[AusNOG] Experiences with RPKI

Geoff Huston gih902 at gmail.com
Thu May 23 16:20:22 AEST 2024


Hi Joe,

Well, you are always going to run into issues! All of these tools introduce novel forms of failure! :-)

In answer to your specific question, not advertising all of the prefixes for which you have ROAs will not cause any issues at all. When you create a ROA you, as the prefix holder, are providing an authority for the listed AS to originate that particular route. You are not making any attestation at all about any other prefixes that the AS is originating.

A few other points:

- DON'T rely on the RPKI as a real time or near real time signalling method, such as for DDoS mitigation. You are relying on everyone else performing super frequent checks on the state of the RPKI repositories, and while a lot of software uses 2 - 10 minute timers there are still some that operate at hourly frequency or longer. There is no standard for the polling interval.

- advertising a shorter (or is that longer?) maxlength when you are not using it does make you more vulnerable to more specific routing attacks. Don't forget the speed of standardization of AS Path protection makes continental drift look speedy, and the current draft, ASPA, tends to get very confused between topology and connectivity, which makes the entire process far sillier and more complex than it needs to be.

- in general the ROA / ROV drop tools as they exist today provide only weak resistance to a determined attack. They are great tools to counter some forms of inadvertent route leaks, but without a far better form of topology protection they are little more than a veneer in terms of defense against a capable adversary in a routing context. The problem is that they do represent one more task for you as a network operator and one more thing to go wrong (expired keys, badly formed ROAs, badly formed RPKI certificates, etc.), and while it might be fun to set things up initially manually, you need to pay attention as to how you will automate the maintenance of all of this to ensure that the machinery will work smoothly when you will not be around to nurse it.

good luck!

regards,

  Geoff




> On 23 May 2024, at 3:46 PM, Joseph Goldman <joseph at goldman.id.au> wrote:
> 
> G'day list,
> 
>  In the process of rolling out RPKI - and while I thought I had a good grasp on everything, there is one niggling piece of information that I've come against and can't verify. Was hoping people can share their experiences.
> 
>  We are only doing our ROAs to begin with and not implementing validation until later. The initial thought was to create an ROA for all our 'supernets' and use maxLength 24 to help cover any prefix we may want to advertise. We are a much simpler setup, single AS only, and we do advertise many of our ranges down to /24 but not all of them. I do know of the best practice of not using maxLength based on a draft RFC doc, but I am personally not super concerned for our relatively small use-case about the issues brought up in that doc.
> 
>  Where I have come into trouble is a source (APNIC helpdesk) indicating that if we have any ROAs that exist for prefixes we are not directly advertising - it may lend some validators to mark all our routes as invalid?
> 
> i.e. say we had a /22 ROA, 2x /23 ROAs and 4x /24 ROAs, and are currently advertising the /22 and 2x /24s, so 2x /23 and 2x /24 ROAs are 'unused' in that we are not advertising those specific resources - would that cause issues with strict validators out in the wild?
> 
>  My understanding reading through the RFCs is this should not be the case. If any ROA that matches the prefix for the origin AS exists it should be valid, regardless of other ROAs signed by the same resource holder etc.
> 
>  Matching ROAs to exact advertisements is great, but it seems to lend itself to much less flexibility in traffic engineering and failover scenarios - a good scenario is having dormant /24 ROAs for, say, a DDoS mitigation service to use when needed, so you don't have to wait for RPKI propagation before scrubbing kicks in.
> 
>  Based on your experience, is having all-encompassing (using maxLength), or unused ROAs an acceptable way to use RPKI or will we run into issues?
> 
> All help appreciated :)
> 
> Thanks,
> Joe
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> https://lists.ausnog.net/mailman/listinfo/ausnog
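The validation behaviour both messages turn on (whether ROAs for prefixes you never announce can hurt the routes you do announce, and what a /22 ROA with maxLength 24 does for more-specifics) can be checked mechanically, because Route Origin Validation as specified in RFC 6811 is a short algorithm: a route is NotFound if no ROA covers its prefix, Valid if at least one covering ROA names its origin AS and has a maxLength at least as long as the announced prefix, and Invalid otherwise. The script below is an added example written for this page, not code from the thread or from any real RPKI validator (Routinator, rpki-client, etc.), and all ROAs, prefixes (10.10.0.0/22) and AS numbers (the documentation ASNs 64496 and 64497) in it are constructed to mirror the scenario in the question.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set."""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Dict, Iterable, List, Optional, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """One validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: Network
    max_length: int
    origin_as: int


def roa(prefix: str, origin_as: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA. With no explicit maxLength the prefix length is the maximum,
    i.e. only the exact prefix is authorised (the RFC 9319 recommendation)."""
    net = ip_network(prefix, strict=True)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"bad maxLength {max_length} for {net}")
    return ROA(net, max_length, origin_as)


def covering_roas(roas: Iterable[ROA], route: Network) -> List[ROA]:
    """ROAs whose prefix contains the route (same address family only)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: Iterable[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 section 2: NotFound if nothing covers the route, Valid if some
    covering ROA has this origin AS and a maxLength that admits this prefix
    length, otherwise Invalid. Unrelated ROAs never change the outcome."""
    route = ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin_as and route.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


def validate_table(roas: Iterable[ROA],
                   announcements: Iterable[Tuple[str, int]]) -> Dict[Tuple[str, int], str]:
    """Validation state for every (prefix, origin AS) pair."""
    roas = list(roas)
    return {(p, a): validate(roas, p, a) for p, a in announcements}


# Constructed ROA set mirroring the thread: a /22, two /23s and four /24s, all
# exact-length ROAs for the same holder AS, most of them never announced.
HOLDER_AS = 64496   # documentation ASN, stands in for the operator's AS
OTHER_AS = 64497    # documentation ASN, stands in for some other network
EXACT_ROAS = [
    roa("10.10.0.0/22", HOLDER_AS),
    roa("10.10.0.0/23", HOLDER_AS), roa("10.10.2.0/23", HOLDER_AS),
    roa("10.10.0.0/24", HOLDER_AS), roa("10.10.1.0/24", HOLDER_AS),
    roa("10.10.2.0/24", HOLDER_AS), roa("10.10.3.0/24", HOLDER_AS),
]
# Constructed alternative from the question: one /22 ROA with maxLength 24.
MAXLEN_ROAS = [roa("10.10.0.0/22", HOLDER_AS, max_length=24)]
# Constructed minimal set: a ROA only for the /22 that is actually announced.
MINIMAL_ROAS = [roa("10.10.0.0/22", HOLDER_AS)]

# Constructed announcements: the /22 and two /24s are what the operator really
# originates; the rest probe the outcomes a validator would produce.
ANNOUNCEMENTS = [
    ("10.10.0.0/22", HOLDER_AS),
    ("10.10.0.0/24", HOLDER_AS),
    ("10.10.3.0/24", HOLDER_AS),
    ("10.10.1.0/25", HOLDER_AS),   # longer than any ROA's maxLength allows
    ("10.10.2.0/24", OTHER_AS),    # covered prefix, unauthorised origin
    ("10.20.0.0/24", HOLDER_AS),   # no covering ROA at all
]

if __name__ == "__main__":
    for name, roas in (("exact ROAs", EXACT_ROAS), ("/22 maxLength 24", MAXLEN_ROAS)):
        print(f"== {name}")
        for (p, a), state in validate_table(roas, ANNOUNCEMENTS).items():
            print(f"  {p:16} AS{a}: {state}")
```

Running it shows the answer given in the reply: the four unused ROAs in EXACT_ROAS play no part in validating the /22 and the two /24s that are announced, and a conforming validator has no notion of "ROA exists but route is absent". The /25 is Invalid under every set because no ROA's maxLength reaches 25, and 10.20.0.0/24 is NotFound rather than Invalid. The reply's maxLength caveat is also visible: with MINIMAL_ROAS a /24 announced under the holder's own AS is Invalid, while under MAXLEN_ROAS the same /24 is Valid, so any announcement of one of those /24s that carries the holder's AS as origin passes origin validation whether or not the holder made it.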