[RPKI] Is ROA to VRP 1-to-1 Mapping?
jac.tech0 at gmail.com
Thu Oct 7 03:19:51 UTC 2021
Thanks, Alex. That explains it.
On Fri, Oct 1, 2021 at 7:54 PM Alex Band <alex at nlnetlabs.nl> wrote:
> Hi Jacquie,
> A ROA object can contain only one ASN but can have multiple prefixes, so 1
> ROA with 5 prefixes will result in 5 VRPs.
> The reason why you differences across RIRs is because of their
> implementations. In case of the RIPE NCC, you don’t actually create ROAs in
> a direct one-to-one mapping but you authorise announcements seen in BGP.
> Based on these authorisations, the system will generate ROA objects in the
> most efficient way possible with the least amount of objects. This is why
> you see a large difference between the ROA and VRP count.
> With other implementations users are guided more towards creating a single
> ROA per prefix, so there the ROA/VRP counts tend to match.
> > On 1 Oct 2021, at 09:48, Jacquie Zhang via RPKI <rpki at lists.nlnetlabs.nl>
> > Hello,
> > My company is working on implementing RPKI with Routinator so I have
> some questions I'd like to ask. I'm breaking the questions into multiple
> > My first question is, is ROA to VRP 1-to-1 mapping, ie. there is only
> one VRP resulted from each ROA?
> > I went through my ASN, AS4804, and compared the ROAs listed in the
> following public places to the ROAs we signed in APNIC and the VRPs in my
> Cisco router. They were exactly the same, 364.
> > 1. https://rpki.cloudflare.com/?view=explorer&asn=4804 showed 364
> > 2. http://nong.rand.apnic.net:8080/roas showed 364
> > 3. My lab Cisco router which is connected to a Routinator. It showed 364.
> > 4. MYAPNIC portal, it showed 364.
> > This lead me to think that the mapping is 1-to-1. Each ROA after
> processing by a validator software only generates one VRP.
> > But from the following URL, it clearly shows that it is a 1-to-many
> > Take RIPE as an example, ROA count was 25,704. VRP count was 138,630,
> which was 5.39 times of the ROA count. All other RIRs have VRP counts must
> greater than the ROA counts.
> > https://rpki-validator.ripe.net/ui/metrics
> > <image.png>
> > Reading the Routinator document at
> it says "If the ROA passes validation, Routinator will produce one or more
> plain text validated ROA payloads (VRPs) for each ROA, depending on how
> many IP prefixes are contained within it."
> > Can someone please help explain which one is correct, 1-to-1 or
> 1-to-many? Maybe different scenarios produce differently? Which scenario
> will produce multiple VRPs from a single ROA?
> > I'm not talking about VRP to prefix mapping. I understand in the case
> max len is greater than the prefix len in a VRP, multiple IP prefixes will
> be covered by this VRP.
> > Thanks,
> > Jacquie from Optus
> > --
> > RPKI mailing list
> > RPKI at lists.nlnetlabs.nl
> > https://lists.nlnetlabs.nl/mailman/listinfo/rpki
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the RPKI