Baldur Norddahl писал 2020-04-21 02:49:
My company is in Europe. Lets say an attacker joins the IX in Seattle a long way from here and a place we definitely are not present at. We do however use Hurricane Electric as transit and they are peering freely at Seattle. Everyone there thus sees our prefix with an as path length of two. The attacker can originate the prefixes himself and that way his fake announcements win at Seattle by having the length 1. With RPKI he needs to use our ASN to originate and have his own ASN in between to facilitate peering. Thus the fake path also has the length of two. The real announcement wins by virtue of being the oldest announcement and the attack fails.
The situation is even worse for the attacker if he needs an IP transit company to pick up the fake announcement. We have Telia, which filters invalids, and if the attacker tries to get his fake prefix picked up by them, his path will end up being one longer than ours, so he can never succeed.
There are of course plenty of situations where the attack still succeeds. I am not claiming this is a magical bullet. Just saying it might do more than some thinks it will. Definitely better than nothing.
I think that for peering sessions regular filters can do their job more directly and effectively. But I see that discussion moved away from initial topic to general dispute about RPKI usefullness. The initial topic though initially was about public web page that claimes your network secure or insecure based on evaluation of only one technology checking one particular specially crafted prefix. Kind regards, Andrey