netsec-sig - [Security-WG] RPKI follow up from TechEx
- From: Andrew Gallo <>
- To:
- Subject: [Security-WG] RPKI follow up from TechEx
- Date: Wed, 1 Nov 2017 10:12:00 -0400
There were a couple of questions either in our WG meeting, in the RPKI session, or from other conversations that I can provide at least some updates on.
Memory footprint of RPKI:
On a Juniper router, I have one session each to two RIPE Validators. The memory usage is about 14MB for just under 90,000 records. Specifically:
show validation statistics
Total RV records: 89795
Total Replication RV records: 89795
Prefix entries: 42157
Origin-AS entries: 44898
Memory utilization: 14401823 bytes
Policy origin-validation requests: 1206555751
Valid: 39673371
Invalid: 8373274
Unknown: 1158509106
BGP import policy reevaluation notifications: 535201
inet.0, 499503
inet6.0, 35698
I've asked Juniper for more details. I have not heard back.
rsync vs rrdp (RPKI Repository Delta Protocol):
Currently, ROAs are collected primarily through rsync, which may not be the best method. There is an RFC (https://tools.ietf.org/html/rfc8182) describing using HTTP as a distribution method.
The RIPE validator we have deployed uses rsync by default, but that can be changed via this line in the config file:
prefer.rrdp = true
After making that change and looking at the traffic, it appears very few TALs support rrdp. Some statistics from a full update of all the TALs:
63 TCP connections
5 used port 443, 58 used 873 (rsync)
23 used IPv4, 40 used IPv6
of the sites using 443, all were IPv4
Thank you.
--
________________________________
Andrew Gallo
The George Washington University
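The counters quoted in the message above are the kind of thing an operator would want to watch continuously (is the cache session in sync, how large is the validated ROA set, how much memory does it cost, what share of import decisions comes back Invalid). The following is an added example, not code from the mail or from Juniper: it parses the `show validation statistics` text into a dictionary, cross-checks the counters that should add up, and derives per-record memory and Valid/Invalid/Unknown percentages. The sample input is constructed from the numbers in the mail; the key names are taken from that output, and `INVALID_SHARE_ALERT_PCT` is an assumed threshold, not a Junos setting.

```python
"""Parse Juniper 'show validation statistics' output and derive RPKI monitoring metrics."""
import re
from typing import Dict

# Constructed sample: the counters from the mail, in Junos's "key: value" layout.
SAMPLE_OUTPUT = """\
Total RV records: 89795
Total Replication RV records: 89795
Prefix entries: 42157
Origin-AS entries: 44898
Memory utilization: 14401823 bytes
Policy origin-validation requests: 1206555751
    Valid: 39673371
    Invalid: 8373274
    Unknown: 1158509106
BGP import policy reevaluation notifications: 535201
    inet.0, 499503
    inet6.0, 35698
"""

# Assumed alerting threshold (percent of validation requests returning Invalid).
INVALID_SHARE_ALERT_PCT = 5.0

# Accepts both "Key: 123" and "inet.0, 123" forms; trailing units like "bytes" are ignored.
LINE_RE = re.compile(r"^\s*(?P<key>[^:,]+)[:,]\s*(?P<value>\d+)")


def parse_validation_stats(text: str) -> Dict[str, int]:
    """Return a {counter name: integer value} mapping; unparseable lines are skipped."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stats[m.group("key").strip()] = int(m.group("value"))
    return stats


def check_counters(stats: Dict[str, int]) -> bool:
    """Sanity-check internal consistency of the parsed counters.

    Valid + Invalid + Unknown must equal the request total, and the per-table
    reevaluation counts must sum to the notification total.
    """
    requests_ok = (
        stats["Valid"] + stats["Invalid"] + stats["Unknown"]
        == stats["Policy origin-validation requests"]
    )
    reeval_ok = (
        stats["inet.0"] + stats["inet6.0"]
        == stats["BGP import policy reevaluation notifications"]
    )
    return requests_ok and reeval_ok


def derive_metrics(stats: Dict[str, int]) -> Dict[str, float]:
    """Compute the figures an operator would graph or alert on."""
    records = stats["Total RV records"]
    requests = stats["Policy origin-validation requests"]
    return {
        "bytes_per_record": stats["Memory utilization"] / records,
        "valid_pct": 100.0 * stats["Valid"] / requests,
        "invalid_pct": 100.0 * stats["Invalid"] / requests,
        "unknown_pct": 100.0 * stats["Unknown"] / requests,
        # Replication records should track the primary count when the sessions are in sync.
        "replication_in_sync": float(stats["Total Replication RV records"] == records),
    }


def invalid_share_alert(stats: Dict[str, int]) -> bool:
    """True when the Invalid share exceeds the assumed alerting threshold."""
    return derive_metrics(stats)["invalid_pct"] > INVALID_SHARE_ALERT_PCT


if __name__ == "__main__":
    parsed = parse_validation_stats(SAMPLE_OUTPUT)
    print("counters consistent:", check_counters(parsed))
    for name, value in derive_metrics(parsed).items():
        print(f"{name}: {value:.2f}")
    print("invalid share alert:", invalid_share_alert(parsed))
```

Fed the mail's numbers, the consistency checks pass, the cache costs roughly 160 bytes per RV record, and Unknown dominates at about 96% of validation requests, which is what you would expect while most of the routing table is still not covered by ROAs.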