Look again, Tom. This is an attack vector using a LESS specific route. The /22 gets discarded, but a covering /0-/21 would not.

Owen

On Oct 22, 2023, at 10:06, Tom Beecher <beecher@beecher.cc> wrote:

>> And is it your belief that this addresses the described attack vector?
>> AFAICT, it does not.
>
> Quoting myself:
>
>> WITH the assertion that all routers in the routing domain are RPKI enabled, and discarding RPKI INVALIDs.
>
> In the mixed RPKI / non-RPKI environment of today's internet, no it doesn't. This does not mean that RPKI is deficient, or the AS 0 ROA doesn't work as intended, as was stated.
>
> On Sun, Oct 22, 2023 at 12:57 PM William Herrin <bill@herrin.us> wrote:

On Sun, Oct 22, 2023 at 9:38 AM Tom Beecher <beecher@beecher.cc> wrote:
>> He's saying that someone could come along and advertise 0.0.0.0/1 and
>> 128.0.0.0/1 and by doing so they'd hijack every unrouted address block
>> regardless of the block's ROA.
>>
>> RPKI is unable to address this attack vector.
>
>
> https://www.rfc-editor.org/rfc/rfc6483
>
> Section 4
>>
>>
>> A ROA with a subject of AS 0 (AS 0 ROA) is an attestation by the
>> holder of a prefix that the prefix described in the ROA, and any more
>> specific prefix, should not be used in a routing context.
And is it your belief that this addresses the described attack vector?
AFAICT, it does not.
Regards,
Bill Herrin
--
William Herrin
bill@herrin.us
https://bill.herrin.us/
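The route origin validation logic the thread is arguing about (RFC 6811 against an AS 0 ROA per RFC 6483 section 4), as an added example that is not part of any message in this thread. The ROA set, prefixes (RFC 5737 documentation space) and private ASNs are constructed, and `Roa`, `Route`, `validate`, `accept` and `longest_match` are names chosen here, not a real validator's API. It shows why the AS 0 ROA makes the /22 and its more-specifics INVALID while a /1 with no covering ROA is NOT FOUND, and what a "drop INVALID" policy then does to a forwarding lookup in the covered space.

```python
"""Route Origin Validation (RFC 6811) against a small, constructed ROA set.

Added illustration, not part of the thread. An AS 0 ROA (RFC 6483 s4) makes a
covered /22 and every more-specific INVALID, but a less-specific announcement
such as 128.0.0.0/1 with no covering ROA is NOT FOUND and survives a
"drop INVALID" policy.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional


class Rov(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int  # 0 means "AS 0 ROA": no origin may announce this space


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_asn: int


def roa(prefix: str, asn: int, max_length: Optional[int] = None) -> Roa:
    net = ipaddress.IPv4Network(prefix)
    return Roa(net, net.prefixlen if max_length is None else max_length, asn)


def route(prefix: str, origin_asn: int) -> Route:
    return Route(ipaddress.IPv4Network(prefix), origin_asn)


def validate(r: Route, roas: Iterable[Roa]) -> Rov:
    """RFC 6811 section 2: a ROA covers a route when the route prefix is a
    subnet of the ROA prefix. No covering ROA -> NOT_FOUND. A covering ROA
    matches when the origin AS equals the ROA AS and the route length does
    not exceed maxLength -> VALID. Covered but never matched -> INVALID.
    AS 0 is never a legitimate origin, so an AS 0 ROA only yields INVALID."""
    covering = [x for x in roas if r.prefix.subnet_of(x.prefix)]
    if not covering:
        return Rov.NOT_FOUND
    for x in covering:
        if x.asn != 0 and x.asn == r.origin_asn and r.prefix.prefixlen <= x.max_length:
            return Rov.VALID
    return Rov.INVALID


def accept(routes: Iterable[Route], roas: Iterable[Roa]) -> List[Route]:
    """The policy under discussion: discard INVALID, keep VALID and NOT_FOUND."""
    roas = list(roas)
    return [r for r in routes if validate(r, roas) is not Rov.INVALID]


def longest_match(address: str, routes: Iterable[Route]) -> Optional[Route]:
    """Forwarding lookup: the most specific accepted route covering the address."""
    ip = ipaddress.IPv4Address(address)
    hits = [r for r in routes if ip in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed data: RFC 5737 documentation prefixes and private ASNs.
ROAS = [
    roa("198.51.100.0/22", 0),                 # AS 0 ROA: "do not route this space"
    roa("192.0.2.0/24", 64496, max_length=24),
]

ANNOUNCEMENTS = [
    route("198.51.100.0/22", 64500),  # covered by the AS 0 ROA -> INVALID
    route("198.51.100.0/24", 64500),  # more specific, still covered -> INVALID
    route("192.0.2.0/24", 64496),     # matches its ROA -> VALID
    route("192.0.2.0/25", 64496),     # exceeds maxLength -> INVALID
    route("0.0.0.0/1", 64500),        # no ROA covers a /1 -> NOT_FOUND
    route("128.0.0.0/1", 64500),      # no ROA covers a /1 -> NOT_FOUND
]


def demo():
    states = {str(r.prefix): validate(r, ROAS).value for r in ANNOUNCEMENTS}
    accepted = accept(ANNOUNCEMENTS, ROAS)
    # After dropping INVALIDs, an address in the AS 0 space still follows the /1.
    chosen = longest_match("198.51.100.1", accepted)
    return states, accepted, chosen


if __name__ == "__main__":
    states, accepted, chosen = demo()
    for prefix, state in states.items():
        print(f"{prefix:18} {state}")
    print("accepted:", [str(r.prefix) for r in accepted])
    print("198.51.100.1 forwarded via", chosen.prefix, "origin AS", chosen.origin_asn)
```

Running it prints INVALID for the /22 and the /24, NOT FOUND for both /1s, and then resolves 198.51.100.1 through 128.0.0.0/1 from AS 64500: the AS 0 ROA does exactly what RFC 6483 says for the space it covers, and ROV simply has nothing to say about a less-specific prefix that no ROA covers.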