nanog mailing list archives

Re: Dissecting the FCC’s Proposal to Improve BGP Security


From: Bill Woodcock <woody () pch net>
Date: Thu, 11 Jul 2024 11:55:37 +0200



On Jul 11, 2024, at 11:02, tim () pelican org wrote:
As a not-security person trying to get to grips with this, am I misunderstanding the type of attack that this is pushing to mitigate?
My current understanding:
-Bad guys announce space for Facebook / Amazon / banks / whatever
-Some traffic for high-value destinations gets diverted to Bad Guys
-Bad Guys do Bad Things

Well…  That’s kind of the generous take on it.  Perhaps a more realistic scope would be 
“well-intentioned-but-BGP-speaking people fat-finger their configs, misoriginating Facebook / Amazon / banks / 
whatever, causing temporary chaos.”  If there were actually bad guys involved, RPKI isn’t really going to slow them 
down.

                  Origin         Path
                            |
  Intentional               |
                            |
                ____________|___________
                            |
                RPKI lives  |
Unintentional   in this     |
                quadrant.   |


By focusing on BIAS-providers to secure *their own* routes, aren't you stopping the Bad Guys from hijacking eyeball space,

No, you aren't (see above), but...

rather than high-value destination space?

…your point is, more or less, correct.  For RPKI to work, the people advertising the space have to generate ROAs, and 
the people receiving the space have to validate them and use the output of the validation as a check on the routes they 
integrate into their routing tables.  So, both ROAs and validation are needed on all networks that matter or care, for 
RPKI to help.  If these networks generate ROAs and other networks validate them, then other networks protect themselves 
against misoriginated eyeball routes.  If other networks generate ROAs and these networks validate them, these eyeballs 
are protected against misoriginated other (including content) routes.

Is there a useful attack vector where the return traffic from Facebook to my residential CPE is diverted via the Bad Guys?

Sure, the Bad Guy could start with a downgrade and then issue you a redirect, and then they’re fully in the middle, 
both directions.  But, again, if there’s anyone _intentionally_ trying to hijack routes, RPKI isn’t going to stop them 
anyway.  It’s like a lock on a door: a reminder for well-intentioned people.

My instinct is that the quick win comes from high-value targets (or their ISPs) *generating* ROA, and ensuring that the BIAS providers are *validating* (ROV) that their customer traffic is going to the "real" Facebook.

Yes, that direction is more valuable.

I'm struggling with how much issuing ROAs for residential broadband ranges helps with this particular problem, and why.

Well…  if the basic proposition is that all safety-nets are beneficial, and we’re not looking at cost or alternatives 
or the big picture, then sure, RPKI is worth doing everywhere.  The FCC isn’t particularly known for looking at costs 
or alternatives or the big picture.

But this isn’t _bad_ if you aren’t too concerned about fragility, and aren’t worried about it completely distracting 
people from the other three quadrants of that matrix.

                                -Bill
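
Added example, not part of the original message: a minimal sketch of RFC 6811 route origin validation, the receiver-side check the reply describes (validate against ROAs, then use the result to filter routes). The ROAs, prefixes and AS numbers are constructed from documentation ranges, and `rov_state` and `accept` are hypothetical names.

```python
import ipaddress

# Constructed sample ROAs (documentation prefixes and private-use ASNs):
# (covering prefix, maxLength, authorised origin AS)
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
]

def rov_state(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement.

    Only the origin (last AS in the path) is compared with the ROAs;
    the rest of the AS path is not an input to this check.
    Simplification: AS_SET origins and AS0 ROAs are not handled.
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers the announced prefix
        if origin == roa_asn and net.prefixlen <= max_len:
            return "valid"
    # Covered by a ROA but no match: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def accept(prefix, as_path, roas=ROAS):
    """Common receiver policy: drop 'invalid', keep 'valid' and 'not-found'."""
    return rov_state(prefix, as_path, roas) != "invalid"

if __name__ == "__main__":
    # Constructed announcements: (prefix, AS path as received)
    samples = [
        ("192.0.2.0/24", [64510, 64500]),     # ROA origin matches
        ("192.0.2.0/24", [64510, 64666]),     # misoriginated (e.g. config typo)
        ("2001:db8:1:100::/56", [64501]),     # right origin, longer than maxLength
        ("203.0.113.0/24", [64502]),          # no ROA published for this space
    ]
    for prefix, path in samples:
        print(prefix, path, rov_state(prefix, path), accept(prefix, path))
```

The `not-found` case is the "both ROAs and validation are needed" point: where the holder has published no ROA, a validating receiver has nothing to check the origin against.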
