This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/routing-wg@ripe.net/
[routing-wg] looking for online RPKI dashboard / looking glass?
Gert Doering
gert at space.net
Wed May 2 20:20:22 CEST 2018
Hi,

On Wed, May 02, 2018 at 06:11:23PM +0000, Job Snijders wrote:
> On Wed, May 02, 2018 at 08:07:16PM +0200, Gert Doering wrote:
> > The information I was looking for is nicely visible, though... and
> > what I was afraid I'd see... too much "N". The only "I" is something
> > I was aware but had forgotten about ;-) - a sink-a-more-specific-/24
> > test that nicely exposes the problem of "strict /22" ROAs.
>
> "problem" - just create a separate additional ROA for the /24!

I should have worded this as "the issue you run into if you create a
single ROA with a fixed length *and* then decide to announce something
else" - and indeed, since MaxLength opens room for
spoofed-source-with-more-specific hijacks, this is why we set up our
ROAs strictly.

> I recommend to make separate ROAs for everything you announce in BGP.
> The use of MaxLength is easily abused. See this Internet-Draft for more
> considerations:
>
> https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen

How would you recommend handling the case "normally I only announce a
/16, but in case one of our customers is DDoSed, I want to announce the
affected IP address as part of their /24 out of
upstream-that-does-regional-blackholing"?

If I create the /24 ROAs up front, I'm back in square one ("while I am
not announcing the /24, someone else could hijack with a faked origin
AS").

If I do not create the /24 ROAs up front, I have propagation delays
(and might not be able to reach the RIPE RPKI tool at all while the
DDoS goes on).

*scratch head*

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                  Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444     USt-IdNr.: DE813185279
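An added example, not part of the original message: a small Python implementation of RFC 6811 route origin validation that shows the trade-off discussed in this thread (strict ROA, ROA with MaxLength, and a separate ROA per announcement). The prefix 10.20.0.0/22, AS64500 and all ROA sets are constructed sample values.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route
        covered = True
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

HOLDER = 64500  # constructed: the AS that legitimately holds 10.20.0.0/22

# Constructed ROA sets for the three approaches discussed in the thread.
STRICT = [ROA("10.20.0.0/22", 22, HOLDER)]           # "strict /22" ROA
LOOSE = [ROA("10.20.0.0/22", 24, HOLDER)]            # one ROA with MaxLength 24
SPLIT = STRICT + [ROA("10.20.1.0/24", 24, HOLDER)]   # extra ROA for one /24

def scenarios():
    """Validation state of /24 announcements whose origin AS is HOLDER.

    Origin validation only sees the origin AS in the path, so the result is
    the same whether the holder or a third party forging that origin sent it.
    """
    return {
        "strict, 10.20.1.0/24": validate("10.20.1.0/24", HOLDER, STRICT),
        "loose, 10.20.1.0/24": validate("10.20.1.0/24", HOLDER, LOOSE),
        "loose, 10.20.2.0/24": validate("10.20.2.0/24", HOLDER, LOOSE),
        "split, 10.20.1.0/24": validate("10.20.1.0/24", HOLDER, SPLIT),
        "split, 10.20.2.0/24": validate("10.20.2.0/24", HOLDER, SPLIT),
    }

if __name__ == "__main__":
    for name, state in scenarios().items():
        print(f"{name}: {state}")
```

With the strict ROA the holder's own /24 test announcement is invalid; with MaxLength 24 every /24 in the block validates for anyone presenting the holder's origin AS; a separate /24 ROA limits that exposure to the one /24 it names.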