[RPKI] Is ROA to VRP 1-to-1 Mapping?
Alex Band
alex at nlnetlabs.nl
Fri Oct 1 09:54:26 UTC 2021
Hi Jacquie,
A ROA object can contain only one ASN but can have multiple prefixes, so 1 ROA with 5 prefixes will result in 5 VRPs.
The reason why you see differences across RIRs is because of their implementations. In case of the RIPE NCC, you don’t actually create ROAs in a direct one-to-one mapping but you authorise announcements seen in BGP. Based on these authorisations, the system will generate ROA objects in the most efficient way possible with the least amount of objects. This is why you see a large difference between the ROA and VRP count.
With other implementations users are guided more towards creating a single ROA per prefix, so there the ROA/VRP counts tend to match.
Cheers,
Alex
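As an added illustration of the mapping Alex describes (example code written for this page, not code from the list, the RIRs or Routinator), the following Python models ROAs and VRPs and shows that the same set of authorisations produces the same VRPs whether a portal writes one ROA per prefix or consolidates all of an ASN's prefixes into one ROA, while the ROA count differs. The ASNs and prefixes are constructed documentation values, and the consolidation is a simplified per-ASN grouping, not the RIPE NCC's actual algorithm.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Roa:
    asn: int                 # a ROA carries exactly one ASN ...
    prefixes: tuple          # ... but any number of (prefix, max_length) pairs

@dataclass(frozen=True)
class Vrp:
    asn: int
    prefix: str
    max_length: int

def roa_to_vrps(roa):
    """Each prefix in the ROA becomes one VRP; all of them carry the ROA's ASN."""
    return [Vrp(roa.asn, prefix, maxlen) for prefix, maxlen in roa.prefixes]

def per_prefix_roas(authorisations):
    """Portal style that writes one ROA per authorised prefix: ROA count equals VRP count."""
    return [Roa(asn, ((prefix, maxlen),)) for asn, prefix, maxlen in authorisations]

def per_asn_roas(authorisations):
    """Simplified consolidated style: every prefix authorised for an ASN goes into one ROA."""
    by_asn = defaultdict(list)
    for asn, prefix, maxlen in authorisations:
        by_asn[asn].append((prefix, maxlen))
    return [Roa(asn, tuple(sorted(pairs))) for asn, pairs in sorted(by_asn.items())]

def all_vrps(roas):
    return {vrp for roa in roas for vrp in roa_to_vrps(roa)}

def style_counts(authorisations):
    """(ROA count, VRP count) per style; the resulting VRP sets are identical either way."""
    styles = {"per-prefix": per_prefix_roas(authorisations), "per-ASN": per_asn_roas(authorisations)}
    return {name: (len(roas), len(all_vrps(roas))) for name, roas in styles.items()}

def vrp_covers(vrp, announced):
    """Max-length rule: the announcement must sit inside the VRP prefix and be no longer than max_length."""
    net, roa_net = ip_network(announced), ip_network(vrp.prefix)
    return (net.version == roa_net.version and net.subnet_of(roa_net)
            and net.prefixlen <= vrp.max_length)

AUTHORISATIONS = [  # constructed sample using documentation ASNs/prefixes, not real RIR data
    (64496, "192.0.2.0/24", 24),
    (64496, "198.51.100.0/24", 25),
    (64496, "2001:db8::/32", 48),
    (64497, "203.0.113.0/24", 24),
]
```

Calling `style_counts(AUTHORISATIONS)` gives 4 ROAs for 4 VRPs in the per-prefix style and 2 ROAs for the same 4 VRPs when consolidated per ASN, which is the kind of gap Jacquie saw between the RIPE ROA and VRP counts.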
> On 1 Oct 2021, at 09:48, Jacquie Zhang via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>
> Hello,
>
> My company is working on implementing RPKI with Routinator so I have some questions I'd like to ask. I'm breaking the questions into multiple emails.
>
> My first question is, is ROA to VRP 1-to-1 mapping, i.e. there is only one VRP resulting from each ROA?
>
> I went through my ASN, AS4804, and compared the ROAs listed in the following public places to the ROAs we signed in APNIC and the VRPs in my Cisco router. They were exactly the same, 364.
>
> 1. https://rpki.cloudflare.com/?view=explorer&asn=4804 showed 364
> 2. http://nong.rand.apnic.net:8080/roas showed 364
> 3. My lab Cisco router which is connected to a Routinator. It showed 364.
> 4. MYAPNIC portal, it showed 364.
>
> This led me to think that the mapping is 1-to-1. Each ROA after processing by a validator software only generates one VRP.
>
> But from the following URL, it clearly shows that it is a 1-to-many mapping.
>
> Take RIPE as an example, ROA count was 25,704. VRP count was 138,630, which was 5.39 times the ROA count. All other RIRs have VRP counts much greater than the ROA counts.
>
> https://rpki-validator.ripe.net/ui/metrics
>
> Reading the Routinator document at https://routinator.docs.nlnetlabs.nl/en/stable/data-processing.html#roas-and-vrps, it says "If the ROA passes validation, Routinator will produce one or more plain text validated ROA payloads (VRPs) for each ROA, depending on how many IP prefixes are contained within it."
>
> Can someone please help explain which one is correct, 1-to-1 or 1-to-many? Maybe different scenarios produce differently? Which scenario will produce multiple VRPs from a single ROA?
>
> I'm not talking about VRP to prefix mapping. I understand in the case max len is greater than the prefix len in a VRP, multiple IP prefixes will be covered by this VRP.
>
>
> Thanks,
> Jacquie from Optus
>
> --
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki