nanog mailing list archives
Re: maximum ipv4 bgp prefix length of /24 ?
From: Willy Manga <mangawilly () gmail com>
Date: Wed, 11 Oct 2023 09:44:46 +0400
> On 11/10/2023 03:52, Delong.com wrote:
> On Oct 10, 2023, at 13:36, Matthew Petach <mpetach () netflight com> wrote:
> [...]
>> Owen, RPKI only addresses accidental hijackings. It does not help prevent intentional hijackings.
>
> OK, but at least they can help limit the extent of required desegregation in combat unless I misunderstand the whole MAXPREFIXLEN option.

Actually, RFC 9319 does recommend to "avoid using the maxLength attribute in ROAs except in some specific cases". But I recognise that this RFC is not yet implemented everywhere.

>> RPKI only asserts that a specific ASN must originate a prefix. It does nothing to validate the authenticity of the origination.
>
> Nope… It ALSO asserts (or can assert) an attribute of “Maximum allowed prefix length”. E.g. if I have a ROA for AS65500 to originate 2001:db8::/32 with a “Maximum Length” attribute of /36, then any advertisement (even originated by 65500) that is longer than /36 should be considered invalid.

Yes, but in that scenario any advertisements between /32 and /36 from that prefix originated by AS65500 are *valid*. That's why "ROAs should be as precise as possible, meaning they should match prefixes as announced in BGP" [1]
1. https://rpki.readthedocs.io/en/latest/rpki/securing-bgp.html#maximum-prefix-length
-- Willy Manga @ongolaboy https://ongola.blogspot.com/
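
Added example, not part of the original message: RFC 6811-style route origin validation applied to the ROA discussed above, once with maxLength /36 and once with no maxLength, to show which announcements each form accepts as valid. The `ROA` tuple, the `validate` and `compare` functions and the sample announcements are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class ROA(NamedTuple):
    prefix: str
    asn: int
    max_length: Optional[int] = None  # absent maxLength means "exactly the prefix length"

def validate(route_prefix: str, origin_asn: int, roas: list) -> str:
    """Return the RFC 6811 state of a route: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route only if the route is inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        max_len = roa.max_length if roa.max_length is not None else roa_net.prefixlen
        if roa.asn == origin_asn and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"

# Constructed ROA sets: the one from the thread, and a "precise" one without maxLength.
LOOSE = [ROA("2001:db8::/32", 65500, 36)]
PRECISE = [ROA("2001:db8::/32", 65500)]

# Constructed announcements as (prefix, origin AS).
ANNOUNCEMENTS = [
    ("2001:db8::/32", 65500),       # the aggregate itself
    ("2001:db8:4000::/34", 65500),  # more-specific within maxLength
    ("2001:db8:f000::/36", 65500),  # more-specific exactly at maxLength
    ("2001:db8:f100::/40", 65500),  # longer than maxLength
    ("2001:db8::/32", 65501),       # right prefix, different origin AS
    ("3fff:1::/32", 65500),         # no covering ROA at all
]

def compare():
    """Validation state of each announcement under the loose and the precise ROA."""
    return [(p, a, validate(p, a, LOOSE), validate(p, a, PRECISE))
            for p, a in ANNOUNCEMENTS]

if __name__ == "__main__":
    for prefix, asn, loose, precise in compare():
        print(f"{prefix:<20} AS{asn}  maxLength=36: {loose:<9}  no maxLength: {precise}")
```

The /34 and /36 rows are the ones that change: they validate only because of the maxLength attribute, whether or not the holder ever announces them.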