Hello,
first, thanks to the devs for 2.0.8!
I see the option 'ignore max length' was introduced, and
that it's possible to enable it at protocol configuration
time.
ignore max length switch
Ignore received max length in ROA records and use max
value (32 or 128) instead. This may be useful for
implementing loose RPKI check for blackholes. Default:
disabled.
I was wondering what other people's feelings would be about
having a similar option available at validation time, more
specifically as an argument of roa_check.
If my understanding is correct, since the current option is
available only at protocol level, it means that all the ROAs
that are present inside the ROA table are used as if the
maxLength attribute is not set. This means that it wouldn't
be possible to configure a filter to perform a strict OV
check (where the maxLength is also taken into account) using
ROAs from that table.
Having that option available at roa_check time, the same
table could be used to perform both strict validation and
also a loose validation, for example depending on the
presence of the BLACKHOLE BGP community:
(pseudo-code follows)
# ... regular sanity checks done here...
if BLACKHOLE then {
    if (roa_check(ignore_max_length=True) = ROA_INVALID)
    then
    {
        reject;
    }
    accept;
} else {
    if (roa_check() = ROA_INVALID) then
    {
        reject;
    }
    accept;
}
(Assuming ignore_max_length has default value == False.)
Does it make sense?
Thanks
Pier Carlo Chiodi
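For reference, the same strict-versus-loose split described in the message above can already be expressed with what 2.0.8 provides, by running two RPKI protocol instances that feed two separate ROA tables, one of them with 'ignore max length' enabled, and picking the table in the filter according to the BLACKHOLE community (RFC 7999, 65535:666). This is an added example written for this discussion, not configuration from the original message or from the BIRD project; the RTR cache address, the table and protocol names are placeholders, and it assumes BIRD 2 filter syntax.

```bird
# Added example (not from the original message): strict vs. loose RPKI
# origin validation with two ROA tables in BIRD 2.0.8.
# Table and protocol names and the RTR cache address are placeholders.

roa4 table roa_v4_strict;
roa6 table roa_v6_strict;
roa4 table roa_v4_loose;   # same ROAs, maxLength replaced by 32
roa6 table roa_v6_loose;   # same ROAs, maxLength replaced by 128

# Strict copy: the maxLength received in each ROA is honoured.
protocol rpki rtr_strict {
  roa4 { table roa_v4_strict; };
  roa6 { table roa_v6_strict; };
  remote "rtr.example.net" port 323;   # placeholder RTR cache address
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
}

# Loose copy: same cache, but 'ignore max length' replaces the received
# maxLength with 32/128, so more-specifics of a covered prefix validate.
protocol rpki rtr_loose {
  roa4 { table roa_v4_loose; };
  roa6 { table roa_v6_loose; };
  remote "rtr.example.net" port 323;   # placeholder RTR cache address
  retry keep 90;
  refresh keep 900;
  expire keep 172800;
  ignore max length;
}

# Import filter: loose check only for routes carrying BLACKHOLE (RFC 7999),
# strict check for everything else. ROA_INVALID is rejected in both cases;
# ROA_UNKNOWN and ROA_VALID fall through to accept.
filter rpki_ov {
  # ... regular sanity checks done here ...
  if (65535, 666) ~ bgp_community then {
    if net.type = NET_IP4 then {
      if roa_check(roa_v4_loose, net, bgp_path.last) = ROA_INVALID then reject;
    } else {
      if roa_check(roa_v6_loose, net, bgp_path.last) = ROA_INVALID then reject;
    }
  } else {
    if net.type = NET_IP4 then {
      if roa_check(roa_v4_strict, net, bgp_path.last) = ROA_INVALID then reject;
    } else {
      if roa_check(roa_v6_strict, net, bgp_path.last) = ROA_INVALID then reject;
    }
  }
  accept;
}
```

The filter is attached to a BGP session with 'import filter rpki_ov;'. The branch on net.type is needed because roa_check must be given a ROA table of the same address family as the route; the cost of this approach compared with the proposed roa_check argument is a second RTR session and a second copy of the ROA data in memory.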