<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
We use this option in production environment (2.0.7 with patches) ,
started in 2020.<br>
<br>
Some side effects: Doubled number of tcp sessions with validator,
doubled number of roa tables (per each BIRD instanse).<br>
<br>
Wbr, Milkhail, <br>
MSK-IX<br>
<br>
<div class="moz-cite-prefix">Douglas Fischer пишет 30.03.2021 16:04:<br>
</div>
<blockquote
cite="mid:CAKEr4RTgHprUDyV9bc_2_Yf=4puw0t+deSp3ddMVbO9swsj5+A@mail.gmail.com"
type="cite">
<div dir="ltr">It does make sense! A LOT!<br>
<br>
It is the only way I see that is possible to use RPKI as a
source of information to validate RTBH with the available
information existent now.
<div><br>
</div>
<div>P.S.: I even mentioned some about that on SIDROPS <br>
<a moz-do-not-send="true"
href="https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/">https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/</a><br>
<br>
That is the same concept that is used on IRR, right?<br>
"If is BlackHole route is contained on the Route Objects on
IRR, is acceptable..."<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Em dom., 28 de mar. de 2021 às
10:42, Pier Carlo Chiodi <<a moz-do-not-send="true"
href="mailto:pierky@pierky.com" target="_blank">pierky@pierky.com</a>>
escreveu:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hello,<br>
<br>
first, thanks to the devs for 2.0.8!<br>
<br>
I see the option 'ignore max length' was introduced, and
that it's possible to enable it at protocol configuration
time.<br>
<br>
ignore max length switch<br>
<br>
Ignore received max length in ROA records and use max
value (32 or 128) instead. This may be useful for
implementing loose RPKI check for blackholes. Default:
disabled.<br>
<br>
I was wondering what other people's feelings would be about
having a similar option available at validation time, more
specifically as an argument of roa_check.<br>
<br>
If my understanding is correct, being the current option
available only at protocol level, it means that all the ROAs
that are present inside the ROA table are used as if the
maxLength attribute is not set. This means that it wouldn't
be possible to configure a filter to perform a strict OV
check (where the maxLength is also taken into account) using
ROAs from that table.<br>
<br>
Having that option available at roa_check time, the same
table could be used to perform both strict validation and
also a loose validation, for example depending on the
presence of the BLACKHOLE BGP community:<br>
<br>
(pseudo-code follows)<br>
<br>
# ... regular sanity checks done here...<br>
<br>
if BLACKHOLE {<br>
if (roa_check(ignore_max_lenght=True) = ROA_INVALID)
then<br>
{<br>
reject;<br>
}<br>
accept;<br>
} else {<br>
if (roa_check() = ROA_INVALID) then<br>
{<br>
reject;<br>
}<br>
accept;<br>
}<br>
<br>
(Assuming ignore_max_lenght has default value == False.)<br>
<br>
Does it make sense?<br>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Pier Carlo Chiodi</div>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div dir="ltr">Douglas Fernando Fischer<br>
Engº de Controle e Automação<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>