[AusNOG] Experiences with RPKI

Joseph Goldman joseph at goldman.id.au
Thu May 23 15:46:53 AEST 2024


G'day list,

  In the process of rolling out RPKI - and while I thought I had a good 
grasp on everything, there is one niggling piece of information that 
I've come against and can't verify. Was hoping people can share their 
experiences.

  We are only doing our ROAs to begin with and not implementing 
validation until later. The initial thought was to create an ROA for all 
our 'supernets' and use maxLength 24 to help cover any prefix we may 
want to advertise. We are a much simpler setup, single AS only, and we do 
advertise many of our ranges down to /24 but not all of them. I do know 
of the best practice of not using maxLength based on a draft RFC doc, 
but I am personally not super concerned for our relatively small 
use-case about the issues brought up in that doc.

  Where I have come into trouble is a source (APNIC helpdesk) indicating 
that if we have any ROAs that exist for prefixes we are not directly 
advertising - it may lend some validators to mark all our routes as 
invalid?

i.e. say we had a /22 ROA, 2x /23 ROAs and 4x /24 ROAs, and are currently 
advertising the /22 and 2x /24s, so 2x /23 and 2x /24 ROAs are 
'unused' in that we are not advertising those specific resources. Would 
that cause issues with strict validators out in the wild?

  My understanding reading through the RFCs is this should not be the 
case. If any ROA that matches the prefix for the origin AS exists, it 
should be valid, regardless of other ROAs signed by the same resource 
holder etc.

  Matching ROAs to exact advertisements is great, but it seems to lend 
itself to much less flexibility in traffic engineering and failover 
scenarios. A good scenario is having dormant /24 ROAs for, say, a DDoS 
mitigation service to use when needed, so you don't have to wait for RPKI 
propagation before scrubbing kicks in.

  Based on your experience, is having all-encompassing (using maxLength), 
or unused ROAs an acceptable way to use RPKI or will we run into issues?

All help appreciated :)

Thanks,
Joe