On Nov 14, 2008, at 1:07 PM, Geoff Huston wrote:

A good example for me in thinking about this has been the YouTube hijack at the start of this year. A salient question I asked myself was: what mechanisms could YouTube have used to alert relying parties to the unauthorised advertisement of more specifics from a different origin AS?

ROAs alone are not a good answer here, in that a ROA does not say what is bogus.

But does the existence of a ROA, with origin authorization not
make this implicit enough?

The only way that ROAs can do this is when a relying party is justified in assuming that _absolutely everything_ is covered by a ROA. In a world of incremental deployment this assumption does not hold, and therefore the absence of a ROA conveys no information at all.

In this case BOAs can assist. Let's say that MeTube has published a ROA to allow 10.1.0.0/16, max length=16 to be advertised from origin AS 1, and a relying party sees an advertisement for 10.1.1.0/24 originating from AS 2 (a hijack attempt). In this case the relying party has no grounds to assume that the /24 advertisement is bogus, and will accept the advertisement and the hijack will be effective. But what if MeTube also published a BOA for 10.1.0.0/16 at the same time as the ROA? Now as a ROA "trumps" a BOA then any advertisement for 10.1.0.0/16 with an origination of AS 1 will be regarded as valid by a relying party, while any other use of 10.1.0.0/16 or any more specific will be regarded as bogus.

So wouldn't this mean that in the current model everyone would publish
ROAs and BOAs?  Do we really want that?  Perhaps I'm missing something
here?

-danny
_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
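
The relying-party decision discussed in this thread, as an added example that is not part of the original messages or of any SIDR specification. It assumes a simplified model in which a BOA names only a prefix and the outcomes are "valid", "bogus" or "unknown"; the `ROA`, `BOA` and `classify` names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorised prefix, e.g. "10.1.0.0/16"
    max_length: int  # longest prefix length the origin may announce
    origin_as: int   # AS authorised to originate the prefix


@dataclass(frozen=True)
class BOA:
    prefix: str      # prefix (and every more specific) declared bogus


def covers(outer: str, inner) -> bool:
    """True if `inner` equals `outer` or is a more specific of it."""
    outer_net = ipaddress.ip_network(outer)
    return inner.version == outer_net.version and inner.subnet_of(outer_net)


def classify(prefix: str, origin_as: int, roas, boas) -> str:
    """Classify one advertisement under the 'ROA trumps BOA' rule."""
    net = ipaddress.ip_network(prefix)
    # 1. A matching ROA wins outright: covered prefix, length within
    #    max_length, and the authorised origin AS.
    for roa in roas:
        if (covers(roa.prefix, net)
                and net.prefixlen <= roa.max_length
                and roa.origin_as == origin_as):
            return "valid"
    # 2. No ROA matched: a covering BOA is the explicit statement that
    #    any other use of the space is bogus.
    for boa in boas:
        if covers(boa.prefix, net):
            return "bogus"
    # 3. Under incremental deployment, the absence of a matching ROA
    #    conveys no information, so nothing can be concluded.
    return "unknown"


# Constructed objects using the values from the message above.
METUBE_ROA = ROA("10.1.0.0/16", 16, 1)
METUBE_BOA = BOA("10.1.0.0/16")

if __name__ == "__main__":
    hijack = ("10.1.1.0/24", 2)
    print("ROA only:   ", classify(*hijack, [METUBE_ROA], []))
    print("ROA and BOA:", classify(*hijack, [METUBE_ROA], [METUBE_BOA]))
```
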
