ignore max length as an argument of roa_check
Pier Carlo Chiodi
pierky at pierky.com
Sun Mar 28 15:41:09 CEST 2021
Hello,
first, thanks to the devs for 2.0.8!
I see the option 'ignore max length' was introduced, and that it's possible
to enable it at protocol configuration time.
ignore max length switch
Ignore received max length in ROA records and use max value (32 or 128)
instead. This may be useful for implementing loose RPKI check for
blackholes. Default: disabled.
I was wondering what other people's feelings would be about having a
similar option available at validation time, more specifically as an
argument of roa_check.
If my understanding is correct, being the current option available only at
protocol level, it means that all the ROAs that are present inside the ROA
table are used as if the maxLength attribute is not set. This means that it
wouldn't be possible to configure a filter to perform a strict OV check
(where the maxLength is also taken into account) using ROAs from that table.
Having that option available at roa_check time, the same table could be
used to perform both strict validation and also a loose validation, for
example depending on the presence of the BLACKHOLE BGP community:
(pseudo-code follows)
# ... regular sanity checks done here...
if BLACKHOLE {
if (roa_check(ignore_max_lenght=True) = ROA_INVALID) then
{
reject;
}
accept;
} else {
if (roa_check() = ROA_INVALID) then
{
reject;
}
accept;
}
(Assuming ignore_max_lenght has default value == False.)
Does it make sense?
Thanks
Pier Carlo Chiodi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20210328/60e4c638/attachment.htm>
More information about the Bird-users
mailing list