[190065] in North American Network Operators' Group


Re: RPKI and offline routes


X-Original-To: nanog@nanog.org
From: "Jakob Heitz (jheitz)" <jheitz@cisco.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 14 Jun 2016 20:19:37 +0000
Errors-To: nanog-bounces@nanog.org

ASN 0 is used for this purpose.
Look for the word "zero" in
https://tools.ietf.org/html/rfc6907

Thanks,
Jakob.

> Date: Mon, 13 Jun 2016 17:53:45 -0500 (Central Sommerzeit)
> From: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
> To: Theodore Baschak <theodore@ciscodude.net>
> Cc: NANOG Operators' Group <nanog@nanog.org>
> Subject: Re: RPKI and offline routes
>
> Hi,
>=20
>   the creation of a ROA does not require the announcement of the prefix.
> Creation of a ROA, prefix announcement, and validation of the prefix are
> decoupled. If you are the legitimate resource holder you can create a
> ROA for this prefix (even if you don't advertise the prefix). As soon as
> the prefix is advertised, third parties can validate based on the
> created ROA.
>
>   However, in case the hijacker is able to use the legitimate origin
> ASN, the validation outcome would be valid. You would need to assign the
> prefix to an ASN that cannot be hijacked or is dropped for other
> reasons. (Or do BGPsec. ;)
>
>
> Cheers
>   matthias
>
> On Mon, 13 Jun 2016, Theodore Baschak wrote:
>
> > Can RPKI be used with routes that are not being advertised at the moment?
> > As in to sign a route that *could* be there, but is not there presently.
> >
> > There's been several BGP hijacks that I've followed closely that
> > involved hijacking IP space as well as the ASN that would normally
> > originate it. I'm wondering if having valid ROAs/RPKI would have
> > helped in this case or not.
> >
> >
> > Theodore Baschak - AS395089 - Hextet Systems
> >
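
The two points made in this thread (a ROA is validated only against whatever is actually announced, so a hijacker who forges the legitimate origin ASN still comes out Valid, and an AS 0 ROA is how you mark space that must not be originated by anyone) can be checked against the RFC 6811 route origin validation algorithm. The following is an added worked example, not code from the thread or from any poster; the ROA set, the AS numbers (64496, 64511 from the documentation range) and the prefixes (RFC 5737/3849 documentation space) are constructed for illustration, and the "AS 0 never matches" rule follows RFC 7607's treatment of AS 0 as a reserved ASN.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set.

Added example for the NANOG thread on RPKI and unannounced routes; it is
not any poster's code. All prefixes and AS numbers are documentation values.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the origin is allowed to announce
    origin_as: int    # 0 means "this prefix is not to be announced by anyone"


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int    # right-most AS in AS_PATH, whatever the announcer claims


def covers(roa: ROA, route: Route) -> bool:
    """A ROA covers a route when the route prefix lies inside the ROA prefix."""
    r, p = ip_network(roa.prefix), ip_network(route.prefix)
    return r.version == p.version and p.subnet_of(r)


def matches(roa: ROA, route: Route) -> bool:
    """RFC 6811 match: covered, same origin AS, and not longer than maxLength.

    A ROA for AS 0 can never match. AS 0 is reserved and must not appear as an
    origin in a real announcement (RFC 7607), so an AS 0 ROA only ever makes
    covered routes Invalid, which is exactly what it is for.
    """
    if roa.origin_as == 0:
        return False
    return (covers(roa, route)
            and route.origin_as == roa.origin_as
            and ip_network(route.prefix).prefixlen <= roa.max_length)


def validate(route: Route, roas) -> str:
    """Return the RFC 6811 state for one announcement: Valid, Invalid or NotFound."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"          # no ROA says anything about this space
    if any(matches(r, route) for r in covering):
        return "Valid"
    return "Invalid"               # covered, but no ROA permits this origin/length


# Constructed ROA set (assumed values, not real registrations):
#  - 192.0.2.0/24 is live and originated by AS64496
#  - 198.51.100.0/24 is held but deliberately not announced, hence an AS 0 ROA
#  - 2001:db8::/32 may be deaggregated down to /48 by AS64496
EXAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 0),
    ROA("2001:db8::/32", 48, 64496),
)

# Constructed announcements covering the cases raised in the thread. Note that
# "legit" and "hijack_spoofed_as" are byte-for-byte the same announcement: the
# validator cannot tell them apart, which is the point Matthias makes.
EXAMPLE_ROUTES = {
    "legit":                Route("192.0.2.0/24", 64496),
    "hijack_own_as":        Route("192.0.2.0/24", 64511),   # hijacker uses its own AS
    "hijack_spoofed_as":    Route("192.0.2.0/24", 64496),   # hijacker forges the real origin AS
    "hijack_more_specific": Route("192.0.2.0/25", 64496),   # right AS, but beyond maxLength
    "dormant_hijacked":     Route("198.51.100.0/24", 64511),  # AS 0 ROA: nobody can be Valid
    "dormant_as0_claim":    Route("198.51.100.0/24", 0),      # claiming AS 0 does not help either
    "no_roa":               Route("203.0.113.0/24", 64511),
    "v6_deaggregate":       Route("2001:db8:1::/48", 64496),
}


def validate_examples() -> dict:
    """Validate every constructed announcement against the constructed ROA set."""
    return {name: validate(r, EXAMPLE_ROAS) for name, r in EXAMPLE_ROUTES.items()}


if __name__ == "__main__":
    for name, state in validate_examples().items():
        print(f"{name:22s} {state}")
```

Running it shows the forged-origin hijack as Valid next to the genuine announcement, the own-AS and more-specific hijacks as Invalid, and every announcement of the AS 0 prefix as Invalid regardless of the origin claimed; a relying party that drops Invalid routes therefore protects the dormant prefix completely, while the live prefix is protected only against hijackers who do not also spoof its origin ASN.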

