What is a subprefix hijack and how can RPKI help reduce this risk?

Multiple Choice

What is a subprefix hijack and how can RPKI help reduce this risk?

Explanation:
A subprefix hijack occurs when an AS announces a more-specific subprefix of a legitimately held BGP prefix, exploiting the fact that routers prefer the longest (most specific) matching route. Traffic for that subprefix is then diverted from the rightful origin to the hijacker.

RPKI reduces this risk through Route Origin Validation (ROV). Each ROA (Route Origin Authorization) binds a prefix to an origin AS and a maxLength that bounds how specific an announcement under that prefix may be. When a BGP route is received, the validator checks whether the announcing origin AS is authorized for that prefix and whether the announced prefix length is within the ROA's maxLength. If the origin is not authorized, or the subprefix is longer than the ROA permits, the route is marked Invalid and is deprioritized or dropped by networks that enforce strict validation. This makes it much harder to attract traffic with a more-specific subprefix, because unauthorized origins and over-long subprefixes are not trusted.

However, if the subprefix is not covered by any ROA (validation state Not Found), or a ROA for a covering parent prefix permits the more-specific announcement through a large maxLength, RPKI alone will not prevent the hijack. In those cases, additional controls such as prefix filtering and broader operational practices are needed to mitigate the risk.
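The following is an added worked example, not part of the Examzify page: a small Python model of RFC 6811 route origin validation that walks through the cases described above. The ROAs, prefixes (from the private 10.0.0.0/8 range) and ASNs (64500 to 64502, from the private ASN range) are constructed for illustration, and the `validate`, `covers` and `loose_roas` names are this example's own.

```python
"""Minimal RFC 6811 Route Origin Validation (ROV) model.

Validation states follow RFC 6811:
  valid      - at least one covering ROA matches origin AS and maxLength
  invalid    - covering ROA(s) exist, but none matches
  not-found  - no ROA covers the announced prefix at all
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the ROA is issued for, e.g. "10.10.0.0/16"
    max_length: int   # maxLength: longest announcement this ROA authorises
    origin_asn: int   # AS authorised to originate the prefix


def covers(roa: ROA, announced: ipaddress._BaseNetwork) -> bool:
    """A ROA 'covers' an announcement when the announced prefix lies inside
    the ROA prefix (same address family), regardless of maxLength or ASN."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return announced.version == roa_net.version and announced.subnet_of(roa_net)


def validate(prefix: str, origin_asn: int, roas) -> str:
    """Return the RFC 6811 validation state for one BGP announcement."""
    # strict=True rejects malformed prefixes (host bits set) instead of guessing
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA, but no ROA authorises this (origin, length) pair.
    return "invalid"


def policy_decision(state: str, strict: bool = True) -> str:
    """Typical operator policy: drop Invalid under strict ROV, otherwise
    accept it at reduced preference; Valid and Not Found are accepted."""
    if state == "invalid":
        return "drop" if strict else "accept-low-pref"
    return "accept"


def loose_roas(roas):
    """Flag ROAs whose maxLength exceeds the prefix length: these authorise
    more-specifics that the holder may never announce, so a forged-origin
    more-specific would still validate (the maxLength caveat above)."""
    return [r for r in roas
            if r.max_length > ipaddress.ip_network(r.prefix).prefixlen]


# Constructed sample ROAs for the walkthrough.
SAMPLE_ROAS = [
    ROA("10.10.0.0/16", 16, 64500),   # minimal maxLength: only the /16 itself
    ROA("10.20.0.0/16", 24, 64500),   # loose maxLength: any /17 .. /24 allowed
]


if __name__ == "__main__":
    cases = [
        ("10.10.0.0/16", 64500),   # rightful origin, exact prefix   -> valid
        ("10.10.5.0/24", 64501),   # unauthorised AS, more-specific  -> invalid
        ("10.10.5.0/24", 64500),   # rightful AS but beyond maxLength -> invalid
        ("10.20.5.0/24", 64500),   # loose maxLength: more-specific  -> valid
        ("10.30.0.0/16", 64502),   # no covering ROA                 -> not-found
    ]
    for pfx, asn in cases:
        state = validate(pfx, asn, SAMPLE_ROAS)
        print(f"{pfx:16} AS{asn}: {state:9} -> {policy_decision(state)}")
    print("ROAs with loose maxLength:", loose_roas(SAMPLE_ROAS))
```

The fourth case is the one the caveat describes: with a maxLength of 24 on 10.20.0.0/16, a /24 announced with the rightful origin ASN is Valid, so ROV cannot distinguish the holder's own more-specific from a forged-origin one; keeping maxLength minimal (as `loose_roas` flags) and applying prefix filters closes that gap. The fifth case shows that a prefix with no ROA at all yields Not Found, which most policies accept, so ROV gives no protection there.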
