[NLNOG] deploying RPKI based Origin Validation

Weber, Markus Markus.Weber at kpn.de
Fri Jul 13 07:03:47 CEST 2018


Job wrote:
> Yes, it seems that adding a separate extra ROA just for the /24 is
> better than using "MaxLength=24".

> Wall of text on what that is :-) 
> https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen

In a world doing RV I agree with the above statement.

In a world where most transit networks do not drop invalids, I think
that by doing so the risk of suffering more heavily from even a "simple
prefix hijack" (on purpose or not) and not being able to react quickly
might be higher, as your "get at least something back /24 announcement"
eventually doesn't get far if your transit does RV (and esp. not to
the networks doing RV - the networks "stating" to have a cleaner
table - which might still be true, but useless if there's a more
specific between source and destination).

Has anyone ever done measurements on the time from publishing ROAs
until these show up on their routers and what reasonable timers might
be?

So please "push" transit networks (the larger the better) and IXes
to reject invalids with all the consequences (and don't
blame them for the missing prefixes). Then not using MaxLength=24
as a default makes perfect sense (except for some of the cases the
draft mentions).

For the time being I think every network should carefully think
about what fits them best (service, customer, connectivity,...)
until RV is more widely deployed (in larger transit networks, on IXes
as always on, ...).
It might be perfect for you to follow the draft if you host Dutch
content for EU-Dutch eyeballs, doing 95% of your traffic via RV
forced-enabled IXes or in-country transit networks doing RV. It
might come with additional challenges if there are some "questionable"
networks not doing RV between you and your customers, or
the IX is not doing RV for e.g. the party most of your traffic goes to/
comes from. Or when your upstream is the only one doing RV.


Cheers,
Markus

-- 
FvD, Markus Weber, AS286
KPN EuroRings Germany B.V. Rüsselsheimerstr. 22, DE-60326 Frankfurt
Amtsgericht Frankfurt HR99781, GF Jesus Martinez & Hugo van den Akker
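
Added example, not part of the original message: a small RFC 6811 origin-validation check that compares the three ROA layouts discussed in this thread (one ROA with MaxLength=24, one minimal ROA, and a minimal ROA plus a separate ROA for the /24). The prefixes, ASNs and names below are constructed for illustration.

```python
import ipaddress

def validate(prefix, origin_asn, roas):
    """RFC 6811 origin validation. roas: (roa_prefix, max_length, asn) tuples.
    Returns 'valid', 'invalid' or 'notfound'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        # An AS0 ROA never matches; otherwise origin and length must both fit.
        if asn != 0 and asn == origin_asn and route.prefixlen <= max_length:
            return "valid"
    return "invalid" if covered else "notfound"

# Constructed sample data: private address space, documentation ASNs.
HOLDER, OTHER = 64500, 64501
ROA_SETS = {
    "maxlen24":  [("10.10.0.0/22", 24, HOLDER)],
    "minimal":   [("10.10.0.0/22", 22, HOLDER)],
    "extra_roa": [("10.10.0.0/22", 22, HOLDER), ("10.10.1.0/24", 24, HOLDER)],
}
ROUTES = {
    "holder /22":         ("10.10.0.0/22", HOLDER),
    "holder planned /24": ("10.10.1.0/24", HOLDER),  # the "get something back" /24
    "unplanned /24":      ("10.10.2.0/24", HOLDER),  # never meant to be announced
    "other-origin /22":   ("10.10.0.0/22", OTHER),
    "uncovered prefix":   ("10.20.0.0/22", HOLDER),
}

def compare():
    """Validation state of every sample route under every ROA layout."""
    return {name: {label: validate(p, asn, roas)
                   for label, (p, asn) in ROUTES.items()}
            for name, roas in ROA_SETS.items()}

if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for label, state in results.items():
            print(f"  {label:20} {state}")
```

With the minimal ROA alone, the holder's own /24 is Invalid and is dropped by any network doing RV; the separate /24 ROA authorizes that one /24 without authorizing every other /24 in the /22.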

