Expiration for ROA tables until when the VRP is valid?

Job Snijders job at fastly.com
Tue Mar 7 13:33:04 CET 2023


On Tue, Mar 07, 2023 at 01:00:40PM +0100, Job Snijders wrote:
> On Tue, Mar 07, 2023 at 12:52:16PM +0100, Ondrej Zajicek wrote:
> > If i understand it correctly, it is relevant just for static ROA
> > records?
> 
> Correct
> 
> > I assume these expiration records are based on wall-clock time instead
> > of relative time?
> 
> Correct, wall-clock time expressed as number of seconds that have
> elapsed since 00:00:00 UTC on 1 January 1970 (Unix time).
> 
> > It is a question whether we should handle expiration of such static routes
> > properly / dynamically, or just a one-time check during reconfiguration.
> > That would be order of magnitude simpler, but it is also a thing that
> > could be done by a trivial script preprocessing the included config file
> > with static ROA records.
> 
> For what it's worth: OpenBGPD and StayRTR handle it 'dynamically', but
> not in absolute real time: both implementations walk a table every few
> (~3) minutes to check for newly expired entries.

To follow up with a mock configuration example, please see below.

The %lld after keyword 'expires' is calculated by OpenBSD's rpki-client
by walking the chain of authorities and keeping tabs on the 'soonest'
expiration moment. In other words, the 'expires' value is the moment a
RTR server would send an IPv4/IPv6 Prefix RTR PDU with the 'withdraw'
flag set.

(rpki-client supports generating static ROA configurations in BIRD's
format; if BIRD supports 'expires', I'll update rpki-client/output-bird.c)

For a constantly up-to-date set of data, please download
https://console.rpki-client.org/vrps.json (as often as you want), and
transform it into BIRD's configuration format. The 'expires' key in the
JSON objects is what one would use to instruct the BGP daemon or RTR
server when to expire.

I am happy to help with this project.

Kind regards,

Job

--------

roa4 table ROAS4;
roa6 table ROAS6;

protocol static {
  roa4 { table ROAS4; };
  route 1.0.0.0/24 max 24 as 13335 expires 1678717104; # Mon Mar 13 14:18:24 UTC 2023
  route 1.0.4.0/24 max 24 as 38803 expires 1678751858; # Mon Mar 13 23:57:38 UTC 2023
  route 1.7.142.0/24 max 24 as 132215 expires 1678789300; # Tue Mar 14 10:21:40 UTC 2023
  # ...
  # left the thousands of other static entries out for brevity
}

protocol static {
  roa6 { table ROAS6; };
  route 2001:200::/32 max 32 as 2500 expires 1678724530;
  route 2001:200:136::/48 max 48 as 9367 expires 1678724530;
  route 2001:200:1ba::/48 max 48 as 24047 expires 1678724530;
  # ...
  # left the thousands of other static entries out for brevity
}
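As an added example (not code from this thread, from BIRD or from rpki-client), the transformation step the mail describes: read vrps.json, emit the 'expires' syntax of the mock configuration above, drop VRPs whose expiry has already been reached, reject malformed entries, and report how long a periodic walker could sleep before the next entry expires. The vrps.json layout is assumed from rpki-client's JSON output (a "roas" array whose objects carry "asn" as "AS<n>", "prefix", "maxLength" and "expires" in Unix seconds); the embedded sample and the NOW timestamp are constructed for the example, not downloaded.

```python
#!/usr/bin/env python3
"""Turn rpki-client style vrps.json into BIRD static ROA config with 'expires'.

Added example, not code from the bird-users thread or from rpki-client.
Assumed vrps.json layout: a "roas" array whose objects carry "asn" ("AS<n>"),
"prefix", "maxLength" and "expires" (Unix seconds, the moment an RTR server
would send the withdraw PDU).
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample, not real data: three live VRPs, one already expired and
# one with an invalid maxLength (shorter than the prefix length).
SAMPLE_VRPS_JSON = """{
  "metadata": {"buildtime": "2023-03-07T12:00:00Z"},
  "roas": [
    {"asn": "AS13335", "prefix": "1.0.0.0/24", "maxLength": 24, "ta": "apnic", "expires": 1678717104},
    {"asn": "AS38803", "prefix": "1.0.4.0/24", "maxLength": 24, "ta": "apnic", "expires": 1678751858},
    {"asn": "AS2500", "prefix": "2001:200::/32", "maxLength": 32, "ta": "apnic", "expires": 1678724530},
    {"asn": "AS64496", "prefix": "192.0.2.0/24", "maxLength": 24, "ta": "test", "expires": 1678100000},
    {"asn": "AS64497", "prefix": "198.51.100.0/24", "maxLength": 20, "ta": "test", "expires": 1678800000}
  ]
}"""

# Constructed "now": 2023-03-07 13:00:00 UTC, around the time of the mail.
NOW = 1678194000


@dataclass(frozen=True)
class Vrp:
    asn: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    expires: int  # Unix time at which an RTR server would withdraw this VRP


def parse_vrps(text):
    """Parse vrps.json; return (accepted VRPs, reasons for rejected entries)."""
    accepted, rejected = [], []
    for obj in json.loads(text)["roas"]:
        try:
            asn_str = str(obj["asn"])
            if not asn_str.upper().startswith("AS"):
                raise ValueError(f"asn not in AS<n> form: {asn_str}")
            asn = int(asn_str[2:])
            net = ipaddress.ip_network(obj["prefix"], strict=True)
            maxlen, expires = int(obj["maxLength"]), int(obj["expires"])
            if not 0 <= asn <= 0xFFFFFFFF:
                raise ValueError(f"asn out of range: {asn}")
            if not net.prefixlen <= maxlen <= net.max_prefixlen:
                raise ValueError(f"maxLength {maxlen} invalid for {net}")
        except (KeyError, ValueError) as e:
            rejected.append(f"{obj}: {e}")  # never emit a half-valid VRP
            continue
        accepted.append(Vrp(asn, net, maxlen, expires))
    return accepted, rejected


def unexpired(vrps, now):
    """Drop VRPs whose expiry has been reached. At 'expires' the RTR server
    would already be sending the withdraw PDU, so expires <= now is gone."""
    return [v for v in vrps if v.expires > now]


def seconds_until_next_expiry(vrps, now):
    """How long a periodic table walker (OpenBGPD/StayRTR style) may sleep
    before some entry expires; None when nothing unexpired is left."""
    live = unexpired(vrps, now)
    return min(v.expires for v in live) - now if live else None


def to_bird_config(vrps, now, table4="ROAS4", table6="ROAS6"):
    """Render the 'expires' syntax proposed in the thread. Already expired
    VRPs are filtered here, so a check at reconfigure time is enough."""
    live = sorted(unexpired(vrps, now),
                  key=lambda v: (v.prefix.version, v.prefix, v.asn))
    lines = [f"roa4 table {table4};", f"roa6 table {table6};", ""]
    for version, table in ((4, table4), (6, table6)):
        lines += ["protocol static {", f"  roa{version} {{ table {table}; }};"]
        for v in (x for x in live if x.prefix.version == version):
            when = datetime.fromtimestamp(v.expires, tz=timezone.utc)
            stamp = when.strftime("%a %b %d %H:%M:%S UTC %Y")
            lines.append(f"  route {v.prefix} max {v.maxlen} as {v.asn} "
                         f"expires {v.expires}; # {stamp}")
        lines += ["}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    vrps, bad = parse_vrps(SAMPLE_VRPS_JSON)
    for reason in bad:
        print("# rejected:", reason)
    print(to_bird_config(vrps, NOW))
```

Run periodically (for instance from cron, after fetching vrps.json) and feed the output to BIRD's include; because the script both filters already-expired entries and reports the time to the next expiry, it can drive either a one-time check at reconfiguration or a ~3 minute walker as OpenBGPD and StayRTR do.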

