Re: [routing-wg] RPKI vulnerable?
Haya Shulman wrote on Linkedin:

> The closely relevant developers are those of the different relying party
> implementations.

Looks like there's a good chance the disclosure process will be even more
messed up than the last one.

Lukas

--
To unsubscribe from this mailing list, get a password reminder, or change
your subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/routing-wg
Re: [routing-wg] RPKI vulnerable?
> I'd certainly hope that it isn't that you can just spoof the valid origin
> AS...
>
> I recently had someone come to me with this *shocking* discovery and ask
> about how to disclose it. This was the same person who alerted me to the
> also *shocking* discovery that longest-match wins, and so just twiddling
> local-pref doesn't save you.

the next one will be the shocking discovery that route origin validation
is not meant to deter malicious attack. and rov will not fix world hunger
either. folk need to get a grip.

randy
[routing-wg] Weekly Global IPv4 Routing Table Report
This is an automated weekly mailing describing the state of the Global IPv4
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG, TZNOG,
MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see https://thyme.apnic.net.

If you have any comments please contact Philip Smith.

IPv4 Routing Table Report   04:00 +10GMT Sat 19 Feb, 2022

BGP Table (Global) as seen in Japan.

Report Website:     https://thyme.apnic.net
Detailed Analysis:  https://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              888099
Prefixes after maximum aggregation (per Origin AS):              335036
Deaggregation factor:                                              2.65
Unique aggregates announced (without unneeded subnets):          427841
Total ASes present in the Internet Routing Table:                 72856
Prefixes per ASN:                                                 12.19
Origin-only ASes present in the Internet Routing Table:           62489
Origin ASes announcing only one prefix:                           25791
Transit ASes present in the Internet Routing Table:               10367
Transit-only ASes present in the Internet Routing Table:            378
Average AS path length visible in the Internet Routing Table:       4.3
Max AS path length visible:                                          53
Max AS path prepend of ASN (265020)                                  50
Prefixes from unregistered ASNs in the Routing Table:               945
Number of instances of unregistered ASNs:                           949
Number of 32-bit ASNs allocated by the RIRs:                      38594
Number of 32-bit ASNs visible in the Routing Table:               32152
Prefixes from 32-bit ASNs in the Routing Table:                  150010
Number of bogon 32-bit ASNs visible in the Routing Table:            24
Special use prefixes present in the Routing Table:                    1
Prefixes being announced from unallocated address space:            523
Number of addresses announced to Internet:                   3068725632
Equivalent to 182 /8s, 233 /16s and 9 /24s
Percentage of available address space announced:                   82.9
Percentage of allocated address space announced:                   82.9
Percentage of available address space allocated:                  100.0
Percentage of address space in use by end-sites:                   99.5
Total number of prefixes smaller than registry allocations:      300697

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                   232657
Total APNIC prefixes after maximum aggregation:                   65852
APNIC Deaggregation factor:                                        3.53
Prefixes being announced from the APNIC address blocks:          227464
Unique aggregates announced from the APNIC address blocks:        94149
APNIC Region origin ASes present in the Internet Routing Table:   12389
APNIC Prefixes per ASN:                                           18.36
APNIC Region origin ASes announcing only one prefix:               3556
APNIC Region transit ASes present in the Internet Routing Table:   1715
Average APNIC Region AS path length visible:                        4.5
Max APNIC Region AS path length visible:                             29
Number of APNIC region 32-bit ASNs visible in the Routing Table:   7585
Number of APNIC addresses announced to Internet:              773730816
Equivalent to 46 /8s, 30 /16s and 50 /24s

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
       (pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079,
                              55296-56319, 58368-59391, 63488-64098,
                              64297-64395, 131072-151865
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    258735
Total ARIN prefixes after maximum aggregation:                   119151
ARIN Deaggregation factor:                                         2.17
Prefixes being announced from the ARIN address blocks:           258933
Unique aggregates announced from the ARIN address blocks:        123539
ARIN Region origin ASes present in the Internet Routing Table:    18984
ARIN Prefixes per ASN:
Re: [routing-wg] RPKI vulnerable?
No, we don't, because then we'd have to more widely disclose the issue.
Needs to be handled under extreme secrecy and embargoed disclosure while we
design a mitigation... :-p

W

On Fri, Feb 18, 2022 at 9:11 AM Nick Hilliard wrote:

> Warren Kumari wrote on 18/02/2022 15:02:
> > This was the same person who alerted me to the also *shocking* discovery
> > that longest-match wins, and so just twiddling local-pref doesn't save
> > you.
>
> Ye gods, do we have a CVE number for this?
>
> Nick

--
Perhaps they really do strive for incomprehensibility in their specs. After
all, when the liturgy was in Latin, the laity knew their place.
-- Michael Padlipsky
Re: [routing-wg] RPKI vulnerable?
Warren Kumari wrote on 18/02/2022 15:02:
> This was the same person who alerted me to the also *shocking* discovery
> that longest-match wins, and so just twiddling local-pref doesn't save
> you.

Ye gods, do we have a CVE number for this?

Nick
Re: [routing-wg] RPKI vulnerable?
It could also be that all 5 RIRs have trust roots for 0/0, so if you get a
different RIR to sign with a different origin (including AS 0), that network
is going to be unreachable at a lot of locations.

Rubens

On Fri, Feb 18, 2022 at 7:09 AM Job Snijders via routing-wg wrote:
>
> Hi all,
>
> It might be the case that the vulnerability is in the realm of disagreement
> with some design choices of the past, rather than a traditional CVE hole in
> one or more software packages.
>
> I found the following paper which touches upon the “assumed trust” aspect of
> RPKI in the relationship between Relying Party and Trust Anchor(s).
>
> https://www.researchgate.net/publication/349045074_Privacy_Preserving_and_Resilient_RPKI
>
> I’m very interested in discussion about cross-signing schemes.
>
> Kind regards,
>
> Job
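To make Rubens's point about several trust anchors covering 0/0 concrete: a relying party merges the VRPs it derives from every configured trust anchor, with no precedence between them, and RFC 6811 origin validation runs over that merged set. The block below is an added example, not code from this thread or from any relying-party implementation; the trust anchor names, prefixes and AS numbers are constructed, and it models only VRP matching, not the certificate-chain validation a real RP performs first.

```python
# Added illustration (not from this thread or any RP implementation):
# RFC 6811 route origin validation over VRPs merged from several trust
# anchors. Trust anchor names, prefixes and ASNs are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VRP:
    prefix: str       # ROA prefix
    max_length: int   # ROA maxLength
    asn: int          # 0 means "nobody may originate this prefix"
    ta: str           # trust anchor the ROA chains to (constructed name)

def validate(route_prefix: str, origin_asn: int, vrps) -> str:
    """Return 'valid', 'invalid' or 'notfound' as in RFC 6811 section 2."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for v in vrps:
        roa = ipaddress.ip_network(v.prefix)
        if roa.version != route.version or not route.subnet_of(roa):
            continue
        covered = True
        # Any matching VRP, from any TA, makes the route Valid; an AS 0 VRP
        # never matches, so it only decides the outcome when nothing else does.
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid" if covered else "notfound"

def decisive_tas(route_prefix: str, origin_asn: int, vrps) -> set:
    """Trust anchors whose ROAs, if dropped, would change this route's state:
    a quick way to see which TA a given outcome actually depends on."""
    baseline = validate(route_prefix, origin_asn, vrps)
    return {ta for ta in {v.ta for v in vrps}
            if validate(route_prefix, origin_asn,
                        [v for v in vrps if v.ta != ta]) != baseline}

# Constructed merged VRP set: TA-A authorises AS 64500 for 192.0.2.0/24,
# TA-B has published AS 0 ROAs for the same /24 and for a more specific /25.
MERGED_VRPS = [
    VRP("192.0.2.0/24", 24, 64500, "TA-A"),
    VRP("192.0.2.0/24", 24, 0, "TA-B"),
    VRP("192.0.2.0/25", 25, 0, "TA-B"),
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/24", 64501),
                        ("192.0.2.0/25", 64500), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, validate(prefix, asn, MERGED_VRPS),
              decisive_tas(prefix, asn, MERGED_VRPS))
```

The /24 with its authorised origin stays Valid despite TA-B's AS 0 ROA, because one matching VRP from any TA suffices; the /25 is Invalid because TA-A's maxLength does not cover it and TA-B's ROA does, which is the kind of cross-TA interaction a defender should check before trusting a new ROA publication.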
Re: [routing-wg] RPKI vulnerable?
On Fri, Feb 18, 2022 at 4:09 AM Job Snijders via routing-wg
<routing-wg@ripe.net> wrote:

> Hi all,
>
> It might be the case that the vulnerability is in the realm of
> disagreement with some design choices of the past, rather than a
> traditional CVE hole in one or more software packages.

I'd certainly hope that it isn't that you can just spoof the valid origin
AS...

I recently had someone come to me with this *shocking* discovery and ask
about how to disclose it. This was the same person who alerted me to the
also *shocking* discovery that longest-match wins, and so just twiddling
local-pref doesn't save you.

W

> I found the following paper which touches upon the “assumed trust” aspect
> of RPKI in the relationship between Relying Party and Trust Anchor(s).
>
> https://www.researchgate.net/publication/349045074_Privacy_Preserving_and_Resilient_RPKI
>
> I’m very interested in discussion about cross-signing schemes.
>
> Kind regards,
>
> Job

--
Perhaps they really do strive for incomprehensibility in their specs. After
all, when the liturgy was in Latin, the laity knew their place.
-- Michael Padlipsky
Re: [routing-wg] RPKI vulnerable?
Dear Hank,

> On 18 Feb 2022, at 14:34, Hank Nussbacher wrote:
>
> On 18/02/2022 10:54, Nathalie Trenaman wrote:
>> Hi Nick,
>>> On 18 Feb 2022, at 09:53, Nick Hilliard wrote:
>>>
>>> Hank Nussbacher wrote on 18/02/2022 07:39:
>>>> We are working with large network providers and registrars on mitigating
>>>> the vulnerabilities in RPKI deployments.
>>>
>>> Has anyone from the RIPE NCC been in contact with this group?
>>>
>>> Nick
>> No, we haven’t. This also sparked our curiosity, so we’re trying to contact
>> them.
>
> Haya posted on her Linkedin posting (3 hours ago) "RIPE NCC is on our list"
> in response to Ivo Dijkhuis asking "Dear Haya, we would certainly appreciate
> an invitation to that workshop."
>
> So I guess RIPE NCC needs to find out who within the NCC has been getting
> Haya's emails.

As I stated this morning, no-one within the RIPE NCC has received Haya’s
e-mails, or any e-mails from this research group regarding this research.
This is why our Senior Security Officer Ivo Dijkhuis posted that message.

Kind regards,
Nathalie Trenaman
RIPE NCC
Re: [routing-wg] RPKI vulnerable?
On 18/02/2022 10:54, Nathalie Trenaman wrote:
> Hi Nick,
>> On 18 Feb 2022, at 09:53, Nick Hilliard wrote:
>>
>> Hank Nussbacher wrote on 18/02/2022 07:39:
>>> We are working with large network providers and registrars on mitigating
>>> the vulnerabilities in RPKI deployments.
>>
>> Has anyone from the RIPE NCC been in contact with this group?
>>
>> Nick
> No, we haven’t. This also sparked our curiosity, so we’re trying to contact
> them.

Haya posted on her Linkedin posting (3 hours ago) "RIPE NCC is on our list"
in response to Ivo Dijkhuis asking "Dear Haya, we would certainly appreciate
an invitation to that workshop."

So I guess RIPE NCC needs to find out who within the NCC has been getting
Haya's emails.

Regards,
Hank

> Kind regards,
> Nathalie Trenaman
> RIPE NCC
Re: [routing-wg] RPKI vulnerable?
Hello!

On 2/18/22 9:54 AM, Nathalie Trenaman wrote:
> Hi Nick,
>> On 18 Feb 2022, at 09:53, Nick Hilliard wrote:
>>
>> Hank Nussbacher wrote on 18/02/2022 07:39:
>>> We are working with large network providers and registrars on mitigating
>>> the vulnerabilities in RPKI deployments.
>>
>> Has anyone from the RIPE NCC been in contact with this group?
>>
>> Nick
> No, we haven’t. This also sparked our curiosity, so we’re trying to contact
> them.

I also didn't know about this before, so I'm trying to contact them as well.
There is no info on what part of the RPKI infrastructure is affected and
whether BIRD may also be vulnerable.

Maria
Re: [routing-wg] RPKI vulnerable?
Hi all,

It might be the case that the vulnerability is in the realm of disagreement
with some design choices of the past, rather than a traditional CVE hole in
one or more software packages.

I found the following paper which touches upon the “assumed trust” aspect of
RPKI in the relationship between Relying Party and Trust Anchor(s).

https://www.researchgate.net/publication/349045074_Privacy_Preserving_and_Resilient_RPKI

I’m very interested in discussion about cross-signing schemes.

Kind regards,

Job
Re: [routing-wg] RPKI vulnerable?
Hi Nick,

> On 18 Feb 2022, at 09:53, Nick Hilliard wrote:
>
> Hank Nussbacher wrote on 18/02/2022 07:39:
>> We are working with large network providers and registrars on mitigating
>> the vulnerabilities in RPKI deployments.
>
> Has anyone from the RIPE NCC been in contact with this group?
>
> Nick

No, we haven’t. This also sparked our curiosity, so we’re trying to contact
them.

Kind regards,
Nathalie Trenaman
RIPE NCC
Re: [routing-wg] RPKI vulnerable?
Hank Nussbacher wrote on 18/02/2022 07:39:
> We are working with large network providers and registrars on mitigating
> the vulnerabilities in RPKI deployments.

Has anyone from the RIPE NCC been in contact with this group?

Nick