Reject RPKI INVALID announcement 200.124.231.0/24 by AS0
So I was wondering:
- Did I incorrectly assume first match wins?
- Is the reject_bogon_asns() function not working as intended?
Hello
bgp_path.last returns 0 if the last item is AS_SET. There are most likely no AS0 in the path.
Thank you for your explanation. I looked into the relevant RFC to find out what is supposed to happen in cases where the final segment type is AS_SET: https://tools.ietf.org/html/rfc6811 :
o Route Origin ASN: The origin AS number derived from a Route as follows:
* the rightmost AS in the final segment of the AS_PATH attribute in the Route if that segment is of type AS_SEQUENCE, or
* the BGP speaker's own AS number if that segment is of type AS_CONFED_SEQUENCE or AS_CONFED_SET or if the AS_PATH is empty, or
* the distinguished value "NONE" if the final segment of the   <<<<
  AS_PATH attribute is of any other type.                      <<<<
[...]
We observe that no VRP can have the value "NONE" as its VRP ASN. Thus, a Route whose Origin ASN is "NONE" cannot be Matched by any VRP. Similarly, no valid Route can have an Origin ASN of zero [AS0]. Thus, no Route can be Matched by a VRP whose ASN is zero.
It looks like BIRD's mapping from "NONE" to "0" leads to the following problem and attack possibility:

RPKI ROAs with an AS0 are used by address holders to state "this prefix is not in use, don't accept any announcement containing it" [1]. Examples: https://rpki-validator.ripe.net/roas?q=AS0

AS0 in the AS_PATH is commonly filtered, but the announcements in question do not actually contain any AS0 and will not be filtered. As I understand it, BIRD's ROA check, as seen in the documentation, will return an RPKI validity state of VALID if the last AS_PATH item was of type AS_SET and the address holder created a ROA with AS0 for it.

So an attacker could do the following to bypass BIRD's ROA check:
- look up prefixes for which an AS0 ROA exists
- announce these prefixes using an AS_SET segment type

Can you confirm that?

thanks,
Christoph

[1] https://tools.ietf.org/html/rfc7607 :
By allowing a Resource Public Key Infrastructure (RPKI) resource holder to issue a ROA saying that AS 0 is the only valid origin for a route, we allow them to state that a particular address resource is not in use.
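The RFC 6811 origin-ASN derivation and validation discussed above, as an added example that is not part of this thread or of BIRD's code. It contrasts the RFC's distinguished "NONE" origin with an origin function that maps the AS_SET case to 0 (the behaviour the thread describes); the VRP set, AS_PATHs and local AS number are constructed for illustration.

```python
import ipaddress

NONE = "NONE"  # RFC 6811 distinguished value; deliberately not an integer


def origin_asn(as_path, local_as):
    """RFC 6811 Route Origin ASN. as_path is a list of (segment_type, [asn, ...])."""
    if not as_path:
        return local_as
    seg_type, asns = as_path[-1]
    if seg_type == "AS_SEQUENCE":
        return asns[-1]
    if seg_type in ("AS_CONFED_SEQUENCE", "AS_CONFED_SET"):
        return local_as
    return NONE  # AS_SET (or any other type): no VRP can ever match this


def bird_style_origin(as_path, local_as):
    """Models the behaviour described in the thread: the AS_SET case yields 0."""
    origin = origin_asn(as_path, local_as)
    return 0 if origin == NONE else origin


def validate(prefix, as_path, vrps, origin_fn=origin_asn, local_as=65000):
    """RFC 6811 section 2 validation; vrps is a list of (prefix, max_len, asn)."""
    route = ipaddress.ip_network(prefix)
    origin = origin_fn(as_path, local_as)
    covered = matched = False
    for vrp_prefix, max_len, vrp_asn in vrps:
        cover = ipaddress.ip_network(vrp_prefix)
        if route.version != cover.version or not route.subnet_of(cover):
            continue
        covered = True  # covered by a VRP regardless of max_len / ASN
        if route.prefixlen <= max_len and origin == vrp_asn:
            matched = True
    if not covered:
        return "NOT_FOUND"
    return "VALID" if matched else "INVALID"


# Constructed VRP: an AS0 ROA for the prefix named in the thread subject ("not in use").
VRPS = [("200.124.231.0/24", 24, 0)]
# Constructed AS_PATHs; 64496-64499 are documentation ASNs (RFC 5398).
AS_SET_PATH = [("AS_SEQUENCE", [64496]), ("AS_SET", [64498, 64499])]
AS_SEQ_PATH = [("AS_SEQUENCE", [64496, 64497])]

if __name__ == "__main__":
    for name, fn in (("rfc6811", origin_asn), ("bird-style", bird_style_origin)):
        print(name, validate("200.124.231.0/24", AS_SET_PATH, VRPS, fn))
```

Under the RFC semantics the AS_SET-terminated route is covered by the AS0 VRP but matched by nothing, so it is INVALID; with the 0-mapped origin the same route compares equal to the AS0 VRP and comes out VALID.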