On Mon, Apr 20, 2020 at 9:09 PM Randy Bush <randy@psg.com> wrote:
> but it provides almost zero protection against malicious attack. the
> attacker merely has to prepend (in the formal, not cisco display) the
> 'correct' origin AS to their malicious announcement.
Yes, but that makes the hijacked AS path length at least one longer, which makes it less likely that it can win over the true announcement. It is definitely better than nothing.
Also AS number filtering might be more prevalent than prefix filtering. If I know which origin ASNs I can accept from a peer and filter on that, then RPKI will prevent them from faking protected prefixes.
Regards,
Baldur
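The two mechanisms Baldur contrasts above, as an added toy model that is not part of the thread: route-origin validation with RFC 6811 semantics, a shortest-AS_PATH tie-break, and a per-peer origin-AS filter. The ROA, the prefix 192.0.2.0/24 and AS numbers 64500/64666 are constructed for illustration and do not come from the e-mail or any registry.

```python
"""Toy model of RPKI route-origin validation (ROV, RFC 6811 semantics)
combined with per-peer origin-AS filtering.

Everything here is constructed for illustration: the ROA, the prefix
192.0.2.0/24 (documentation space) and AS numbers 64500/64666 (private
range) are made up and come from neither the e-mail nor any registry.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    origin_as: int    # AS authorised to originate it
    max_length: int   # longest more-specific the ROA permits


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple    # formal (wire) order: first AS is the neighbour, last is the origin
    peer: int         # neighbour AS the UPDATE was received from

    @property
    def origin(self) -> int:
        return self.as_path[-1]


def rov_state(ann: Announcement, roas) -> str:
    """NotFound if no ROA covers the prefix; Valid if a covering ROA matches
    the origin AS and the prefix is no longer than maxLength; else Invalid."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"
    if any(r.origin_as == ann.origin and net.prefixlen <= r.max_length
           for r in covering):
        return "Valid"
    return "Invalid"


def accept(ann: Announcement, roas, allowed_origins=None):
    """Import policy. Drops ROV-Invalid routes; if allowed_origins (a map of
    peer AS -> set of origin ASNs we expect from that peer) is given, also
    drops routes whose origin that peer is not entitled to send us.
    Returns (accepted, reason)."""
    state = rov_state(ann, roas)
    if state == "Invalid":
        return False, "rov-invalid"
    if allowed_origins is not None and ann.origin not in allowed_origins.get(ann.peer, set()):
        return False, "origin-not-permitted-from-peer"
    return True, state


def best_path(candidates):
    """Shortest AS_PATH wins; all other tie-breaking attributes assumed equal."""
    return min(candidates, key=lambda a: len(a.as_path))


def run_scenario():
    roas = [ROA("192.0.2.0/24", 64500, 24)]
    legit = Announcement("192.0.2.0/24", (64500,), peer=64500)          # customer originates its own prefix
    naive = Announcement("192.0.2.0/24", (64666,), peer=64666)          # hijacker as origin
    forged = Announcement("192.0.2.0/24", (64666, 64500), peer=64666)   # hijacker prepends the true origin
    routes = (("legit", legit), ("naive", naive), ("forged", forged))

    # Stage 1: ROV only. The naive hijack is Invalid; the forged-origin one
    # passes ROV but is one AS longer, so it loses the path-length comparison.
    rov_only = {name: accept(a, roas) for name, a in routes}
    survivors = [a for _, a in routes if accept(a, roas)[0]]
    winner = best_path(survivors)  # legit: 1 hop vs the forged route's 2

    # Stage 2: ROV plus per-peer origin-AS filter. AS64666 is only expected to
    # originate its own routes, so the forged announcement is dropped as well.
    allowed = {64500: {64500}, 64666: {64666}}
    filtered = {name: accept(a, roas, allowed) for name, a in routes}
    return {"rov_only": rov_only, "rov_winner": winner.as_path,
            "with_origin_filter": filtered}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The model deliberately ignores local preference and the other tie-breakers; in practice a hijacker who reaches a router on a higher-local-pref session still wins even with a longer path, which is why the per-peer origin filter in stage 2 is the stronger of the two checks.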