ignore max length as an argument of roa_check
Mikhail Grishin
magr at ripn.net
Tue Mar 30 15:20:23 CEST 2021
Hi,
We use this option in a production environment (2.0.7 with patches),
started in 2020.
Some side effects: doubled number of TCP sessions with the validator,
doubled number of ROA tables (per each BIRD instance).
Wbr, Mikhail,
MSK-IX
Douglas Fischer writes on 30.03.2021 16:04:
> It does make sense! A LOT!
>
> It is the only way I see that makes it possible to use RPKI as a source of
> information to validate RTBH with the information available now.
>
> P.S.: I even mentioned something about that on SIDROPS
> https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/
>
> That is the same concept that is used on IRR, right?
> "If a BlackHole route is contained in the Route Objects on IRR, it is
> acceptable..."
>
> On Sun, 28 Mar 2021 at 10:42, Pier Carlo Chiodi
> <pierky at pierky.com> wrote:
>
> Hello,
>
> first, thanks to the devs for 2.0.8!
>
> I see the option 'ignore max length' was introduced, and that it's
> possible to enable it at protocol configuration time.
>
> ignore max length switch
>
> Ignore received max length in ROA records and use max value
> (32 or 128) instead. This may be useful for implementing loose
> RPKI check for blackholes. Default: disabled.
>
> I was wondering what other people's feelings would be about having
> a similar option available at validation time, more specifically
> as an argument of roa_check.
>
> If my understanding is correct, being the current option available
> only at protocol level, it means that all the ROAs that are
> present inside the ROA table are used as if the maxLength
> attribute is not set. This means that it wouldn't be possible to
> configure a filter to perform a strict OV check (where the
> maxLength is also taken into account) using ROAs from that table.
>
> Having that option available at roa_check time, the same table
> could be used to perform both strict validation and also a loose
> validation, for example depending on the presence of the BLACKHOLE
> BGP community:
>
> (pseudo-code follows)
>
> # ... regular sanity checks done here...
>
> if BLACKHOLE {
>     if (roa_check(ignore_max_length=True) = ROA_INVALID) then {
>         reject;
>     }
>     accept;
> } else {
>     if (roa_check() = ROA_INVALID) then {
>         reject;
>     }
>     accept;
> }
>
> (Assuming ignore_max_length has default value == False.)
>
> Does it make sense?
>
> Thanks
>
> Pier Carlo Chiodi
>
>
>
> --
> Douglas Fernando Fischer
> Control and Automation Engineer
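A runnable model of the strict-versus-loose origin validation discussed in this thread, added here as an illustration; it is not BIRD's code, and the `ignore_max_length` argument, the `Roa` table and the sample ROAs are assumptions constructed to show why a /32 blackhole fails the strict check but passes the loose one while a wrong origin AS still fails both:

```python
import ipaddress
from dataclasses import dataclass

ROA_VALID, ROA_INVALID, ROA_UNKNOWN = "ROA_VALID", "ROA_INVALID", "ROA_UNKNOWN"
BLACKHOLE = (65535, 666)  # RFC 7999 BLACKHOLE community


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROA table (documentation prefixes and ASNs).
ROAS = [Roa("192.0.2.0/24", 24, 64496), Roa("2001:db8::/32", 48, 64496)]


def roa_check(roas, prefix, asn, ignore_max_length=False):
    """RFC 6811 route origin validation over an in-memory ROA table.

    With ignore_max_length=True every ROA is treated as if its maxLength
    were 32 (IPv4) or 128 (IPv6), which is what the 'ignore max length'
    switch does for a whole ROA table. The argument form is the proposal
    from the thread, not an existing BIRD function signature.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one covering ROA: result is VALID or INVALID
        max_len = route.max_prefixlen if ignore_max_length else roa.max_length
        if roa.asn == asn and route.prefixlen <= max_len:
            return ROA_VALID
    return ROA_INVALID if covered else ROA_UNKNOWN


def filter_route(roas, prefix, origin_asn, communities):
    """Policy from the quoted pseudo-code: loose check only for blackholes,
    strict check otherwise; only ROA_INVALID is rejected."""
    loose = BLACKHOLE in communities
    state = roa_check(roas, prefix, origin_asn, ignore_max_length=loose)
    return "reject" if state == ROA_INVALID else "accept"
```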