[AusNOG] Experiences with RPKI
Joseph Goldman
joseph at goldman.id.au
Thu May 23 16:50:44 AEST 2024
Thank you to everyone who reached out on and off list!
I have curbed the fears of what APNIC Helpdesk told me and am confident
to continue with my original assumptions :)
------ Original Message ------
From: "Joseph Goldman" <joseph at goldman.id.au>
To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
Sent: 23/05/2024 3:46:53 PM
Subject: [AusNOG] Experiences with RPKI
> G'day list,
>
> In the process of rolling out RPKI - and while I thought I had a good
> grasp on everything, there is one niggling piece of information that
> I've come against and can't verify. Was hoping people can share their
> experiences.
>
> We are only doing our ROAs to begin with and not implementing
> validation until later, the initial thought was to create an ROA for
> all our 'supernets' and use maxLength to 24 to help cover any prefix we
> may want to advertise. We are a much simpler setup, single AS only and
> we do advertise many of our ranges down to /24 but not all of them. I
> do know of the best practices of not using maxLength based on a draft
> RFC doc, but I am personally not super concerned for our relatively
> small use-case to the issues brought up in that doc.
>
> Where I have come into trouble is a source (APNIC helpdesk) indicating
> that if we have any ROAs that exist for prefixes we are not directly
> advertising - it may lend some validators to mark all our routes as
> invalid?
>
> i.e. say we had /22 ROA, 2x /23 ROAs and 4x /24 ROAs - are currently
> advertising the /22 and 2x /24s, so 2x /23s and 2x /24 ROAs are
> 'unused' in that we are not advertising those specific resources -
> would that cause issues with strict validators out in the wild?
>
> My understanding reading through the RFCs is this should not be the
> case. If any ROA that matches the prefix for the origin AS exists it
> should be valid, regardless of other ROAs signed by the same resource
> holder etc.
>
> Matching ROAs to exact advertisements is great, but it seems to lend
> itself to much less flexibility in traffic engineering and failover
> scenarios - a good scenario is having dormant /24 ROAs for say a DDoS
> mitigation service to use when needed, so you don't have to wait for
> RPKI propagation before scrubbing kicks in.
>
> Based on your experience, is having all-encompassing (using
> maxLength), or unused ROAs an acceptable way to use RPKI or will we run
> into issues?
>
> All help appreciated :)
>
> Thanks,
> Joe
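The quoted message hinges on what a validator actually does with a route: under RFC 6811 only the ROAs that cover the announced prefix take part, and one matching ROA (same origin AS, prefix length within maxLength) makes the route Valid no matter how many other ROAs the holder has signed. The script below is an added illustration, not code from the thread or from any validator project; it implements the RFC 6811 state machine over a constructed ROA set that mirrors the post (one /22, two /23s, four /24s from the home AS, plus a dormant /24 for a hypothetical scrubbing provider) and also checks the single supernet-plus-maxLength alternative. The prefixes (10.10.0.0/22), ASNs (AS64496, AS64497) and the scrubber arrangement are assumptions made up for the example.

```python
# Added example: RFC 6811 route origin validation (ROV) over a constructed ROA set.
# Not part of the AusNOG thread; prefixes, ASNs and ROAs below are made up.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str      # signed prefix, e.g. "10.10.0.0/22"
    max_length: int  # maxLength attribute; defaults to the prefix length if omitted
    asn: int         # authorised origin AS


# Constructed ROA set mirroring the post: one /22, two /23s and four /24s for
# the home AS (AS64496, a documentation ASN), plus one "dormant" /24 for a
# hypothetical scrubbing provider (AS64497) that is not normally announced.
HOME_AS = 64496
SCRUBBER_AS = 64497
ROAS = [
    ROA("10.10.0.0/22", 22, HOME_AS),
    ROA("10.10.0.0/23", 23, HOME_AS),
    ROA("10.10.2.0/23", 23, HOME_AS),
    ROA("10.10.0.0/24", 24, HOME_AS),
    ROA("10.10.1.0/24", 24, HOME_AS),
    ROA("10.10.2.0/24", 24, HOME_AS),
    ROA("10.10.3.0/24", 24, HOME_AS),
    ROA("10.10.3.0/24", 24, SCRUBBER_AS),
]

# The alternative the post considered: a single supernet ROA with maxLength 24.
SUPERNET_ROAS = [ROA("10.10.0.0/22", 24, HOME_AS)]


def validate(route_prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Return the RFC 6811 validation state of a (prefix, origin AS) pair.

    Valid    - at least one covering ROA has the same origin AS and a
               maxLength >= the route's prefix length.
    Invalid  - covering ROAs exist but none matches (wrong AS or too specific).
    NotFound - no ROA covers the prefix at all.
    Only ROAs that cover the route take part; every other ROA the holder has
    signed, used or unused, is simply ignored.
    """
    route = ip_network(route_prefix, strict=False)
    covering = []
    for roa in roas:
        signed = ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed address families, so check the version first
        if signed.version == route.version and route.subnet_of(signed):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def run_scenario(roas=ROAS) -> dict:
    """Validate the announcements discussed in the post against a ROA set."""
    announcements = [
        ("10.10.0.0/22", HOME_AS),      # the supernet
        ("10.10.0.0/24", HOME_AS),      # one of the /24s actually announced
        ("10.10.3.0/24", HOME_AS),      # another announced /24
        ("10.10.3.0/24", SCRUBBER_AS),  # the same /24 when handed to the scrubber
        ("10.10.0.0/25", HOME_AS),      # more specific than any maxLength allows
        ("10.10.1.0/24", SCRUBBER_AS),  # scrubber announcing a /24 it has no ROA for
        ("192.0.2.0/24", HOME_AS),      # prefix with no ROA at all
    ]
    return {f"{p} AS{a}": validate(p, a, roas) for p, a in announcements}


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(f"{name:26} {state}")
    print("--- single /22 ROA with maxLength 24 ---")
    for name, state in run_scenario(SUPERNET_ROAS).items():
        print(f"{name:26} {state}")
```

Running it shows the point Joe reached from the RFCs: the /22 and the two announced /24s are Valid even though the /23 ROAs and two of the /24 ROAs are never used, and the dormant scrubber ROA lets 10.10.3.0/24 validate from AS64497 without affecting anything announced from the home AS. The supernet-with-maxLength variant validates the same home-AS announcements, but it also validates any /24 in the block that carries the home origin AS, which is the extra exposure the maxLength draft mentioned in the post is concerned with; a /25 is Invalid under either ROA set because it exceeds every maxLength.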