When doing a shortest path export all hijack against ASPA, you can actually simply do an origin hijack when announcing to customers. This doesn't come up much since most attackers are not transit ASes (in which case this bug won't affect results), but for transit attackers this matters. This will be somewhat difficult to implement, since this requires attacker behavior that is unique to only the attacker, and moves this attack beyond a simple preprocessing of the announcements (which probably means that this should be moved out of the preprocess_anns funcs).
NOTE: this comes from ASPA RFC section 12, and is due to the fact that ASPA records do not include customers.
jfuruness
commented
2 months ago
When doing a shortest path export all hijack against ASPA, you can actually simply do an origin hijack when announcing to customers. This doesn't come up much since most attackers are not transit ASes (in which case this bug won't affect results), but for transit attackers this matters. This will be somewhat difficult to implement, since this requires attacker behavior that is unique to only the attacker, and moves this attack beyond a simple preprocessing of the announcements (which probably means that this should be moved out of the preprocess_anns funcs).
NOTE: this comes from ASPA RFC section 12, and is due to the fact that ASPA records do not include customers.