In the ARIN web UI, it looks like a ROA can have multiple prefixes. For an end network such as myself (Wiktel hat on), what is the best practice... one ROA per prefix, or list multiple prefixes in the same ROA?

With my MICE hat on, should MICE publish a ROA for the peering network space? The theoretical advantage would be some amount of hijacking protection. Though since it's not supposed to be announced, it probably doesn't matter much either way?

As far as I can see, there's no explicit way to say "do not announce" in a ROA. But listing something with an origin AS of "0" seems to be a thing that is done for at least one deliberately invalid ROA (CloudFlare's 103.21.244.0/23). So, if I were to create a ROA for MICE, would that be an Origin AS of 53679 or 0?

-- 
Richard
RFC6482 doesn't explicitly specify whether to have one ROA per prefix or vice versa. In a delegated setup, Krill aggregates ROAs whenever possible, so it's left up to your preference. https://console.rpki.co/rpki.co/repo/AS945/1/AS50058.roa.html

When it comes to MICE, it's recommended to publish a ROA covering the peering LAN. This not only secures against prefix hijacking but also prevents any accidental leaking, which has happened to NL-IX for example.

Per RFC6907, an AS 0 ROA serves as an attestation by a prefix holder that the prefix described in the ROA, along with any more specific prefixes, should not be used in a routing context. AS0 is better in that one can simply prepend AS53679 to deliberately hijack the prefix, which could be prevented by ASPA but that's another story, and a BGP speaker MUST NOT originate or propagate a route with an AS number of zero (RFC7606).
From: nlixannounce@simplelists.com <nlixannounce@simplelists.com> on behalf of NL-ix Support <support@nl-ix.net> Sent: Tuesday, February 22, 2022, 3:48 AM To: Support-NLix <support@nl-ix.net> Subject: [NL-ix Announce] Recent incidents in peering VLAN
Dear members,
We have recently experienced some unfortunate events on our peering VLAN due to the announcement of a more-specific prefix that is part of our /22 subnet. One of our members accidentally announced 193.239.117.0/24 to one of their upstreams, propagating this prefix to the rest of the internet. Although one would expect this prefix to be dropped early on due to IRR validation failing, it was instead widely propagated.
On 2023-06-14 2:14 a.m., Richard Laager wrote:
In the ARIN web UI, it looks like a ROA can have multiple prefixes. For an end network such as myself (Wiktel hat on), what is the best practice... one ROA per prefix, or list multiple prefixes in the same ROA?
With my MICE hat on, should MICE publish a ROA for the peering network space? The theoretical advantage would be some amount of hijacking protection. Though since it's not supposed to be announced, it probably doesn't matter much either way?
As far as I can see, there's no explicit way to say "do not announce" in a ROA. But listing something with an origin AS of "0" seems to be a thing that is done for at least one deliberately invalid ROA (CloudFlare's 103.21.244.0/23). So, if I were to create a ROA for MICE, would that be an Origin AS of 53679 or 0?
-- 
Best regards
August Yang
On Wed, Jun 14, 2023 at 01:14 Richard Laager <rlaager@wiktel.com> wrote:
As far as I can see, there's no explicit way to say "do not announce" in a ROA. But listing something with an origin AS of "0" seems to be a thing that is done for at least one deliberately invalid ROA (CloudFlare's 103.21.244.0/23). So, if I were to create a ROA for MICE, would that be an Origin AS of 53679 or 0?
An AS 0 ROA is an explicit statement that a prefix is not to be routed, see section 4 of RFC 6483; https://datatracker.ietf.org/doc/html/rfc6483#section-4

To the question, should we issue an AS 0 ROA for the MICE prefix? Well, there isn't a strong consensus on that within the IX community. See the following APNIC Blog post; https://blog.apnic.net/2023/03/24/rpki-roa-for-ip-resources-in-the-ix-segmen...

So I think we should hold off publishing one just yet, but I suspect we will eventually want to publish an AS 0 ROA for the MICE prefix.

Thanks
-- 
===============================================
David Farmer               Email: farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029       Cell: 612-812-9952
===============================================
On 2023-06-14 02:46, David Farmer wrote:
I think we should hold off publishing one just yet
Do you have a particular reason for thinking we should hold off? Is there something you're worried about breaking?

While I take your point that not everyone is doing it, that APNIC blog post definitely shows that some places /are/ doing it.

-- 
Richard
On Wed, Jun 14, 2023 at 15:01 Richard Laager <rlaager@wiktel.com> wrote:
On 2023-06-14 02:46, David Farmer wrote:
I think we should hold off publishing one just yet
Do you have a particular reason for thinking we should hold off? Is there something you're worried about breaking?
While I take your point that not everyone is doing it, that APNIC blog post definitely shows that some places *are* doing it.
I think I'm just being cautious. I'd feel much better with a published BCP recommending how IXes should publish ROAs or at least a discussion of the pros and cons.

I'll note a conflict between what the APNIC Blog and RFC 6483 say about the proper maxlength for an AS 0 ROA. It's nagging little details like that that make me want to be cautious. I think if you publish a ROA with the assigned ASN then you want the maxlength to be the assigned length, but for an AS 0 ROA you want a maxlength of 32 for IPv4 and 128 for IPv6 like RFC 6483 says. However, the idea that some IXes publish both an AS 0 and one for the assigned ASN, makes me wonder, and want to be even more curious.

Thanks

-- 
===============================================
David Farmer               Email: farmer@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029       Cell: 612-812-9952
===============================================
I intend to publish the following ROAs on MICE's behalf to indicate that the peering LAN is not to appear in the Internet routing table:

On Monday (June 19) around 10:00 AM:
  2001:504:27::/48 AS0 maxLength 128

On Wednesday (June 21) around 10:00 AM:
  206.108.255.0/24 AS0 maxLength 32

The reason for the maxLength is: "By convention, an AS 0 ROA should have a maxLength value of 32 for IPv4 addresses and a maxlength value of 128 for IPv6 addresses" -- RFC 6483, section 4.

This should only be an issue for someone if they are advertising the MICE peering subnet in their iBGP (which we discourage) and are doing RPKI validation of that iBGP (which seems unlikely). If you think this will be a problem for you, let me know.

-- 
Richard
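As an added illustration (example code written for this page, not anything from the thread or from MICE), the following runs RFC 6811 route origin validation against the two AS0 ROAs announced above and, for contrast, against a hypothetical ROA for the assigned ASN 53679 that MICE did not publish. It shows why an AS0 ROA makes every announcement of the peering LAN or a more specific Invalid no matter who originates it, whereas an assigned-ASN ROA would validate an announcement that merely ends in AS53679 (August's point); the AS 64496 origin is a documentation ASN constructed here to stand in for a leaking member.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # prefix as published in the ROA
    max_length: int   # maxLength
    origin_as: int    # 0 means "do not route" (RFC 6483, section 4)


# The two ROAs announced for the MICE peering LAN in the thread above.
MICE_ROAS = [
    Roa("2001:504:27::/48", 128, 0),
    Roa("206.108.255.0/24", 32, 0),
]

# Hypothetical alternative (not published by MICE): a ROA for the assigned ASN.
ASSIGNED_ASN_ROAS = [Roa("206.108.255.0/24", 24, 53679)]


def covers(roa, net):
    """True when the announced prefix is equal to or more specific than the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix, origin_as, roas=MICE_ROAS):
    """RFC 6811 route origin validation: returns Valid, Invalid or NotFound."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if covers(r, net)]
    if not covering:
        return "NotFound"           # no ROA says anything about this space
    if origin_as == 0:
        return "Invalid"            # AS 0 is never a legitimate origin (RFC 7607)
    for r in covering:
        # A match needs the same origin AS and a prefix length within maxLength.
        # An AS 0 ROA can never match a real origin, so it only ever yields Invalid.
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    # Constructed announcements; 64496 is a documentation ASN standing in for a leaker.
    for pfx, asn, roas in [("206.108.255.0/24", 53679, MICE_ROAS),
                           ("206.108.255.128/25", 64496, MICE_ROAS),
                           ("2001:504:27::/48", 53679, MICE_ROAS),
                           ("206.108.255.0/24", 53679, ASSIGNED_ASN_ROAS)]:
        print(pfx, asn, validate(pfx, asn, roas))
```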
On 6/14/23 01:14, Richard Laager wrote:
In the ARIN web UI, it looks like a ROA can have multiple prefixes. For an end network such as myself (Wiktel hat on), what is the best practice... one ROA per prefix, or list multiple prefixes in the same ROA?
As August noted it's an exercise of the user. One note on this - you may not MODIFY an ROA (from what I can tell), so if you publish a single ROA with multiple prefixes and need to change something, you have to delete and recreate the entire thing. We've been doing 1:1 ROA:Prefix for this reason (for now, and we're not fully covered).

Related to this, is there intent to join the IXP section of MANRS once we're in good shape with some of this IRR filtering? I believe that would be the final 'Action' (action 1).

https://www.manrs.org/ixps/actions/
https://www.manrs.org/ixps/participants/

-- 
Chris Wopat
Network Engineer, WiscNet
wopat@wiscnet.net
608-210-3965