[RPKI] IETF draft - The Use of Maxlength in the RPKI
Douglas Fischer
fischerdouglas at gmail.com
Tue Feb 23 11:14:11 UTC 2021
I don't know if this is the best forum to discuss this ...
If not, I apologize.
So far I was not aware of this draft, which already has 6 versions, and is
heading towards the final version.
https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-06
As far as I could understand, the main reason for proposing this draft is
to enable a safe and fast way to make the security of the RPKI origin
validation also include the cases of RTBH ads that are generally of unique
IPs (/ 32 or / 128 ).
Honestly, so far I am undecided as to whether this is the best methodology
for such a solution.
Until now I was adopting (especially for route-servers) the methodology of
further analyzing the possible status of RPKI.
- Valid -> complements do not fit
- Unknown -> complements do not fit
- Invalid -> by previous ROA Date
- Invalid -> by Later ROA Date
- Invalid -> by ASN of Origin
- Invalid -> for less specific mask
- Invalid -> by more specific mask
Thus, in the route filtering tests received against Blackhole I was using
the following logic:
If (is into AS-SET My-Customer) and \
(has Black-Hole-Community) and \
((is IPv4 and is /32) or (is IPv6 and is /128)) and \
((is RPKI Valid) or (is RPKI unknow) or (is RPKI invalid by mas more
specific)) then \
accept as Blackhole...
P.S.: This is a very summarized way to express the logic... I had to do
some gymnastics to implement it... Converting RPKI JSONs belonging to each
AS-SET to Prefix-lists.
So I would like to hear from other colleagues about this Draft, and it will
change the way every ASN should filter RPKI, specially RTBH.
--
Douglas Fernando Fischer
Engº de Controle e Automação
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/rpki/attachments/20210223/4fe914d8/attachment.htm>
More information about the RPKI
mailing list