<div dir="ltr">It does make sense! A LOT!<br><br>It is the only way I see that is possible to use RPKI as a source of information to validate RTBH with the available information existent now.<div><br></div><div>P.S.: I even mentioned some about that on SIDROPS <br><a href="https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/">https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/</a><br><br>That is the same concept that is used on IRR, right?<br>"If is BlackHole route is contained on the Route Objects on IRR, is acceptable..."<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Em dom., 28 de mar. de 2021 às 10:42, Pier Carlo Chiodi <<a href="mailto:pierky@pierky.com" target="_blank">pierky@pierky.com</a>> escreveu:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hello,<br><br>first, thanks to the devs for 2.0.8!<br><br>I see the option 'ignore max length' was introduced, and that it's possible to enable it at protocol configuration time.<br><br>ignore max length switch<br><br> Ignore received max length in ROA records and use max value (32 or 128) instead. This may be useful for implementing loose RPKI check for blackholes. Default: disabled.<br><br>I was wondering what other people's feelings would be about having a similar option available at validation time, more specifically as an argument of roa_check.<br><br>If my understanding is correct, being the current option available only at protocol level, it means that all the ROAs that are present inside the ROA table are used as if the maxLength attribute is not set. This means that it wouldn't be possible to configure a filter to perform a strict OV check (where the maxLength is also taken into account) using ROAs from that table.<br><br>Having that option available at roa_check time, the same table could be used to perform both strict validation and also a loose validation, for example depending on the presence of the BLACKHOLE BGP community:<br><br>(pseudo-code follows)<br><br># ... regular sanity checks done here...<br><br>if BLACKHOLE {<br> if (roa_check(ignore_max_lenght=True) = ROA_INVALID) then<br> {<br> reject;<br> }<br> accept;<br>} else {<br> if (roa_check() = ROA_INVALID) then<br> {<br> reject;<br> }<br> accept;<br>}<br><br>(Assuming ignore_max_lenght has default value == False.)<br><br>Does it make sense?<br><div><br></div><div>Thanks</div><div><br></div><div>Pier Carlo Chiodi</div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr">Douglas Fernando Fischer<br>Engº de Controle e Automação<br><div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;color:black;text-align:left;line-height:130%;font-family:"courier new",monospace"></div></div></div>