[arin-tech-discuss] Maximum number of prefixes in a manually signed ROA
Andrew Gallo
akg1330 at gmail.com
Thu Aug 23 08:11:08 EDT 2018
This is helpful.
Thank you.
On 8/22/2018 9:28 PM, Mark Kosters wrote:
> Hi Andrew
>
> Here are some general numbers. It is quite complicated, given that there
> are multiple layers of complexity with our programmable HSM (size of the
> digits at each octet/nibble, v4/v6 addresses, inclusion of max length, CMS
> wrapping, etc.) that factor into the size of the maximum signing request
> that the HSM will allow. We ran some empirical tests, like you did, to come
> up with some numbers. Here they are; note that they are not dependent on
> the size of the digits:
>
> ROA request with 2K v4 prefixes without max length per prefix (just barely
> made the cut).
> ROA request with 1K v6 prefixes with max length per prefix (had some room
> to spare).
>
> Thanks,
> Mark
>
>
> On 8/20/18, 5:36 PM, "Mark Kosters" <markk at arin.net> wrote:
>
>> Hi Andrew
>>
>> There is a limit and it is based on the interface with our HSM. We are
>> trying to figure out the numbers and will have an answer for you soon.
>>
>> Thanks,
>> Mark
>>
>> On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo"
>> <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
>>
>> Greetings:
>>
>> A discussion has come up in the R&E community about the maximum number
>> of prefixes one can include in a ROA request in the hosted environment.
>> Using the feature of pasting in a manually signed ROA, I've been able to
>> request about 4k prefixes in a single ROA. Seeing that work, I got
>> greedy and requested 65k. That didn't work. (This was all done in the
>> OT&E.)
>>
>> Is there a limit to the number of prefixes that can be included in a
>> ROA request? I can't find anything in an RFC that specifies a maximum
>> number; if that's the case, is there a practical number?
>>
>>
>> Here's the background of the query:
>>
>> Let's say you have a large summary prefix, say a /16. You've subscribed
>> to a DDoS scrubbing service that can, on demand, originate any arbitrary
>> /24 of your space under a different ASN. You would need to create a ROA
>> that covers the /24s for the DDoS mitigation ASN. In this case, that's
>> 256 prefixes, so that's manageable. How about individual /64s out of a
>> /44, or, much worse, a /32?
>>
>> I imagine this was exactly the concept behind the max length field that
>> is now considered harmful.
>>
>> It's an interesting discussion for the operational community, but the
>> immediate question is, what is the capacity of ARIN's hosted service?
>>
>>
>> Thank you.
>> _______________________________________________
>> arin-tech-discuss mailing list
>> arin-tech-discuss at arin.net
>> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
>>
>>
>
>
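To make the size factors Mark lists (v4 vs. v6, inclusion of max length, CMS wrapping) concrete, here is an added example that is not code from ARIN or from anyone in this thread. It DER-encodes the RouteOriginAttestation eContent defined in RFC 6482 by hand and measures how the encoding grows per prefix. The AS number (64496, from the documentation range) and all prefixes are constructed inputs. It encodes only the eContent: the RFC 6488 CMS SignedData wrapper (signer certificate, signed attributes, signature) sits on top of this as an overhead that does not scale with the prefix count. It also goes slightly beyond the thread by generating the "every /24 of a /16" list from Andrew's scrubbing-service scenario so its size can be measured directly.

```python
"""Size of an RFC 6482 RouteOriginAttestation (ROA eContent) as a function
of prefix count, address family and maxLength.  Hand-rolled DER, standard
library only.  Added example; not ARIN's code."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# ("192.0.2.0/24", 24) carries a maxLength; ("192.0.2.0/24", None) omits it.
Prefix = Tuple[str, Optional[int]]


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER
    (a leading 0x00 is added automatically when the top bit is set)."""
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def der_prefix_bitstring(net) -> bytes:
    """RFC 3779 IPAddress: a BIT STRING holding exactly prefixlen bits.
    The first content octet is the count of unused trailing bits, so a
    /24 costs 4 content octets, a /64 costs 9."""
    plen = net.prefixlen
    nbytes = (plen + 7) // 8
    unused = (8 - plen % 8) % 8
    return der_tlv(0x03, bytes([unused]) + net.network_address.packed[:nbytes])


def encode_roa_ipaddress(net, max_length: Optional[int]) -> bytes:
    """ROAIPAddress ::= SEQUENCE { address IPAddress, maxLength INTEGER OPTIONAL }"""
    body = der_prefix_bitstring(net)
    if max_length is not None:
        if not net.prefixlen <= max_length <= net.max_prefixlen:
            raise ValueError(f"maxLength {max_length} out of range for {net}")
        body += der_integer(max_length)
    return der_tlv(0x30, body)


def encode_roa(as_id: int, prefixes: Iterable[Prefix]) -> bytes:
    """DER-encode RouteOriginAttestation.  version is DEFAULT 0 and is
    therefore omitted under DER; prefixes are grouped per address family
    (AFI 0001 = IPv4, 0002 = IPv6)."""
    families: dict = {4: [], 6: []}
    for text, max_length in prefixes:
        net = ipaddress.ip_network(text, strict=True)
        families[net.version].append(encode_roa_ipaddress(net, max_length))
    blocks = b""
    for version, afi in ((4, b"\x00\x01"), (6, b"\x00\x02")):
        if families[version]:
            addresses = der_tlv(0x30, b"".join(families[version]))
            blocks += der_tlv(0x30, der_tlv(0x04, afi) + addresses)
    return der_tlv(0x30, der_integer(as_id) + der_tlv(0x30, blocks))


def roa_size(as_id: int, prefixes: Iterable[Prefix]) -> int:
    return len(encode_roa(as_id, prefixes))


def subnets_of(summary: str, new_prefix: int, max_length: Optional[int] = None) -> List[Prefix]:
    """Every /new_prefix inside summary, e.g. the 256 /24s of a /16 that a
    scrubbing ASN would need covered."""
    return [(str(n), max_length)
            for n in ipaddress.ip_network(summary).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    AS_ID = 64496  # documentation ASN; constructed input
    cases = {
        "1 x v4 /24, no maxLength": [("192.0.2.0/24", None)],
        "1 x v4 /24, maxLength 24": [("192.0.2.0/24", 24)],
        "256 x v4 /24 of 198.18.0.0/16, no maxLength": subnets_of("198.18.0.0/16", 24),
        "256 x v6 /64 of 2001:db8::/56, maxLength 64": subnets_of("2001:db8::/56", 64, 64),
    }
    for label, prefixes in cases.items():
        print(f"{label:48s} {roa_size(AS_ID, prefixes):6d} bytes of eContent")
```

Running it shows the per-prefix cost of the eContent: 8 bytes for each IPv4 /24 without maxLength, 11 with it, and 16 bytes for each IPv6 /64 with maxLength. That makes 2K IPv4 prefixes without maxLength and 1K IPv6 /64s with maxLength both about 16 KB of eContent, which is consistent with Mark's two empirical limits landing close together, though the actual cut-off is a property of ARIN's HSM interface and not something this script can predict.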