ignore max length as an argument of roa_check

Douglas Fischer fischerdouglas at gmail.com
Tue Mar 30 15:04:08 CEST 2021


It does make sense! A LOT!

It is the only way I see that is possible to use RPKI as a source of
information to validate RTBH with the available information existent now.

P.S.: I even mentioned some about that on SIDROPS
https://mailarchive.ietf.org/arch/msg/sidrops/vbfKT9yduwAtTNQVBoc5KCRPkmM/

That is the same concept that is used on IRR, right?
"If is BlackHole route is contained on the Route Objects on IRR, is
acceptable..."

Em dom., 28 de mar. de 2021 às 10:42, Pier Carlo Chiodi <pierky at pierky.com>
escreveu:

> Hello,
>
> first, thanks to the devs for 2.0.8!
>
> I see the option 'ignore max length' was introduced, and that it's
> possible to enable it at protocol configuration time.
>
> ignore max length switch
>
>     Ignore received max length in ROA records and use max value (32 or
> 128) instead. This may be useful for implementing loose RPKI check for
> blackholes. Default: disabled.
>
> I was wondering what other people's feelings would be about having a
> similar option available at validation time, more specifically as an
> argument of roa_check.
>
> If my understanding is correct, being the current option available only at
> protocol level, it means that all the ROAs that are present inside the ROA
> table are used as if the maxLength attribute is not set. This means that it
> wouldn't be possible to configure a filter to perform a strict OV check
> (where the maxLength is also taken into account) using ROAs from that table.
>
> Having that option available at roa_check time, the same table could be
> used to perform both strict validation and also a loose validation, for
> example depending on the presence of the BLACKHOLE BGP community:
>
> (pseudo-code follows)
>
> # ... regular sanity checks done here...
>
> if BLACKHOLE {
>     if (roa_check(ignore_max_lenght=True) = ROA_INVALID) then
>     {
>         reject;
>     }
>     accept;
> } else {
>     if (roa_check() = ROA_INVALID) then
>     {
>         reject;
>     }
>     accept;
> }
>
> (Assuming ignore_max_lenght has default value == False.)
>
> Does it make sense?
>
> Thanks
>
> Pier Carlo Chiodi
>


-- 
Douglas Fernando Fischer
Engº de Controle e Automação
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20210330/0dd26fc1/attachment.htm>


More information about the Bird-users mailing list