[RPKI] Is ROA to VRP 1-to-1 Mapping?

Douglas Fischer fischerdouglas at gmail.com
Fri Oct 1 12:17:59 UTC 2021


This question made me think about a possibility.

Has it already been discussed whether in the future, when we have a
cryptographically signed equivalent of IRR AS-SET, it will be possible to
generate an ROA with an AS-SET as Orign?

This would be interesting for sibling scenarios, and CDNs that have IP
blocks (usually anycast) being sourced by ASNs that host Bring-Home.
Much less maintenance and interventions on ROAs.

Em sex., 1 de out. de 2021 às 06:54, Alex Band via RPKI <
rpki at lists.nlnetlabs.nl> escreveu:

> Hi Jacquie,
>
> A ROA object can contain only one ASN but can have multiple prefixes, so 1
> ROA with 5 prefixes will result in 5 VRPs.
>
> The reason why you differences across RIRs is because of their
> implementations. In case of the RIPE NCC, you don’t actually create ROAs in
> a direct one-to-one mapping but you authorise announcements seen in BGP.
> Based on these authorisations, the system will generate ROA objects in the
> most efficient way possible with the least amount of objects. This is why
> you see a large difference between the ROA and VRP count.
>
> With other implementations users are guided more towards creating a single
> ROA per prefix, so there the ROA/VRP counts tend to match.
>
> Cheers,
>
> Alex
>
> > On 1 Oct 2021, at 09:48, Jacquie Zhang via RPKI <rpki at lists.nlnetlabs.nl>
> wrote:
> >
> > Hello,
> >
> > My company is working on implementing RPKI with Routinator so I have
> some questions I'd like to ask. I'm breaking the questions into multiple
> emails.
> >
> > My first question is, is ROA to VRP 1-to-1 mapping, ie. there is only
> one VRP resulted from each ROA?
> >
> > I went through my ASN, AS4804, and compared the ROAs listed in the
> following public places to the ROAs we signed in APNIC and the VRPs in my
> Cisco router. They were exactly the same, 364.
> >
> > 1. https://rpki.cloudflare.com/?view=explorer&asn=4804   showed 364
> > 2. http://nong.rand.apnic.net:8080/roas showed 364
> > 3. My lab Cisco router which is connected to a Routinator. It showed 364.
> > 4. MYAPNIC portal, it showed 364.
> >
> > This lead me to think that the mapping is 1-to-1. Each ROA after
> processing by a validator software only generates one VRP.
> >
> > But from the following URL, it clearly shows that it is a 1-to-many
> mapping.
> >
> > Take RIPE as an example, ROA count was 25,704. VRP count was 138,630,
> which was 5.39 times of the ROA count. All other RIRs have VRP counts must
> greater than the ROA counts.
> >
> > https://rpki-validator.ripe.net/ui/metrics
> >
> > <image.png>
> >
> > Reading the Routinator document at
> https://routinator.docs.nlnetlabs.nl/en/stable/data-processing.html#roas-and-vrps,
> it says "If the ROA passes validation, Routinator will produce one or more
> plain text validated ROA payloads (VRPs) for each ROA, depending on how
> many IP prefixes are contained within it."
> >
> > Can someone please help explain which one is correct, 1-to-1 or
> 1-to-many? Maybe different scenarios produce differently? Which scenario
> will produce multiple VRPs from a single ROA?
> >
> >  I'm not talking about VRP to prefix mapping. I understand in the case
> max len is greater than the prefix len in a VRP, multiple IP prefixes will
> be covered by this VRP.
> >
> >
> > Thanks,
> > Jacquie from Optus
> >
> > --
> > RPKI mailing list
> > RPKI at lists.nlnetlabs.nl
> > https://lists.nlnetlabs.nl/mailman/listinfo/rpki
>
> --
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki
>


-- 
Douglas Fernando Fischer
Engº de Controle e Automação
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/rpki/attachments/20211001/f11fdf24/attachment.htm>


More information about the RPKI mailing list