This is helpful.
Thank you.
On 8/22/2018 9:28 PM, Mark Kosters wrote:
Hi Andrew
Here are some general numbers. It is quite complicated given it has
multiple layers of complexity with our programmable HSM (size of the
digits at each octet/nibble, v4/v6 addresses, inclusion of max length, cms
wrapping, etc) that factor in to the size of a maximum signing request
that the HSM will allow. We ran some empirical tests like you to come up
with some numbers. Here they are and note that are not dependent on the
size of the digits:
ROA request with 2K v4 prefixes without max length per prefix (just barely
made the cut).
ROA request with 1K v6 prefixes with max length per prefix (had some room
to spare).
Thanks,
Mark
On 8/20/18, 5:36 PM, "Mark Kosters" <[email protected]> wrote:
Hi Andrew
There is a limit and it based on the interface with our HSM. We are
trying to figure out #'s and will have an answer for you soon.
Thanks,
Mark
On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo"
<[email protected] on behalf of [email protected]> wrote:
Greetings:
A discussion has come up in the R&E community about the maximum
number
of prefixes one can include in a ROA request in the hosted
environment.
Using the feature of pasting in a manually signed ROA, I've been able
to
request about 4k prefixes in a single ROA. Seeing that work, I got
greedy and request 65k. That didn't work. (this was all done in the
OT&E)
Is there a limit to the number of prefixes that can be included in a
ROA
request? I can't find anything in an RFC that specifies a max
number;
if that's the case, is there a practical number?
Here's the background of the query-
Let's say you have a large summary prefix, say a /16. You've
subscribed
to a DDoS scrubbing service that can, on demand, originate any
arbitrary
/24 of your space under a different ASN. You would need to create a
ROA
that covers the /24s for the DDoS mitigation ASN. In this case,
that's
256 prefixes, so that's manageable. How about individual /64s out of
a
/44, or much worse, a /32.
I imagine this was exactly the concept behind the max length field
that
is now considered harmful.
It's an interesting discussion for the operational community, but the
immediate question is, what is the capacity of ARIN's hosted service?
Thank you.
_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
_______________________________________________
arin-tech-discuss mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-tech-discuss
