[arin-tech-discuss] Maximum number of prefixes in a manually signed ROA

Jay Borkenhagen jayb at braeburn.org
Fri Aug 24 13:45:39 EDT 2018


It's good to know details of ARIN's HSM, so thanks for providing that
information, Mark.  But with respect to what motivated the original
question:

  "... the max length field [...] is now considered harmful" 

That refers to this internet-draft:

 https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-00 

The issue related to 3rd-party DDoS scrubbing services that Andrew
mentioned is discussed in the draft.  It's also worth noting that
pre-publishing many ROAs for not-normally-announced prefixes in the
way Andrew was asking about creates the same exposure as would be
caused by [mis]using max length.

Thanks.

					Jay B.


On 23-Aug-2018, Andrew Gallo writes:
 > This is helpful.
 > 
 > Thank you.
 > 
 > 
 > 
 > On 8/22/2018 9:28 PM, Mark Kosters wrote:
 > > Hi Andrew
 > > 
 > > Here are some general numbers. It is quite complicated given it has
 > > multiple layers of complexity with our programmable HSM (size of the
 > > digits at each octet/nibble, v4/v6 addresses, inclusion of max length, cms
 > > wrapping, etc) that factor in to the size of a maximum signing request
 > > that the HSM will allow. We ran some empirical tests like you to come up
 > > with some numbers.  Here they are and note that are not dependent on the
 > > size of the digits:
 > > 
 > > ROA request with 2K v4 prefixes without max length per prefix (just barely
 > > made the cut).
 > > ROA request with 1K v6 prefixes with max length per prefix (had some room
 > > to spare).
 > > 
 > > Thanks,
 > > Mark
 > > 
 > > 
 > > On 8/20/18, 5:36 PM, "Mark Kosters" <markk at arin.net> wrote:
 > > 
 > >> Hi Andrew
 > >>
 > >> There is a limit and it based on the interface with our HSM. We are
 > >> trying to figure out #'s and will have an answer for you soon.
 > >>
 > >> Thanks,
 > >> Mark
 > >>
 > >> On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo"
 > >> <arin-tech-discuss-bounces at arin.net on behalf of akg1330 at gmail.com> wrote:
 > >>
 > >>     Greetings:
 > >>     
 > >>     A discussion has come up in the R&E community about the maximum number
 > >>     of prefixes one can include in a ROA request in the hosted environment.
 > >>     Using the feature of pasting in a manually signed ROA, I've been able to
 > >>     request about 4k prefixes in a single ROA.  Seeing that work, I got
 > >>     greedy and requested 65k.  That didn't work.  (this was all done in the OT&E)
 > >>     
 > >>     Is there a limit to the number of prefixes that can be included in a ROA
 > >>     request?  I can't find anything in an RFC that specifies a max number;
 > >>     if that's the case, is there a practical number?
 > >>     
 > >>     
 > >>     Here's the background of the query-
 > >>     
 > >>     Let's say you have a large summary prefix, say a /16.  You've subscribed
 > >>     to a DDoS scrubbing service that can, on demand, originate any arbitrary
 > >>     /24 of your space under a different ASN.  You would need to create a ROA
 > >>     that covers the /24s for the DDoS mitigation ASN.  In this case, that's
 > >>     256 prefixes, so that's manageable.  How about individual /64s out of a
 > >>     /44, or much worse, a /32?
 > >>     
 > >>     I imagine this was exactly the concept behind the max length field that
 > >>     is now considered harmful.
 > >>     
 > >>     It's an interesting discussion for the operational community, but the
 > >>     immediate question is, what is the capacity of ARIN's hosted service?
 > >>     
 > >>     
 > >>     Thank you.
 > >>     _______________________________________________
 > >>     arin-tech-discuss mailing list
 > >>     arin-tech-discuss at arin.net
 > >>     https://lists.arin.net/mailman/listinfo/arin-tech-discuss
 > >>     
 > >>
 > > 
 > > 
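An added example, not from this thread: RFC 6811 route origin validation in Python, run over three constructed ROA sets for Andrew's /16-plus-scrubber scenario, to make Jay's point concrete that a maxLength 24 ROA and 256 pre-published /24 ROAs leave exactly the same set of /24s acceptable from the mitigation ASN, whereas ROAs for only the prefixes actually announced do not. The ASNs 64496/64500/64511 and the 10.64.0.0/16 block are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    prefix: str      # covering prefix, e.g. "10.64.0.0/16"
    max_length: int  # RFC 6482 maxLength; equals the prefix length when absent
    asn: int

def covers(roa: Roa, route: str) -> bool:
    """RFC 6811: a ROA covers a route when the route lies inside the ROA
    prefix and its length does not exceed maxLength."""
    rp, rt = ipaddress.ip_network(roa.prefix), ipaddress.ip_network(route)
    return rt.version == rp.version and rt.subnet_of(rp) and rt.prefixlen <= roa.max_length

def validate(roas, route: str, origin_asn: int) -> str:
    """Route origin validation state per RFC 6811 section 2."""
    covering = [r for r in roas if covers(r, route)]
    if not covering:
        return "not-found"
    return "valid" if any(r.asn == origin_asn for r in covering) else "invalid"

def accepted_from(roas, summary: str, length: int, asn: int):
    """Audit helper: every /length block of summary that ROV would accept with
    asn as origin, whether or not that block is actually announced."""
    net = ipaddress.ip_network(summary)
    return [str(s) for s in net.subnets(new_prefix=length)
            if validate(roas, str(s), asn) == "valid"]

# Constructed scenario (RFC 1918 space stands in for a real /16): the holder
# originates the /16 as AS64496; a scrubbing service, AS64500, must be able
# to originate any /24 of it on demand.
SUMMARY, HOLDER, SCRUBBER = "10.64.0.0/16", 64496, 64500
BASE = [Roa(SUMMARY, 16, HOLDER)]
# Strategy A: one ROA with maxLength 24 for the scrubber.
MAXLEN = BASE + [Roa(SUMMARY, 24, SCRUBBER)]
# Strategy B: 256 explicit /24 ROAs pre-published for the scrubber.
EXPLICIT = BASE + [Roa(str(s), 24, SCRUBBER)
                   for s in ipaddress.ip_network(SUMMARY).subnets(new_prefix=24)]
# Strategy C: ROAs only for what is announced right now (one /24 under mitigation).
MINIMAL = BASE + [Roa("10.64.7.0/24", 24, SCRUBBER)]

def exposure(roas) -> int:
    """Number of /24s that any announcement carrying AS64500 as origin would
    make 'valid' under these ROAs, i.e. the surface the ROA set leaves open."""
    return len(accepted_from(roas, SUMMARY, 24, SCRUBBER))

if __name__ == "__main__":
    for name, roas in (("maxLength", MAXLEN), ("explicit", EXPLICIT), ("minimal", MINIMAL)):
        print(f"{name:10s} ROAs={len(roas):4d}  /24s accepted from AS{SCRUBBER}: {exposure(roas)}")
    # An unrelated origin stays invalid under all three sets: ROV still does its job.
    print(validate(MAXLEN, "10.64.7.0/24", 64511))
```

Strategies A and B both report 256 acceptable /24s with very different ROA counts (2 versus 257), which is the "same exposure" Jay describes; only strategy C limits it to the prefix actually being mitigated.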
