[AusNOG] Experiences with RPKI
Joseph Goldman
joseph at goldman.id.au
Sat May 25 11:55:36 AEST 2024
Thank you again to all for the advice :)
------ Original Message ------
From: "Joseph Goldman" <joseph at goldman.id.au>
To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
Sent: 23/05/2024 4:50:44 PM
Subject: Re: [AusNOG] Experiences with RPKI
>Thank you to everyone who reached out on and off list!
>
>I have curbed the fears of what APNIC Helpdesk told me and am confident
>to continue with my original assumptions :)
>
>
>------ Original Message ------
>From: "Joseph Goldman" <joseph at goldman.id.au>
>To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
>Sent: 23/05/2024 3:46:53 PM
>Subject: [AusNOG] Experiences with RPKI
>
>>G'day list,
>>
>> In the process of rolling out RPKI - and while I thought I had a good
>>grasp on everything, there is one niggling piece of information that
>>I've come against and can't verify. Was hoping people can share their
>>experiences.
>>
>> We are only doing our ROAs to begin with and not implementing
>>validation until later, the initial thought was to create an ROA for
>>all our 'supernets' and use maxLength to 24 to help cover any prefix
>>we may want to advertise. We are a much simpler setup, single AS only
>>and we do advertise many of our ranges down to /24 but not all of
>>them. I do know of the best practices of not using maxLength based on
>>a draft RFC doc, but I am personally not super concerned for our
>>relatively small use case to the issues brought up in that doc.
>>
>> Where I have come into trouble is a source (APNIC helpdesk)
>>indicating that if we have any ROAs that exist for prefixes we are not
>>directly advertising - it may lend some validators to mark all our
>>routes as invalid?
>>
>>i.e. say we had a /22 ROA, 2x /23 ROAs and 4x /24 ROAs - we are currently
>>advertising the /22 and 2x /24s, so 2x /23 and 2x /24 ROAs are
>>'unused' in that we are not advertising those specific resources -
>>would that cause issues with strict validators out in the wild?
>>
>> My understanding reading through the RFCs is this should not be the
>>case. If any ROA that matches the prefix for the origin AS exists it
>>should be valid, regardless of other ROAs signed by the same resource
>>holder etc.
>>
>> Matching ROAs to exact advertisements is great, but it seems to lend
>>itself to much less flexibility in traffic engineering and failover
>>scenarios - a good scenario is having dormant /24 ROAs for say a DDoS
>>mitigation service to use when needed, so you don't have to wait for
>>RPKI propagation before scrubbing kicks in.
>>
>> Based on your experience, is having all-encompassing (using
>>maxLength), or unused ROAs an acceptable way to use RPKI or will we
>>run into issues?
>>
>>All help appreciated :)
>>
>>Thanks,
>>Joe
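The question in the thread is exactly what the RFC 6811 origin validation procedure answers: a route is Valid if at least one covering ROA matches both its origin AS and its length (up to maxLength), Invalid if covering ROAs exist but none match, and NotFound if nothing covers it. The example below is an added illustration, not code from the list thread or from any RPKI validator; it implements that procedure over a constructed ROA set mirroring Joe's scenario (a /22, two /23s and four /24s, all for a single AS). The prefixes 198.51.100.0/22 and 203.0.113.0/24 and the AS numbers 64500/64501 are constructed documentation values, not anyone's real resources.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: prefix, authorized origin AS, maxLength."""
    prefix: str
    origin_as: int
    max_length: Optional[int] = None   # None: only the exact prefix length is authorized

    def network(self):
        return ipaddress.ip_network(self.prefix)

    def effective_max_length(self) -> int:
        return self.max_length if self.max_length is not None else self.network().prefixlen


def covers(roa: ROA, route: str) -> bool:
    """A ROA 'covers' a route when the route prefix lies within the ROA prefix
    (same address family, any length). Covering alone does not make the route Valid."""
    roa_net, route_net = roa.network(), ipaddress.ip_network(route)
    return roa_net.version == route_net.version and route_net.subnet_of(roa_net)


def validate(route: str, origin_as: int, roas) -> str:
    """RFC 6811 route origin validation.

    Returns 'Valid', 'Invalid' or 'NotFound'. Only covering ROAs are consulted;
    ROAs for prefixes that are never announced have no effect on other routes
    except to make them 'covered' (and so Invalid if announced from the wrong AS
    or with a length beyond every matching ROA's maxLength)."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "NotFound"
    route_len = ipaddress.ip_network(route).prefixlen
    for roa in covering:
        # AS0 ROAs (RFC 7607) authorize nothing; a real route never originates from AS 0.
        if roa.origin_as == origin_as and roa.origin_as != 0 and route_len <= roa.effective_max_length():
            return "Valid"
    return "Invalid"


# Constructed ROA set for the scenario in the thread: one AS (64500) with ROAs for
# the /22 supernet, both /23s and all four /24s, none of them using maxLength.
HOLDER_AS = 64500
ROAS_EXACT = [
    ROA("198.51.100.0/22", HOLDER_AS),
    ROA("198.51.100.0/23", HOLDER_AS),
    ROA("198.51.102.0/23", HOLDER_AS),
    ROA("198.51.100.0/24", HOLDER_AS),
    ROA("198.51.101.0/24", HOLDER_AS),
    ROA("198.51.102.0/24", HOLDER_AS),
    ROA("198.51.103.0/24", HOLDER_AS),
]

# The alternative from the thread: a single supernet ROA with maxLength 24.
ROAS_MAXLEN = [ROA("198.51.100.0/22", HOLDER_AS, max_length=24)]


def scenario_results(roas):
    """Validation state of a set of constructed announcements against a ROA set."""
    announcements = [
        ("198.51.100.0/22", HOLDER_AS),   # advertised supernet
        ("198.51.100.0/24", HOLDER_AS),   # one of the two advertised /24s
        ("198.51.103.0/24", HOLDER_AS),   # the other advertised /24
        ("198.51.101.0/24", 64501),       # covered prefix from a different origin AS
        ("198.51.100.0/25", HOLDER_AS),   # longer than any ROA / maxLength permits
        ("203.0.113.0/24", HOLDER_AS),    # nothing in the ROA set covers it
    ]
    return {f"{p} AS{asn}": validate(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    for name, roas in (("exact ROAs", ROAS_EXACT), ("maxLength ROA", ROAS_MAXLEN)):
        print(f"--- {name} ---")
        for route, state in scenario_results(roas).items():
            print(f"{route:28} {state}")
```

Running it shows the same outcomes for both ROA styles on the announced routes: the /22 and the two announced /24s are Valid, the unannounced /23 and /24 ROAs change nothing for them, the /24 originated from AS64501 is Invalid (which is the protection RPKI is for), the /25 is Invalid because no ROA authorizes that length, and the unrelated /24 is NotFound. The one behavioural difference between the two styles is the known maxLength trade-off the thread alludes to: under the maxLength ROA every /23 and /24 inside the /22 is authorized for AS64500 whether or not it is ever announced, whereas exact ROAs authorize only the listed prefixes.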