netsec-sig - Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
Subject: Internet2 Network Security SIG
- From: Michael H Lambert <>
- To:
- Subject: Re: [Security-WG] Generating an RPKI ROA request with lots of prefixes
- Date: Fri, 17 Aug 2018 16:20:41 -0400
Or is it the 2**32 /64s?
Michael
> On 17 Aug 2018, at 16:13, Brad Fleming
> <>
> wrote:
>
> Thanks very much for the script and examples.
>
> So is the prevailing notion to make a ROA including the 65K /48s within a
> typical /32 assignment? I suppose I’m OK with the approach, it just seems like
> that ROA is gonna be crazy huge.
> --
> Brad Fleming
> Assistant Director for Technology
> Kansas Research and Education Network
>
>> On Aug 15, 2018, at 12:55 PM, Andrew Gallo
>> <>
>> wrote:
>>
>> Greetings, Security WG:
>>
>> Seth Garrett and I have been trading some emails about creating a ROA
>> request with a lot of prefixes. I've written a script that can make this
>> easier.
>> https://github.com/CAAREN-engineering/generateSignedROAreq
>>
>> Here's the scenario and use-case:
>>
>> If you have a large summary prefix, let's say an IPv4 /16, and you would
>> like to cover this prefix AND all the /24s within it, you *could* use the
>> Max Length feature to create a ROA request for 172.16.0.0/16-24. HOWEVER,
>> use of the Max Length field is no longer recommended (it can lead to a larger
>> attack surface).
>>
>> You might want ROAs covering all the constituent /24s so that they can be
>> originated by a DDoS scrubbing service.
>>
>> At this point, following best practices, you're left with entering 256
>> prefixes by hand in the Hosted RPKI portal. There is another way!
>>
>> You can paste pre-formatted, pre-signed text into the portal.
>>
>> ARIN's instructions are here:
>> https://www.arin.net/resources/rpki/roarequest.html
>>
>> I wrote a script to help make this process easier. What you'll need:
>> - Python 3.3+
>> - a file containing a list of prefixes you want included in the ROA (you can
>>   mix v4 and v6)
>> - Your private key
>>
>> The script will ask you some basic information needed to create the ROA
>> request data:
>> - Origin ASN
>> - ROA name
>> - Validity Start Date
>> - Validity End Date
>>
>>
>> Let me know if you have any questions.
>>
>>
>>
>> --
>> ________________________________
>> Andrew Gallo
>> The George Washington University
>>
>
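An added example, not part of the thread and not the linked script: it compares what a 172.16.0.0/16-24 maxLength ROA authorizes with what an explicit /16-plus-all-/24s ROA authorizes under RFC 6811 origin validation, and computes the entry counts behind the /48 and /64 questions above. The origin ASN 64496 and 2001:db8::/32 are constructed documentation values, the function names are hypothetical, and `subnet_of` needs Python 3.7+.

```python
import ipaddress

ORIGIN = 64496  # constructed: documentation ASN (RFC 5398), not from the thread

def explicit_roa(summary, new_len, asn=ORIGIN):
    """ROA entries for the summary plus every new_len subnet; maxLength = own length."""
    net = ipaddress.ip_network(summary)
    nets = [net] + list(net.subnets(new_prefix=new_len))
    return [(n, n.prefixlen, asn) for n in nets]

def maxlen_roa(summary, max_len, asn=ORIGIN):
    """Single-entry ROA that relies on the maxLength field instead."""
    return [(ipaddress.ip_network(summary), max_len, asn)]

def validate(route, origin, roa):
    """RFC 6811 origin validation of one announcement against a ROA's entries."""
    route = ipaddress.ip_network(route)
    covering = [e for e in roa
                if e[0].version == route.version and route.subnet_of(e[0])]
    if not covering:
        return "not-found"
    ok = any(route.prefixlen <= mlen and origin == asn
             for _, mlen, asn in covering)
    return "valid" if ok else "invalid"

def authorized(roa):
    """Distinct prefixes the ROA lets its origin AS announce (small ranges only)."""
    out = set()
    for net, mlen, _ in roa:
        for length in range(net.prefixlen, mlen + 1):
            out.update(net.subnets(new_prefix=length))
    return out

def entry_count(summary, new_len):
    """Entries an explicit ROA needs, computed without enumerating (IPv6-safe)."""
    net = ipaddress.ip_network(summary)
    return 1 + 2 ** (new_len - net.prefixlen)

if __name__ == "__main__":
    wide = maxlen_roa("172.16.0.0/16", 24)
    tight = explicit_roa("172.16.0.0/16", 24)
    print("authorized prefixes:", len(authorized(wide)), "vs", len(authorized(tight)))
    for r in ("172.16.5.0/24", "172.16.128.0/17"):
        print(r, validate(r, ORIGIN, wide), validate(r, ORIGIN, tight))
    print("IPv6 /32 entries:", entry_count("2001:db8::/32", 48),
          entry_count("2001:db8::/32", 64))
```

The intermediate lengths (/17 through /23) are the difference: the maxLength ROA marks them valid, while the explicit ROA leaves them invalid.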