He’s announcing all 4 /24s
That's not what was described as the original situation. Operator has prefix 1.2.4/22, but announce only 1.2.5/24 and 1.2.6/24,
with appropriate ROAs. To avoid abuse of 1.2.4/24 and 1.2.7/24, they also make a ROA for 1.2.4/22 with AS 0. Attacker now announces 1.2.0/20, and uses IPs in 1.2.4/24 and 1.2.7/24 to send spam etc.
On Tue, Oct 24, 2023 at 8:27 PM Owen DeLong <owen@delong.com> wrote:
The covering /20 isn’t his to announce… He has a /22. He’s announcing all 4 /24s, and may not have a legitimate place to announce the covering /22, which wouldn’t help in this case anyway.
So I’m not sure why you think that’s a solution.
Owen
On Oct 22, 2023, at 10:45, Tom Beecher <beecher@beecher.cc> wrote:
Look again, Tom. This is an attack vector using a LESS specific route. The
/22 gets discarded, but a covering /0-/21 would not.
Yes. And reliant on the operator doing something exceptionally not smart to begin with. Relying on an AS0 ROA alone and not actually announcing the covering prefix as well isn't a good thing to do.
On Sun, Oct 22, 2023 at 1:39 PM Owen DeLong <owen@delong.com> wrote:
Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not.
Owen
On Oct 22, 2023, at 10:06, Tom Beecher <beecher@beecher.cc> wrote:
And is it your belief that this addresses the described attack vector? AFAICT, it does not.
Quoting myself :
WITH the assertion that all routers in the routing domain are RPKI
enabled, and discarding RPKI INVALIDs.
In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.
On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill@herrin.us> wrote:
On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher@beecher.cc> wrote:
He's saying that someone could come along and advertise 0.0.0.0/1 and 128.0.0.0/1 and by doing so they'd hijack every unrouted address block regardless of the block's ROA.
RPKI is unable to address this attack vector.
https://www.rfc-editor.org/rfc/rfc6483
Section 4
A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the holder of a prefix that the prefix described in the ROA, and any more specific prefix, should not be used in a routing context.
And is it your belief that this addresses the described attack vector? AFAICT, it does not.
Regards, Bill Herrin
-- William Herrin bill@herrin.us https://bill.herrin.us/