[arin-tech-discuss] Maximum number of prefixes in a manually signed ROA
jayb at braeburn.org
Fri Aug 24 13:45:39 EDT 2018
It's good to know details of ARIN's HSM, so thanks for providing that
information, Mark. But with respect to what motivated the original
"... the max length field [...] is now considered harmful"
That refers to this internet-draft:
The issue related to 3rd-party DDoS scrubbing services that Andrew
mentioned is discussed in the draft. It's also worth noting that
pre-publishing many ROAs for not-normally-announced prefixes in the
way Andrew was asking about creates the same exposure as would be
caused by [mis]using max length.
On 23-Aug-2018, Andrew Gallo writes:
> This is helpful.
> Thank you.
> On 8/22/2018 9:28 PM, Mark Kosters wrote:
> > Hi Andrew
> > Here are some general numbers. It is quite complicated given it has
> > multiple layers of complexity with our programmable HSM (size of the
> > digits at each octet/nibble, v4/v6 addresses, inclusion of max length, cms
> > wrapping, etc) that factor in to the size of a maximum signing request
> > that the HSM will allow. We ran some empirical tests like you to come up
> > with some numbers. Here they are and note that are not dependent on the
> > size of the digits:
> > ROA request with 2K v4 prefixes without max length per prefix (just barely
> > made the cut).
> > ROA request with 1K v6 prefixes with max length per prefix (had some room
> > to spare).
> > Thanks,
> > Mark
> > On 8/20/18, 5:36 PM, "Mark Kosters" <markk at arin.net> wrote:
> >> Hi Andrew
> >> There is a limit and it based on the interface with our HSM. We are
> >> trying to figure out #'s and will have an answer for you soon.
> >> Thanks,
> >> Mark
> >> On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo"
> >> <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
> >> Greetings:
> >> A discussion has come up in the R&E community about the maximum
> >> number
> >> of prefixes one can include in a ROA request in the hosted
> >> environment.
> >> Using the feature of pasting in a manually signed ROA, I've been able
> >> to
> >> request about 4k prefixes in a single ROA. Seeing that work, I got
> >> greedy and request 65k. That didn't work. (this was all done in the
> >> OT&E)
> >> Is there a limit to the number of prefixes that can be included in a
> >> ROA
> >> request? I can't find anything in an RFC that specifies a max
> >> number;
> >> if that's the case, is there a practical number?
> >> Here's the background of the query-
> >> Let's say you have a large summary prefix, say a /16. You've
> >> subscribed
> >> to a DDoS scrubbing service that can, on demand, originate any
> >> arbitrary
> >> /24 of your space under a different ASN. You would need to create a
> >> ROA
> >> that covers the /24s for the DDoS mitigation ASN. In this case,
> >> that's
> >> 256 prefixes, so that's manageable. How about individual /64s out of
> >> a
> >> /44, or much worse, a /32.
> >> I imagine this was exactly the concept behind the max length field
> >> that
> >> is now considered harmful.
> >> It's an interesting discussion for the operational community, but the
> >> immediate question is, what is the capacity of ARIN's hosted service?
> >> Thank you.
> >> _______________________________________________
> >> arin-tech-discuss mailing list
> >> arin-tech-discuss at arin.net
> >> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
> arin-tech-discuss mailing list
> arin-tech-discuss at arin.net
More information about the arin-tech-discuss