Re: Prefix hijacking, how to prevent and fix currently
On (2014-09-02 14:44 +0000), Sriram, Kotikalapudi wrote: Hi Sriram,
Importantly, C has a created a ROA for 192.0.2.0/23 only to protect its address space, but currently *does not advertise* this prefix or any part of it. So D's more specific announcement (hijack) is 'Invalid' in this scenario but the 'Loose' mode operation would accept/install D's route. Am I right about that? If yes, that is the side effect or CON that I was trying to highlight.
Absolutely, thanks I now understood you and we're on the same page. Loose only protects routed networks, it do not protect hijacked non-routed prefixes.
Further, later in a mature stage of RPKI, when nearly all operators have implemented the paragraph I cited from RFC 7115, then routers can drop 'Loose' mode.
Yes, many may have sufficient confidence to turn off loose mode at later time. All of them would be able to gather data during loose-period about actual occurrence of false positives. Perhaps that is always 0 or at least has been 0 for past several years, this might be make it easy to give accurate data of factual business risks. -- ++ytti
participants (1)
-
Saku Ytti