Thank you again to all for the advice :)
------ Original Message ------
From: "Joseph Goldman" <jos...@goldman.id.au>
To: "ausnog@lists.ausnog.net" <ausnog@lists.ausnog.net>
Sent: 23/05/2024 4:50:44 PM
Subject: Re: [AusNOG] Experiences with RPKI
Thank you to everyone who reached out on and off list!
I have curbed the fears of what APNIC Helpdesk told me and am confident
to continue with my original assumptions :)
------ Original Message ------
From: "Joseph Goldman" <jos...@goldman.id.au>
To: "ausnog@lists.ausnog.net" <ausnog@lists.ausnog.net>
Sent: 23/05/2024 3:46:53 PM
Subject: [AusNOG] Experiences with RPKI
G'day list,
In the process of rolling out RPKI - and while I thought I had a good
grasp on everything, there is one niggling piece of information that
I've come against and can't verify. Was hoping people can share their
experiences.
We are only doing our ROAs to begin with and not implementing
validation until later, the initial thought was to create an ROA for
all our 'supernets' and use maxLength to 24 to help cover any prefix
we may want to advertise. We are a much simpler setup, single AS only
and we do advertise many of our ranges down to /24 but not all of
them. I do know of the best practices of not using maxLength based on
a draft rfc doc, but I am personally not super concerned, for our
relatively small use-case, about the issues brought up in that doc.
Where I have come into trouble is a source (APNIC helpdesk)
indicating that if we have any ROAs that exist for prefixes we are not
directly advertising - it may lend some validators to mark all our
routes as invalid?
i.e. say we had a /22 ROA, 2x /23 ROAs and 4x /24 ROAs - we are currently
advertising the /22 and 2x /24s, so 2x /23 and 2x /24 ROAs are
'unused' in that we are not advertising those specific resources -
would that cause issues with strict validators out in the wild?
My understanding reading through the RFCs is this should not be the
case. If any ROA that matches the prefix for the origin AS exists it
should be valid, regardless of other ROAs signed by the same resource
holder etc.
Matching ROAs to exact advertisements is great, but it seems to lend
itself to much less flexibility in traffic engineering and failover
scenarios - a good scenario is having dormant /24 ROAs for say a DDoS
mitigation service to use when needed, so you don't have to wait for
RPKI propagation before scrubbing kicks in.
Based on your experience, is having all-encompassing (using
maxLength), or unused ROAs an acceptable way to use RPKI or will we
run into issues?
All help appreciated :)
Thanks,
Joe
_______________________________________________
AusNOG mailing list
AusNOG@lists.ausnog.net
https://lists.ausnog.net/mailman/listinfo/ausnog
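As an added illustration that is not part of the thread, the following Python walks the RFC 6811 origin-validation procedure over a constructed ROA set mirroring Joe's /22, 2x /23 and 4x /24 example; the holder AS64496, the 10.10.0.0/22 block and the announcement list are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str      # the ROA's IP prefix
    max_length: int  # maxLength attribute (equals prefix length when not set)
    asn: int         # authorised origin AS

def validate(prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation for one announcement: Valid/Invalid/NotFound."""
    announced = ipaddress.ip_network(prefix)
    # A ROA "covers" the route when its prefix contains the announced prefix.
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == announced.version
                and announced.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "NotFound"
    # One covering ROA with the right ASN and an acceptable length is enough;
    # other ROAs signed by the same holder are simply not consulted.
    for roa in covering:
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"

def validate_all(announcements, roas) -> dict:
    return {(p, a): validate(p, a, roas) for p, a in announcements}

def unused_roas(announcements, roas):
    """ROAs whose prefix is not announced exactly (the thread's 'dormant' ROAs)."""
    announced = {p for p, _ in announcements}
    return [r for r in roas if r.prefix not in announced]

# Constructed data: holder AS64496 (documentation ASN) owns 10.10.0.0/22
# (private space, illustration only) and signed per-prefix ROAs as in the thread.
HOLDER = 64496
EXACT_ROAS = [ROA("10.10.0.0/22", 22, HOLDER),
              ROA("10.10.0.0/23", 23, HOLDER), ROA("10.10.2.0/23", 23, HOLDER),
              ROA("10.10.0.0/24", 24, HOLDER), ROA("10.10.1.0/24", 24, HOLDER),
              ROA("10.10.2.0/24", 24, HOLDER), ROA("10.10.3.0/24", 24, HOLDER)]
# The alternative from the thread: one ROA on the supernet with maxLength 24.
MAXLEN_ROAS = [ROA("10.10.0.0/22", 24, HOLDER)]
# What is actually announced: the /22 and two of the /24s.
ANNOUNCED = [("10.10.0.0/22", HOLDER), ("10.10.0.0/24", HOLDER), ("10.10.3.0/24", HOLDER)]

if __name__ == "__main__":
    for key, state in validate_all(ANNOUNCED, EXACT_ROAS).items():
        print(key, state)
```

Dropping the four unused ROAs leaves every announcement's validation state unchanged, while a /25 under the maxLength-24 ROA or a /24 from another origin AS comes back Invalid rather than NotFound because covering ROAs exist.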