Re: [sidr] ROA management recommendations for users
Randy Bush <randy@psg.com> Fri, 16 September 2011 04:39 UTC
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 562F511E809A for <sidr@ietfa.amsl.com>; Thu, 15 Sep 2011 21:39:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.518
X-Spam-Level:
X-Spam-Status: No, score=-2.518 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Idx8enMmiSe2 for <sidr@ietfa.amsl.com>; Thu, 15 Sep 2011 21:39:43 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id D2FFE11E8086 for <sidr@ietf.org>; Thu, 15 Sep 2011 21:39:43 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1R4QFP-000MQi-KV; Fri, 16 Sep 2011 04:41:55 +0000
Date: Fri, 16 Sep 2011 06:41:53 +0200
Message-ID: <m2obylp08e.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Carlos Martinez-Cagnazzo <carlosm3011@gmail.com>
In-Reply-To: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
References: <CA+z-_EViJv72KMbZNhAodftYBhJWdWXLBFZvD8uGB+Avh-Ae1A@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Cc: sidr@ietf.org
Subject: Re: [sidr] ROA management recommendations for users
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2011 04:39:44 -0000
> I am working on a presentation giving some recommendations for RPKI > early adopters. I want to provide some guidelines on how they should > go about creating their ROAs, and I would love to receive some input > from this list. > > Broadly speaking, and looking at what people have created in the > repositories so far, there seem to be two different views on the > matter: > > - ROAs that mirror BGP announcements and/or block de-aggregation within networks > For example, an organization with as 100 holding 10.1/16 and having > sub-allocated 10.1.128/18 to as 200 creates something like this: > > ROA #1: 10.1.0/17-18, 10.1.192/18-18 origin-as 100 > ROA #2: 10.1.128/18-18 origin-as 200 > > - ROAs that protect all the way to /32 (in IPv4) > > Using the same example as above, they would have: > ROA #1: 10.1/16-32 origin-as 100 > ROA #2: 10.1.128/18-32 origin-as 200 from draft-ietf-sidr-origin-ops-10.txt To aid translation of ROAs into efficient search algorithms in routers, ROAs SHOULD be as precise as possible, i.e. match prefixes as announced in BGP. E.g. software and operators SHOULD avoid use of excessive max length values in ROAs unless operationally necessary. One advantage of minimal ROA length is that the forged origin attack does not work for sub-prefixes that are not covered by overly long max length. E.g. if, instead of 10.0.0.0/16-24, one issues 10.0.0.0/16 and 10.0.42.0/24, a forged origin attack can not succeed against 10.0.66.0/24. They must attack the whole /16, which is more likely to be noticed. Therefore, ROA generation software MUST use the prefix length as the max length if the user does not specify a max length. Operators SHOULD be conservative in use of max length in ROAs. E.g., if a prefix will have only a few sub-prefixes announced, multiple ROAs for the specific announcements SHOULD be used as opposed to one ROA with a long max length. randy
- [sidr] ROA management recommendations for users Carlos Martinez-Cagnazzo
- Re: [sidr] ROA management recommendations for use… Sriram, Kotikalapudi
- Re: [sidr] ROA management recommendations for use… Byron Ellacott
- Re: [sidr] ROA management recommendations for use… Randy Bush