Thanks, Alex. That explains it.

Jacquie
On Fri, Oct 1, 2021 at 7:54 PM Alex Band <a...@nlnetlabs.nl> wrote:

> Hi Jacquie,
>
> A ROA object can contain only one ASN but can have multiple prefixes, so 1 ROA with 5 prefixes will result in 5 VRPs.
>
> The reason why you see differences across RIRs is because of their implementations. In case of the RIPE NCC, you don’t actually create ROAs in a direct one-to-one mapping but you authorise announcements seen in BGP. Based on these authorisations, the system will generate ROA objects in the most efficient way possible with the least amount of objects. This is why you see a large difference between the ROA and VRP count.
>
> With other implementations users are guided more towards creating a single ROA per prefix, so there the ROA/VRP counts tend to match.
>
> Cheers,
>
> Alex
>
> > On 1 Oct 2021, at 09:48, Jacquie Zhang via RPKI <rpki@lists.nlnetlabs.nl> wrote:
> >
> > Hello,
> >
> > My company is working on implementing RPKI with Routinator so I have some questions I'd like to ask. I'm breaking the questions into multiple emails.
> >
> > My first question is, is ROA to VRP 1-to-1 mapping, i.e. there is only one VRP resulted from each ROA?
> >
> > I went through my ASN, AS4804, and compared the ROAs listed in the following public places to the ROAs we signed in APNIC and the VRPs in my Cisco router. They were exactly the same, 364.
> >
> > 1. https://rpki.cloudflare.com/?view=explorer&asn=4804 showed 364
> > 2. http://nong.rand.apnic.net:8080/roas showed 364
> > 3. My lab Cisco router which is connected to a Routinator. It showed 364.
> > 4. MYAPNIC portal, it showed 364.
> >
> > This led me to think that the mapping is 1-to-1. Each ROA after processing by a validator software only generates one VRP.
> >
> > But from the following URL, it clearly shows that it is a 1-to-many mapping.
> >
> > Take RIPE as an example, ROA count was 25,704. VRP count was 138,630, which was 5.39 times of the ROA count. All other RIRs have VRP counts much greater than the ROA counts.
> >
> > https://rpki-validator.ripe.net/ui/metrics
> >
> > Reading the Routinator document at https://routinator.docs.nlnetlabs.nl/en/stable/data-processing.html#roas-and-vrps, it says "If the ROA passes validation, Routinator will produce one or more plain text validated ROA payloads (VRPs) for each ROA, depending on how many IP prefixes are contained within it."
> >
> > Can someone please help explain which one is correct, 1-to-1 or 1-to-many? Maybe different scenarios produce differently? Which scenario will produce multiple VRPs from a single ROA?
> >
> > I'm not talking about VRP to prefix mapping. I understand in the case max len is greater than the prefix len in a VRP, multiple IP prefixes will be covered by this VRP.
> >
> > Thanks,
> > Jacquie from Optus
> >
> > --
> > RPKI mailing list
> > RPKI@lists.nlnetlabs.nl
> > https://lists.nlnetlabs.nl/mailman/listinfo/rpki
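The ROA-to-VRP expansion discussed in this thread, as an added example that is not part of the original messages or Routinator's code: the same set of authorisations is packed once as one ROA per prefix and once as one ROA per origin ASN, then expanded into VRPs. The authorisations are constructed from documentation ASNs and prefixes, and `pack_per_asn` is an assumed, simplified stand-in for "fewest objects" packing, not any RIR's actual algorithm.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class ROA:
    asn: int          # a ROA carries exactly one origin ASN
    prefixes: tuple   # ...and one or more (prefix, maxLength) entries

# Constructed sample authorisations: (origin ASN, prefix, maxLength).
AUTHS = [
    (64496, "192.0.2.0/25", 25),
    (64496, "192.0.2.128/25", 25),
    (64496, "198.51.100.0/24", 24),
    (64496, "203.0.113.0/24", 24),
    (64496, "2001:db8::/32", 48),
    (64497, "2001:db8:ffff::/48", 48),
]

def vrps_from_roas(roas):
    """Expand each ROA into one VRP per prefix entry; return the unique set."""
    vrps = set()
    for roa in roas:
        for prefix, max_len in roa.prefixes:
            net = ip_network(prefix)
            # maxLength must lie between the prefix length and the address width.
            if not net.prefixlen <= max_len <= net.max_prefixlen:
                raise ValueError(f"bad maxLength {max_len} for {prefix}")
            vrps.add((roa.asn, net, max_len))
    return vrps

def pack_per_prefix(auths):
    """One ROA per authorised prefix, so ROA and VRP counts match."""
    return [ROA(asn, ((prefix, max_len),)) for asn, prefix, max_len in auths]

def pack_per_asn(auths):
    """One ROA per origin ASN holding all of its prefixes (simplified packing)."""
    by_asn = {}
    for asn, prefix, max_len in auths:
        by_asn.setdefault(asn, []).append((prefix, max_len))
    return [ROA(asn, tuple(entries)) for asn, entries in by_asn.items()]

def summarise(roas):
    """Return (ROA count, VRP count) for a list of ROAs."""
    return len(roas), len(vrps_from_roas(roas))

if __name__ == "__main__":
    for name, pack in (("per-prefix", pack_per_prefix), ("per-ASN", pack_per_asn)):
        roa_count, vrp_count = summarise(pack(AUTHS))
        print(f"{name:10s} ROAs={roa_count} VRPs={vrp_count}")
```

Both packings yield the same VRP set, which is what a router receives from the validator; only the number of signed objects differs.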