[rpki-deployathon] Loose or strict prefix-length
Leeuwen, Andre van anvleeuwen at libertyglobal.com
Fri Mar 22 14:20:05 CET 2019
IMHO ROAs do not protect against hijacks using AS spoofing. However there is still value in rejecting INVALIDs caused by configuration mistakes.

BR,
André

From: rpki-deployathon [mailto:rpki-deployathon-bounces at ripe.net] On Behalf Of Mike Mulder
Sent: 19 March 2019 11:31
To: rpki-deployathon at ripe.net
Subject: [rpki-deployathon] Loose or strict prefix-length

Hi all,

We currently have a discussion about loose or strict prefix-length defined in the ROAs. What exactly is the win when you do strict?

Example: we announce a /22 and in some cases a more specific /24 from that /22, no other prefixes. We have one strict ROA for /22 and 4 strict ROAs for /24 in place. In case of AS-spoofing a malicious party will announce a /24 so that announcement will be VALID. Only the announcement of the 2 /23's will be protected (INVALID) as there are no matching ROAs.

If a party intends to do harm by doing AS spoofing the bad already happens. So what is the win of doing strict vs loose, besides protecting the 2 /23's? Are there other possible practical cases I am overlooking here?

Thanks,
Mike.

--
Mike Mulder
iunxi BV
E: mike.mulder at iunxi.eu
T: +31 (0)88 5400516
M: +31 (0)6 43165195
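The two ROA layouts discussed in this thread, run through RFC 6811 origin validation as an added example (not part of the original messages). The prefix 10.10.0.0/22 and AS numbers 64500/64501 are constructed placeholders, since the thread names no real prefixes or ASNs; `validate` and `compare` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: the thread gives no real prefixes or AS numbers.
HOLDER_AS = 64500                             # documentation ASN (RFC 5398)
BLOCK = ipaddress.ip_network("10.10.0.0/22")  # stand-in for the announced /22

# VRP = (prefix, maxLength, origin AS)
STRICT = [(BLOCK, 22, HOLDER_AS)] + [
    (net, 24, HOLDER_AS) for net in BLOCK.subnets(new_prefix=24)
]
LOOSE = [(BLOCK, 24, HOLDER_AS)]


def validate(prefix, origin_as, vrps):
    """Return the RFC 6811 state of a route: VALID, INVALID or NOT_FOUND."""
    route = ipaddress.ip_network(str(prefix))
    covered = False
    for vrp_net, max_len, vrp_as in vrps:
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue  # this VRP does not cover the route
        covered = True
        if vrp_as == origin_as and route.prefixlen <= max_len:
            return "VALID"
    # Covered by at least one VRP but matched by none: INVALID.
    return "INVALID" if covered else "NOT_FOUND"


def compare(origin_as):
    """Map each /22, /23 and /24 in BLOCK to its (strict, loose) state."""
    routes = [BLOCK, *BLOCK.subnets(new_prefix=23), *BLOCK.subnets(new_prefix=24)]
    return {
        str(r): (validate(r, origin_as, STRICT), validate(r, origin_as, LOOSE))
        for r in routes
    }


if __name__ == "__main__":
    for label, asn in (("origin = ROA AS", HOLDER_AS), ("origin = other AS", 64501)):
        print(label)
        for prefix, (strict, loose) in compare(asn).items():
            print(f"  {prefix:<16} strict={strict:<8} loose={loose}")
```

With the ROA's origin AS, the two layouts differ only on the two /23s; with any other origin AS every covered prefix is INVALID under both.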