to prepend if 
they want to hijack your addresses.

Owen


> On Oct 28, 2022, at 08:00, Samuel Jackson  wrote:
> 
> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
> ARIN's documents I am not able to answer some of my questions.
> We have a public ARIN block and advertise smaller subnets from that to our 
> ISP's. We do not have any RPKI configs. 
> We need to setup ROA's to take another subnet from the ARIN block to AWS. 
> Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI 
> service after which I can configure ROA's for the networks I am taking to AWS.
> 
> My question is, will this impact my existing advertisements to my ISP's. The 
> current advertisements do not have ROA's.
> Will having RPKI for my ARIN network, without ROA's for the existing 
> advertisements impact me?
> 
> Thanks for your help.
> 
> Ref:
> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html 
> https://www.arin.net/resources/manage/rpki/roa_request/ 
> https://www.arin.net/resources/manage/rpki/hosted/



Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Randy Bush
> Thanks everyone for your inputs. So bottomline setup RPKI and setup ROA's
> for all our subnets being advertised.

if the BGP advertisements are correct, then mirror them in ROAs.  most,
if not all, CA UIs make that easy.

randy


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Samuel Jackson
Thanks everyone for your inputs. So bottomline setup RPKI and setup ROA's
for all our subnets being advertised.
Much of this is legacy and has too many unknowns; being handed down
networks without documentation also does not help.

Thanks,
Sam


On Tue, Nov 1, 2022 at 9:07 AM heasley  wrote:

> Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> > One danger with RPKI, is shooting yourself (or customers) in the foot by
> > creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You
> have
> > a multihomed customer to whom you've assigned a /24 from your /20.  You
> > create a ROA for the /20 saying your ASN is authorized to originate your
> > /20.  Now that customer /24 has become an RPKI-invalid, and the customer
> > may find that their other provider is filtering their /24 advertisement.
>
> ie: you must also create roa(s) for your bgp customer's more specific(s) of
> your aggregate.
>


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread heasley
Tue, Nov 01, 2022 at 12:01:46PM -0400, Jon Lewis:
> One danger with RPKI, is shooting yourself (or customers) in the foot by 
> creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have 
> a multihomed customer to whom you've assigned a /24 from your /20.  You 
> create a ROA for the /20 saying your ASN is authorized to originate your 
> /20.  Now that customer /24 has become an RPKI-invalid, and the customer 
> may find that their other provider is filtering their /24 advertisement.

ie: you must also create roa(s) for your bgp customer's more specific(s) of
your aggregate.


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Jon Lewis
In general, you want to create suitable ROAs for the most specific routes 
that will be advertised first.


Suppose you have a /20 from ARIN.  You plan to take a /24 from that /20 to 
AWS.  From what you've said, all you need is a ROA for the /24 you're 
taking to AWS, saying it can be originated by whatever ASN will be 
originating it at AWS.


One danger with RPKI, is shooting yourself (or customers) in the foot by 
creating too general a ROA.  i.e. Suppose you have an ARIN /20.  You have 
a multihomed customer to whom you've assigned a /24 from your /20.  You 
create a ROA for the /20 saying your ASN is authorized to originate your 
/20.  Now that customer /24 has become an RPKI-invalid, and the customer 
may find that their other provider is filtering their /24 advertisement.


On Tue, 1 Nov 2022, Alex Band wrote:


Creating ROAs for *all* the announcements that are done with your prefixes, 
both on your own AS and the ones announced by AWS, is probably the best way 
forward from both a routing security and ease-of-management perspective.

-Alex


On 28 Oct 2022, at 17:00, Samuel Jackson  wrote:

Hello,
I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
ARIN's documents I am not able to answer some of my questions.
We have a public ARIN block and advertise smaller subnets from that to our 
ISP's. We do not have any RPKI configs.
We need to setup ROA's to take another subnet from the ARIN block to AWS. 
Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI service 
after which I can configure ROA's for the networks I am taking to AWS.

My question is, will this impact my existing advertisements to my ISP's. The 
current advertisements do not have ROA's.
Will having RPKI for my ARIN network, without ROA's for the existing 
advertisements impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/





--
 Jon Lewis, MCP :)   |  I route
 StackPath, Sr. Neteng   |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

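The two failure modes in this thread, Jakob Heitz's 10.1.0.0/16 maxLength 17 ROA above and Jon Lewis's /20 ROA that silently invalidates a customer's /24 in this message, are both just outcomes of the RFC 6811 origin-validation algorithm. The following is an added example, not code from the thread or from any RPKI validator: a minimal validator that returns valid / invalid / not-found for a (prefix, origin AS) pair, plus a helper that lists the prefixes a ROA makes valid for its ASN but that nobody actually announces. The ASNs (64496, 64497, from the documentation range) and the /20 and /24 prefixes (10.2.0.0/20, 10.2.5.0/24) are assumptions chosen to mirror the posts; the 10.1.0.0/16 case is taken as written.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set.

Added example; not code from the thread. ASNs come from the documentation
range (RFC 5398) and prefixes are private space chosen to match the posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ROA:
    prefix: Net
    max_length: int
    asn: int


def roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Build a ROA, enforcing prefixlen <= maxLength <= address size."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must be between the prefix length and the address size")
    return ROA(net, max_length, asn)


def validate(route: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a (prefix, origin AS) pair.

    A ROA covers the route when the route equals or is more specific than the
    ROA prefix. The route is valid if any covering ROA lists the origin ASN and
    its maxLength is at least the route's prefix length; invalid if ROAs cover
    it but none match (this is why a /20 ROA alone breaks a customer's /24);
    not-found if no ROA covers it at all (the state of un-ROA'd prefixes).
    Only the origin AS is checked: the rest of the AS_PATH is never looked at,
    so a forged origin ASN on a prefix within maxLength still comes out valid.
    """
    r = ipaddress.ip_network(route, strict=True)
    covering = [x for x in roas if x.prefix.version == r.version and r.subnet_of(x.prefix)]
    if not covering:
        return "not-found"
    if any(x.asn == origin_asn and r.prefixlen <= x.max_length for x in covering):
        return "valid"
    return "invalid"


def unannounced_but_valid(r: ROA, announced: Iterable[str], limit: int = 4096) -> List[str]:
    """Prefixes the ROA makes RPKI-valid for its ASN that are not announced.

    These are the routes Jakob describes: anyone originating them with the
    ROA's ASN is 'valid' and has nothing to compete against. `limit` caps the
    enumeration because a wide prefix/maxLength gap grows exponentially.
    """
    announced_nets = {ipaddress.ip_network(a, strict=True) for a in announced}
    out: List[str] = []
    for length in range(r.prefix.prefixlen, r.max_length + 1):
        for sub in r.prefix.subnets(new_prefix=length):
            if sub not in announced_nets:
                out.append(str(sub))
            if len(out) >= limit:
                return out
    return out


if __name__ == "__main__":
    victim, customer = 64496, 64497          # assumed ASNs
    loose = [roa("10.1.0.0/16", 17, victim)]  # Jakob's example
    tight = [roa("10.1.0.0/16", 16, victim)]
    print("forged-origin /17 under maxLength 17:", validate("10.1.0.0/17", victim, loose))
    print("forged-origin /17 under maxLength 16:", validate("10.1.0.0/17", victim, tight))
    print("exposed, unannounced prefixes:", unannounced_but_valid(loose[0], ["10.1.0.0/16"]))
    provider_only = [roa("10.2.0.0/20", 20, victim)]  # Jon Lewis's example
    print("customer /24 with only the /20 ROA:", validate("10.2.5.0/24", customer, provider_only))
    print("customer /24 with its own ROA:",
          validate("10.2.5.0/24", customer, provider_only + [roa("10.2.5.0/24", 24, customer)]))
```

Running it shows the two points of the thread side by side: with maxLength 17 and only the /16 announced, both /17s are "valid" for the victim's ASN yet unannounced, so an attacker who forges that origin wins outright; with maxLength 16 the /17 is "invalid". In the /20 case the customer's /24 flips from "invalid" to "valid" only once a ROA naming the customer's ASN exists, which is the "mirror what you actually announce" advice given elsewhere in this thread. An AS0 ROA falls out of the same logic: no real origin is AS 0, so every covered route becomes "invalid".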

Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Douglas Fischer
If a route can exist in a FIB, a ROA can exist for it.

So there is no reason not to create the ROAs.

Em ter., 1 de nov. de 2022 às 11:12, Samuel Jackson 
escreveu:

> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on
> ARIN's documents I am not able to answer some of my questions.
> We have a public ARIN block and advertise smaller subnets from that to our
> ISP's. We do not have any RPKI configs.
> We need to setup ROA's to take another subnet from the ARIN block to AWS.
> Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI
> service after which I can configure ROA's for the networks I am taking to
> AWS.
>
> My question is, will this impact my existing advertisements to my ISP's.
> The current advertisements do not have ROA's.
> Will having RPKI for my ARIN network, without ROA's for the existing
> advertisements impact me?
>
> Thanks for your help.
>
> Ref:
> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
> https://www.arin.net/resources/manage/rpki/roa_request/
> https://www.arin.net/resources/manage/rpki/hosted/
>


-- 
Douglas Fernando Fischer
Engº de Controle e Automação


Re: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Alex Band
Creating ROAs for *all* the announcements that are done with your prefixes, 
both on your own AS and the ones announced by AWS, is probably the best way 
forward from both a routing security and ease-of-management perspective.

-Alex

> On 28 Oct 2022, at 17:00, Samuel Jackson  wrote:
> 
> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
> ARIN's documents I am not able to answer some of my questions.
> We have a public ARIN block and advertise smaller subnets from that to our 
> ISP's. We do not have any RPKI configs. 
> We need to setup ROA's to take another subnet from the ARIN block to AWS. 
> Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI 
> service after which I can configure ROA's for the networks I am taking to AWS.
> 
> My question is, will this impact my existing advertisements to my ISP's. The 
> current advertisements do not have ROA's.
> Will having RPKI for my ARIN network, without ROA's for the existing 
> advertisements impact me?
> 
> Thanks for your help.
> 
> Ref:
> https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html 
> https://www.arin.net/resources/manage/rpki/roa_request/ 
> https://www.arin.net/resources/manage/rpki/hosted/



RE: Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Kevin Burke
You may want to set this up yourself anyways.  In the effort of making things 
work, your upstream ISP may have had to setup these records on your behalf.  If 
not now, they may in the future.  Having duplicate entries can cause unexpected 
results.

Kevin Burke
802-540-0979
Burlington Telecom
200 Church St, Burlington, VT

From: NANOG  On Behalf Of 
Samuel Jackson
Sent: Friday, October 28, 2022 11:00 AM
To: nanog@nanog.org
Subject: Understanding impact of RPKI and ROA on existing advertisements

Hello,
I am new to RPKI/ROA and still learning about RPKI. From all my reading on 
ARIN's documents I am not able to answer some of my questions.
We have a public ARIN block and advertise smaller subnets from that to our 
ISP's. We do not have any RPKI configs.
We need to setup ROA's to take another subnet from the ARIN block to AWS. 
Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI service 
after which I can configure ROA's for the networks I am taking to AWS.

My question is, will this impact my existing advertisements to my ISP's. The 
current advertisements do not have ROA's.
Will having RPKI for my ARIN network, without ROA's for the existing 
advertisements impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/


Understanding impact of RPKI and ROA on existing advertisements

2022-11-01 Thread Samuel Jackson
Hello,
I am new to RPKI/ROA and still learning about RPKI. From all my reading on
ARIN's documents I am not able to answer some of my questions.
We have a public ARIN block and advertise smaller subnets from that to our
ISP's. We do not have any RPKI configs.
We need to setup ROA's to take another subnet from the ARIN block to AWS.
Reading ARIN's docs, it seems I need to get setup on their Hosted RPKI
service after which I can configure ROA's for the networks I am taking to
AWS.

My question is, will this impact my existing advertisements to my ISP's.
The current advertisements do not have ROA's.
Will having RPKI for my ARIN network, without ROA's for the existing
advertisements impact me?

Thanks for your help.

Ref:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
https://www.arin.net/resources/manage/rpki/roa_request/
https://www.arin.net/resources/manage/rpki/hosted/