[190041] in North American Network Operators' Group
Re: RPKI and offline routes
daemon@ATHENA.MIT.EDU (Hugo Slabbert)
Tue Jun 14 11:57:48 2016
X-Original-To: nanog@nanog.org
Date: Tue, 14 Jun 2016 08:57:45 -0700
From: Hugo Slabbert <hugo@slabnet.com>
To: nanog@nanog.org
In-Reply-To: <alpine.WNT.2.00.1606131736280.1264@mw-PC>
Errors-To: nanog-bounces@nanog.org
On Mon 2016-Jun-13 17:53:45 -0500, Matthias Waehlisch <m.waehlisch@fu-berlin.de> wrote:
>Hi,
>
> the creation of a ROA does not require the announcement of the prefix.
>Creation of a ROA, prefix announcement, and validation of the prefix are
>decoupled. If you are the legitimate resource holder you can create a
>ROA for this prefix (even if you don't advertise the prefix). As soon as
>the prefix is advertised, third parties can validate based on the
>created ROA.
>
> However, in case the hijacker is able to use the legitimate origin
>ASN, the validation outcome would be valid. You would need to assign the
>prefix to an ASN that cannot be hijacked or is dropped for other
>reasons. (Or do BGPsec. ;)
Would this not be a valid use case for creating an ROA with origin AS 0?
RFC7607[1]
Autonomous System 0 was listed in the IANA Autonomous System Number
Registry as "Reserved - May be use [sic] to identify non-routed
networks" ([IANA.AS_Numbers][2]).
[RFC6491] specifies that AS 0 in a Route Origin Attestation (ROA) is
used to mark a prefix and all its more specific prefixes as not to be
used in a routing context. This allows a resource holder to signal
that a prefix (and the more specifics) should not be routed by
publishing a ROA listing AS 0 as the only origin. To respond to this
signal requires that BGP implementations not accept or propagate
routes containing AS 0.
RFC6491[3]
AS 0 ROA: A ROA containing a value of 0 in the ASID field.
"Validation of Route Origination Using the Resource Certificate
Public Key Infrastructure (PKI) and Route Origination Authorizations
(ROAs)" [RFC6483] states "A ROA with a subject of AS 0 (AS 0 ROA) is
an attestation by the holder of a prefix that the prefix described in
the ROA, and any more specific prefix, should not be used in a
routing context.
With the most detail in RFC6483[4].
Yes/no?
>
>
>Cheers
> matthias
-- 
Hugo Slabbert | email, xmpp/jabber: hugo@slabnet.com
pgp key: B178313E | also on Signal
>
>On Mon, 13 Jun 2016, Theodore Baschak wrote:
>
>> Can RPKI be used with routes that are not being advertised at the moment?
>> As in to sign a route that *could* be there, but is not there presently.
>>
>> There's been several BGP hijacks that I've followed closely that
>> involved hijacking IP space as well as the ASN that would normally
>> originate it. I'm wondering if having valid ROAs/RPKI would have
>> helped in this case or not.
>>
>>
>> Theodore Baschak - AS395089 - Hextet Systems
>>
[1]https://tools.ietf.org/html/rfc7607#section-1
[2]https://tools.ietf.org/html/rfc7607#ref-IANA.AS_Numbers
[3]https://tools.ietf.org/html/rfc6491#section-4
[4]https://tools.ietf.org/html/rfc6483#section-4
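The thread turns on how route origin validation (RFC 6811) treats three situations: a hijacker announcing the prefix from its own ASN, a hijacker that also spoofs the legitimate origin ASN, and a prefix covered only by an AS 0 ROA. The following is an added worked example, not code from the thread or from any RPKI validator; it implements the RFC 6811 matching rules over a constructed ROA set using documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and private-use ASNs (64496 as the legitimate origin, 64511 as the hijacker). The `ROA` class, the `validate` function and the `thread_scenarios` helper are all names chosen here.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength and origin ASN (0 = AS 0 ROA)."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation.

    Returns "notfound" if no ROA covers the announced prefix, "valid" if some
    covering ROA matches both the origin ASN and the maxLength constraint, and
    "invalid" otherwise. A ROA whose ASN is 0 covers the prefix but can never
    match a real origin, so it forces every announcement of that space (and all
    more specifics) to "invalid", which is exactly what RFC 6483 / RFC 6491
    describe for an AS 0 ROA.
    """
    route = ip_network(route_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix, strict=True)
        # subnet_of() raises on mixed address families, so filter those first.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if (
            roa.asn != 0                      # AS 0 never matches (RFC 7607 rejects AS 0 origins)
            and roa.asn == origin_asn
            and route.prefixlen <= roa.max_length
        ):
            return "valid"
    return "invalid" if covered else "notfound"


# Constructed ROA set for the example (not real registry data):
#  - 192.0.2.0/24 is legitimately originated by AS 64496, no more specifics allowed.
#  - 198.51.100.0/24 is not advertised at all; its holder publishes an AS 0 ROA
#    so that any appearance of the space (or a more specific) validates invalid.
ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 0),
)


def thread_scenarios(roas=ROAS) -> dict:
    """The cases discussed in the thread, evaluated against the constructed ROAs."""
    return {
        # Normal announcement by the legitimate holder.
        "legit_origin": validate("192.0.2.0/24", 64496, roas),
        # Hijacker announces the prefix from its own ASN: caught by ROV.
        "hijack_own_asn": validate("192.0.2.0/24", 64511, roas),
        # Hijacker also spoofs the legitimate origin ASN: ROV alone cannot tell
        # (Matthias's point; path validation such as BGPsec would be needed).
        "hijack_spoofed_origin": validate("192.0.2.0/24", 64496, roas),
        # More specific than maxLength, even from the right ASN: invalid.
        "legit_asn_too_specific": validate("192.0.2.0/25", 64496, roas),
        # Unadvertised prefix protected by an AS 0 ROA (Hugo's suggestion):
        # nobody can originate it or a more specific with a "valid" outcome.
        "as0_prefix_any_origin": validate("198.51.100.0/24", 64511, roas),
        "as0_more_specific": validate("198.51.100.128/25", 64496, roas),
        # Space with no ROA at all: ROV has nothing to say.
        "no_roa": validate("203.0.113.0/24", 64496, roas),
    }


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:26s} -> {outcome}")
```

The `hijack_spoofed_origin` case comes out "valid", which is the limitation Matthias describes: origin validation checks only the rightmost ASN in the AS_PATH, so a hijacker who forges it passes. The AS 0 cases show why the suggestion in the reply works for unadvertised space: with the only covering ROA listing AS 0 there is no origin a hijacker could claim that yields "valid", and a validating router applying a drop-invalid policy would discard the announcement. Note that this only helps where the prefix is genuinely not routed; a holder who does advertise the prefix cannot use an AS 0 ROA without also invalidating their own announcement.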