RE: Understanding impact of RPKI and ROA on existing advertisements

There are a lot of ROAs out there that make it EASIER to hijack
a route rather than harder.

If you register an ROA for a route and also advertise that route
in BGP, then an attacker who prepends your ASN has to at least
compete with your route with an AS_PATH length and will lose
in most of the Internet (but not all of it).

However, if you don't advertise the route, then the attacker has nothing
to compete with and his prepended route will be accepted as RPKI valid.

Remember max_length in a ROA. All routes covered by that max_length
will be considered valid by RPKI if the origin ASN matches.
If you don't advertise them all, then you are just making it
EASIER for an attacker to hijack them.

For example if you have an ROA for, max_length 17,
that includes the routes:

If you don't advertise all those routes in BGP, they are open
to being hijacked and considered RPKI valid.

OTOH, if you register the ROA as max_length 16,
then anyone who tries to advertise will have
their advertisement rejected as RPKI invalid.

I'm aware that people create ROAs for more specifics in case
they need to advertise them to break a hijack.
But then the hijacker could just advertise the longest prefix
allowed by the ROA. You can't break that with a yet more specific.
Unless the user of the route is not validating with RPKI.

It's a conundrum.
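
The max_length effect described in the message above, as an added example that is not part of the original thread: an RFC 6811-style origin-validation check, plus an audit that lists the prefixes a ROA authorizes but the holder does not announce. The prefix 198.51.100.0/24, AS64500 and the function names are constructed for illustration; they mirror the 16-versus-17 case with documentation address space.

```python
import ipaddress

def validate(route, origin_asn, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route)
    covered = False
    for prefix, max_length, asn in vrps:
        prefix = ipaddress.ip_network(prefix)
        if route.version != prefix.version or not route.subnet_of(prefix):
            continue  # this ROA entry does not cover the route
        covered = True
        # AS 0 never matches; the route must be no longer than max_length
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def unannounced_valid_routes(vrp, announced):
    """Prefixes the ROA makes RPKI-valid that the holder is not advertising.
    Each one is valid for anyone who sends it with the ROA's origin ASN."""
    prefix, max_length, _asn = vrp
    prefix = ipaddress.ip_network(prefix)
    announced = {ipaddress.ip_network(a) for a in announced}
    exposed = []
    for length in range(prefix.prefixlen, max_length + 1):
        for subnet in prefix.subnets(new_prefix=length):
            if subnet not in announced:
                exposed.append(str(subnet))
    return exposed

# Constructed sample data (documentation prefix and ASN, not from the thread)
LOOSE = ("198.51.100.0/24", 25, 64500)    # max_length one bit longer than the prefix
STRICT = ("198.51.100.0/24", 24, 64500)   # max_length equal to the prefix length
ANNOUNCED = ["198.51.100.0/24"]           # what the holder actually advertises

if __name__ == "__main__":
    more_specific = "198.51.100.128/25"   # never announced by the holder
    for name, vrp in (("loose", LOOSE), ("strict", STRICT)):
        print(name, "ROA:", more_specific, "from AS64500 is",
              validate(more_specific, 64500, [vrp]))
        print(name, "ROA: authorized but unannounced:",
              unannounced_valid_routes(vrp, ANNOUNCED))
```

Running the audit against your own ROAs and your actual announcements gives the list of routes to either advertise or remove from the ROA by tightening max_length.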


for the 312th time. origin validation was never designed to stop
attacks. it was designed to ameliorate mistakes.

if you want to use the rpki to reduce attacks, use bgpsec.