Internet2 Network Security SIG

[Andrew Gallo <>]

So, it's interesting you ask....

The script started out more as an exercise to find out how many prefixes 
can fit in one ROA.  I've successfully submitted a request of 4k 
prefixes. Somewhere between 4k and 65k, the RPKI portal in the OT&E 
barfed, timed out and then took a break before I could submit a new 
request (the original one failed).  I think I was trying to cover all 
the /64s in a /48.

You raise a good point about the size of ROAs.  You're being generous at 
the /48 level.  What would happen if you need to cover /64s?

The idea of the Max length field is still valid, but what we need is not 
*all* more specifics, just all more specifics of a given (and exact) 
mask length.

I think this is something we need to be asking the DDoS vendors.  In a 
full RPKI deployment, where operators are making policy decisions based 
on ROA validation, how should I cover my prefixes?

ROA generation and distribution is *not* real time.  At best it's on the 
order of hours, if not potentially days before it reaches a validating 
cache and then router.

I'll ask about maximum number of prefixes on the ARIN technical list.  They 
might be able to answer what the portal can handle.  But for operational best 
practices on how to handle this situation, I'm not sure anyone has an answer.



On 8/17/2018 4:13 PM, Brad Fleming wrote:
> Thanks very much for the script and examples.
>
> So is prevailing notion to make a ROA including the 65K /48s within a typical 
> /32 assignment? I suppose I’m OK with the approach, just seems like that ROA 
> is gonna crazy huge.
> --
> Brad Fleming
> Assistant Director for Technology
> Kansas Research and Education Network
>
> > On Aug 15, 2018, at 12:55 PM, Andrew Gallo 
> > <>
> >  wrote:
> >
> > Greetings, Security WG:
> >
> > Seth Garrett and I have been trading some emails about creating a ROA request 
> > with a lot of prefixes.  I've written a script that can make this easier.
> > https://github.com/CAAREN-engineering/generateSignedROAreq
> >
> > Here's the scenario and use-case:
> >
> > If you have a large summary prefix, let's say an IPv4 /16, and you would like 
> > to cover this prefix AND all the /24s within it, you *could* use the Max 
> > Length feature to create a ROA request for 172.16.0.0/16-24. HOWEVER, use of 
> > Max Length field is no longer recommended (can lead to larger attack surface).
> >
> > You might want ROAs covering all the constituent /24s so that they can be 
> > originated by a DDoS scrubbing service.
> >
> > At this point, following best practices, you're left with entering 256 
> > prefixes by hand in the Hosted RPKI portal.  There is another way!
> >
> > You can pasted into the portal pre-formatted, pre-signed text.
> >
> > ARIN's instructions are here:
> > https://www.arin.net/resources/rpki/roarequest.html
> >
> > I wrote a script to help make this process easier.  What you'll need:
> > Python 3.3+
> > a file containing a list of prefixes you want included in the ROA (you can 
> > mix v4 and v6)
> > Your private key
> >
> > The script will ask you some basic information needed to create the ROA 
> > request data:
> > Origin ASN
> > ROA name
> > Validity Start Date
> > Validity End Date
> >
> >
> > Let me know if you have any questions.
> >
> >
> >
> > --
> > ________________________________
> > Andrew Gallo
> > The George Washington University

--
________________________________
Andrew Gallo
The George Washington University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature