[db-wg] Route(6) objects

Hello

I have never said that I want 100% of the world to accept my ipv6 /48 prefixes.
I am sorry if I haven't been clear enough. But again I will try to explain my situation.
I am about 10% certain that ASs that filter their BGP table according to IRR info would accept the /48 prefixes that have /32 route6 object(In good conscience and bearing in mind BGP security risks I wouldn't accept these prefixes).
But I would be 90% certain that with /48 route6 object the /48 prefixes get accepted.
Do you see the difference here? 
I am talking about if some AS-s filter their bgp table according to IRR info, then how does plain /32 route6 object cover all the /48s within that /32 prefix? 
If theoretically it would be possible then I would just configure "::/0 AS1234" and that would cover everything right?
As I am trying to explain then correct records in my opinion greatly increases the odds of my prefix being accepted world wide.

Maybe they can, maybe they can't advertise /33, /34 etc...
I would like the provider to hijack most specific prefix in order to avoid the unnecessary redirection of other customers traffic that fit into that /33 or /34 etc.

But no need to further discuss this subject. I will just use /32 route6 object for all the /48 that fit that /32.




Lugupidamisega / Best regards, 

Kaupo Ehtnurm 


Network & System administrator 
WaveCom AS 
ISO 9001 & 27001 Certified DC and verified VMware Cloud 
kaupo at wavecom.ee | +372 5685 0002 
Endla 16, Tallinn 10142 Estonia | [ http://www.wavecom.ee/ | www.wavecom.ee ]

----- Original Message -----
From: "Cynthia Revström" <me at cynthia.re>
To: "Kaupo Ehtnurm" <kaupo at wavecom.ee>
Cc: "DB-WG" <db-wg at ripe.net>
Sent: Monday, July 10, 2023 3:36:42 PM
Subject: Re: [db-wg] Route(6) objects

Look, you can never be certain that 100% of networks are going to
accept your prefixes but for DDoS that shouldn't matter as others have
pointed out.
What I can say is please don't create 65536 route6 objects or
otherwise I feel like we are going to have to start discussion about a
policy to prevent people doing that.

Also why do you need them to be advertised as /48s?
If you just need them to be more specific than a /32 couldn't you just
do /33s, /34s, /35s, /36s, or something like that?

-Cynthia

On Mon, Jul 10, 2023 at 2:13 PM Kaupo Ehtnurm via db-wg <db-wg at ripe.net> wrote:
>
> Hello
>
> Thank you very much for the explanation.
> But I think we have steered away a little bit from my original question.
>
> As I can conclude from all the answers earlier, then still my only option if I want my ip transit provider to be able to advertise some /48 within my /32 at random times and for random durations is using /32 as route6 object and hope that everyone in the internet filters "2001:1234::/32 le 48 permit" or "2001:1234::/32 eq 48 permit" instead of "2001:1234::/32 permit"?
> Or actually make the 65536 route6 objects (for each of the /48 that fits into that /32)?
> Or is there a third possibility instead hoping that AS-s from all over the internet are familiar with this kind of issue and allow /48 prefixes into their routers instead of exact /32 prefix (although the route6 object states that our provider should advertise only /32) or making unnecessary amount(65536 objects for 1x/32) of route6 objects?
>
> I ultimatelly want my ip transit provider to be able to advertise different /48 prefixes at random times for random durations. And want it to pass IRR filtering also, not just rpki filtering in different ASs across the globe.
>
>
> Lugupidamisega / Best regards,
>
> Kaupo Ehtnurm
>
>
> Network & System administrator
> WaveCom AS
> ISO 9001 & 27001 Certified DC and verified VMware Cloud
> kaupo at wavecom.ee | +372 5685 0002
> Endla 16, Tallinn 10142 Estonia | [ http://www.wavecom.ee/ | www.wavecom.ee ]
>
> ----- Original Message -----
> From: "Job Snijders" <job at sobornost.net>
> To: "Kaupo Ehtnurm" <kaupo at wavecom.ee>
> Cc: "Nick Hilliard" <nick at foobar.org>, "Kaupo Ehtnurm via db-wg" <db-wg at ripe.net>
> Sent: Monday, July 10, 2023 2:18:57 PM
> Subject: Re: [db-wg] Route(6) objects
>
> Dear Kaupo, others,
>
> (Speaking as individual working group contributor.)
>
> On Mon, Jul 10, 2023 at 10:06:30AM +0300, Kaupo Ehtnurm via db-wg wrote:
> > Since route6 object is a must and ROA is a should and they ultimately
> > fill the same purpose, than why isn't there a "max length" in route6
> > object?
>
> That's a good question!
>
> The specification of IRR 'route6:' objects pre-dates the specification
> of RPKI ROAs by a number of years. One explanation might be that the
> designers of RPSL-NG simply didn't think of it.
>
> Another aspect is that RPKI ROAs are used as an input into the RFC 6811
> Origin Validation procedure (which yields invalid/valid/not-found as
> outcomes), but no such algorithm existed when RPSL-NG route/route6
> objects were defined. I can see how RPKI ROAs and RPSL-NG route/route6
> objects look kind of similar from a high level, but the devil is in the
> details: they do fulfill slightly different purposes.
>
> It's important to note that in recent years new insights arose how to
> make the best use of RPKI ROAs: last year's BCP 185 / RFC 9319
> recommends to avoid using the maxLength attribute in RPKI ROAs.
>
> Porting 'maxLength' functionality to RPSL-NG route/route6 objects would
> represent a significant community effort: people would need to write an
> Internet-Draft to specify what the field really means, and lots of
> software toolchains would need updating. Given that maxLength in RPKI
> ROAs was not universially perceived as a good idea, I'm not very
> optimistic that porting such functionality to the 'legacy' IRR system is
> worth the effort.
>
> Kind regards,
>
> Job
>
> --
>
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/