Hi Andrew Here are some general numbers. It is quite complicated given it has multiple layers of complexity with our programmable HSM (size of the digits at each octet/nibble, v4/v6 addresses, inclusion of max length, cms wrapping, etc) that factor in to the size of a maximum signing request that the HSM will allow. We ran some empirical tests like you to come up with some numbers. Here they are and note that are not dependent on the size of the digits:
ROA request with 2K v4 prefixes without max length per prefix (just barely made the cut). ROA request with 1K v6 prefixes with max length per prefix (had some room to spare). Thanks, Mark On 8/20/18, 5:36 PM, "Mark Kosters" <[email protected]> wrote: >Hi Andrew > >There is a limit and it based on the interface with our HSM. We are >trying to figure out #'s and will have an answer for you soon. > >Thanks, >Mark > >On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo" ><[email protected] on behalf of [email protected]> wrote: > > Greetings: > > A discussion has come up in the R&E community about the maximum >number > of prefixes one can include in a ROA request in the hosted >environment. > Using the feature of pasting in a manually signed ROA, I've been able >to > request about 4k prefixes in a single ROA. Seeing that work, I got > greedy and request 65k. That didn't work. (this was all done in the >OT&E) > > Is there a limit to the number of prefixes that can be included in a >ROA > request? I can't find anything in an RFC that specifies a max >number; > if that's the case, is there a practical number? > > > Here's the background of the query- > > Let's say you have a large summary prefix, say a /16. You've >subscribed > to a DDoS scrubbing service that can, on demand, originate any >arbitrary > /24 of your space under a different ASN. You would need to create a >ROA > that covers the /24s for the DDoS mitigation ASN. In this case, >that's > 256 prefixes, so that's manageable. How about individual /64s out of >a > /44, or much worse, a /32. > > I imagine this was exactly the concept behind the max length field >that > is now considered harmful. > > It's an interesting discussion for the operational community, but the > immediate question is, what is the capacity of ARIN's hosted service? > > > Thank you. > _______________________________________________ > arin-tech-discuss mailing list > [email protected] > https://lists.arin.net/mailman/listinfo/arin-tech-discuss > > _______________________________________________ arin-tech-discuss mailing list [email protected] https://lists.arin.net/mailman/listinfo/arin-tech-discuss
