[arin-tech-discuss] Maximum number of prefixes in a manually signed ROA

Mark Kosters markk at arin.net
Wed Aug 22 21:28:54 EDT 2018


Hi Andrew

Here are some general numbers. It is quite complicated given it has
multiple layers of complexity with our programmable HSM (size of the
digits at each octet/nibble, v4/v6 addresses, inclusion of max length, CMS
wrapping, etc.) that factor into the size of the maximum signing request
that the HSM will allow. We ran some empirical tests like you did to come up
with some numbers.  Here they are; note that they are not dependent on the
size of the digits:

ROA request with 2K v4 prefixes without max length per prefix (just barely
made the cut).
ROA request with 1K v6 prefixes with max length per prefix (had some room
to spare).

Thanks,
Mark


On 8/20/18, 5:36 PM, "Mark Kosters" <markk at arin.net> wrote:

>Hi Andrew
>
>There is a limit and it is based on the interface with our HSM. We are
>trying to figure out numbers and will have an answer for you soon.
>
>Thanks,
>Mark
>
>On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo"
><arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
>
>    Greetings:
>
>    A discussion has come up in the R&E community about the maximum number
>    of prefixes one can include in a ROA request in the hosted environment.
>    Using the feature of pasting in a manually signed ROA, I've been able to
>    request about 4k prefixes in a single ROA.  Seeing that work, I got
>    greedy and requested 65k.  That didn't work.  (This was all done in the
>    OT&E.)
>
>    Is there a limit to the number of prefixes that can be included in a ROA
>    request?  I can't find anything in an RFC that specifies a max number;
>    if that's the case, is there a practical number?
>
>
>    Here's the background of the query:
>
>    Let's say you have a large summary prefix, say a /16.  You've subscribed
>    to a DDoS scrubbing service that can, on demand, originate any arbitrary
>    /24 of your space under a different ASN.  You would need to create a ROA
>    that covers the /24s for the DDoS mitigation ASN.  In this case, that's
>    256 prefixes, so that's manageable.  How about individual /64s out of a
>    /44, or much worse, a /32?
>
>    I imagine this was exactly the concept behind the max length field that
>    is now considered harmful.
>
>    It's an interesting discussion for the operational community, but the
>    immediate question is, what is the capacity of ARIN's hosted service?
>
>
>    Thank you.
>

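The thread talks about ROA size in terms of prefix counts, but what the HSM actually sees is the DER-encoded RouteOriginAttestation (RFC 6482, with the RFC 3779 address encoding) wrapped in CMS. The following is an added example, not code from the thread or from ARIN: a minimal, dependency-free DER encoder for the ROA eContent that lets you measure how large "list every /24 of a /16" is compared with a single /16 entry carrying maxLength 24, and extrapolate to the /64-out-of-a-/44 case. The AS number 64496, the 10.0.0.0/16 summary and the helper names (`encode_roa`, `expand`, `roa_ip_address`) are my own constructed inputs. It encodes only the eContent; the CMS SignedData wrapper and EE certificate that a real signing request also carries are not modelled, so the real request is larger than the byte counts below.

```python
"""Size of a ROA eContent (RFC 6482 RouteOriginAttestation) as a function of
how many prefixes it carries.  Hand-rolled DER, standard library only.
Added example: models only the eContent, not the CMS wrapper or EE cert."""
import ipaddress


# --- minimal DER primitives --------------------------------------------------
def der_len(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    """Non-negative INTEGER; a leading 0x00 keeps a set high bit from reading as a sign."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)


# --- RFC 3779 / RFC 6482 structures -----------------------------------------
def der_ip_prefix(net):
    """IPAddress ::= BIT STRING holding exactly prefixlen bits (RFC 3779).
    First content octet is the count of unused bits in the final octet."""
    nbytes = (net.prefixlen + 7) // 8
    unused = nbytes * 8 - net.prefixlen
    return der_tlv(0x03, bytes([unused]) + net.network_address.packed[:nbytes])


def roa_ip_address(prefix, max_length=None):
    """ROAIPAddress ::= SEQUENCE { address IPAddress, maxLength INTEGER OPTIONAL }"""
    net = ipaddress.ip_network(prefix)
    body = der_ip_prefix(net)
    if max_length is not None:
        body += der_int(max_length)
    return der_tlv(0x30, body)


def encode_roa(as_id, entries):
    """RouteOriginAttestation for AS as_id.  entries: list of
    (prefix_string, max_length_or_None).  version [0] INTEGER DEFAULT 0 is
    omitted because DER forbids encoding a default value."""
    families = {}
    for prefix, max_length in entries:
        net = ipaddress.ip_network(prefix)
        families.setdefault(net.version, []).append(roa_ip_address(prefix, max_length))
    blocks = b""
    for version in sorted(families):
        afi = b"\x00\x01" if version == 4 else b"\x00\x02"  # IANA AFI: IPv4=1, IPv6=2
        addresses = der_tlv(0x30, b"".join(families[version]))  # SEQUENCE OF ROAIPAddress
        blocks += der_tlv(0x30, der_tlv(0x04, afi) + addresses)  # ROAIPAddressFamily
    return der_tlv(0x30, der_int(as_id) + der_tlv(0x30, blocks))


def expand(summary, new_prefix):
    """Every new_prefix-long subnet of summary, each listed without maxLength:
    the 'enumerate all the /24s' approach from the thread."""
    return [(str(sub), None)
            for sub in ipaddress.ip_network(summary).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    # Constructed inputs: AS 64496 (a documentation ASN) and 10.0.0.0/16 stand
    # in for the scrubbing provider's ASN and the customer's summary prefix.
    listed = encode_roa(64496, expand("10.0.0.0/16", 24))
    single = encode_roa(64496, [("10.0.0.0/16", 24)])
    print("256 explicit /24s, no maxLength :", len(listed), "bytes")
    print("one /16 with maxLength 24       :", len(single), "bytes")
    per_v6 = len(roa_ip_address("2001:db8::/64"))
    print("one /64 entry:", per_v6, "bytes; every /64 of a /44 would be",
          2 ** (64 - 44) * per_v6, "bytes of eContent")
```

Each explicit /24 costs 8 bytes of eContent and each /64 costs 13, so the 2K-prefix ceiling Mark quotes is on the order of 16 KB of v4 prefix data before CMS wrapping, while enumerating all 2^20 /64s of a /44 would need over 13 MB, which no signing interface will accept. The single-entry form with maxLength is a few dozen bytes, which is exactly the trade-off the thread points at: compact, but it authorises any more-specific up to that length, which is why RFC 9319 recommends against it for prefixes that are not actually announced.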