Hi,

On Sun, Nov 03, 2019 at 07:12:54PM +0300, Alexander Azimov wrote:
> Let's discuss the next scenario: there are two prefixes: x.x.0.0/24 and x.x.1.0/24, first one assigned to an ISP, second - unallocated. The proposal suggests that RIPE should create ROA with AS0 for x.x.1.0/24. Will it stop an attacker from squatting this address space?
> The answer will be No. An attacker will still be able to hijack x.x.0.0/23, which will have an 'unknown' status and will be passed on, as a result finally capturing traffic for x.x.1.0/24.

This is unfortunate. But indeed, it would make this change far less effective for the cases I had in mind. So I am reconsidering and joining the "it might be somewhat beneficial, but there are more important RPKI things to fix" camp.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
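
Added example, not part of the original message: a minimal RFC 6811-style route origin validation in Python, showing why the covering /23 comes out 'unknown' (NotFound) even with the AS0 ROA in place. The prefixes, the ASNs and the ISP's own ROA are constructed assumptions, and as0_space_inside is a hypothetical monitoring helper for flagging less-specific routes that contain AS0-covered space.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA Payload: prefix, maxLength, origin ASN."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample data: RFC 1918 space stands in for x.x.0.0/24 and
# x.x.1.0/24; ASNs come from the documentation range (RFC 5398).
VRPS = [
    VRP("10.10.0.0/24", 24, 64496),  # assumed ROA for the ISP's prefix
    VRP("10.10.1.0/24", 24, 0),      # proposed AS0 ROA for unallocated space
]

def covers(vrp, route):
    """A VRP covers a route only if the route lies inside the VRP prefix."""
    net = ipaddress.ip_network(vrp.prefix)
    return net.version == route.version and route.subnet_of(net)

def origin_validate(prefix, origin_asn, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "not-found"  # the 'unknown' status: normally accepted
    for v in covering:
        # AS0 can never match an origin, so it only ever makes routes invalid.
        if v.asn != 0 and v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    return "invalid"

def as0_space_inside(prefix, vrps=VRPS):
    """Monitoring aid: AS0 prefixes contained in the given route."""
    route = ipaddress.ip_network(prefix)
    return [v.prefix for v in vrps if v.asn == 0
            and ipaddress.ip_network(v.prefix).version == route.version
            and ipaddress.ip_network(v.prefix).subnet_of(route)]

if __name__ == "__main__":
    for pfx, asn in [("10.10.0.0/24", 64496), ("10.10.1.0/24", 64511),
                     ("10.10.0.0/23", 64511)]:
        print(pfx, f"AS{asn}", origin_validate(pfx, asn), as0_space_inside(pfx))
```

The /23 is 'not-found' because neither /24 VRP covers it; a monitor that also checks as0_space_inside can still flag such an announcement for review.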