It's good to know details of ARIN's HSM, so thanks for providing that information, Mark. But with respect to what motivated the original question:

"... the max length field [...] is now considered harmful"

That refers to this internet-draft: https://tools.ietf.org/html/draft-ietf-sidrops-rpkimaxlen-00

The issue related to 3rd-party DDoS scrubbing services that Andrew mentioned is discussed in the draft. It's also worth noting that pre-publishing many ROAs for not-normally-announced prefixes in the way Andrew was asking about creates the same exposure as would be caused by [mis]using max length.

Thanks.

Jay B.

On 23-Aug-2018, Andrew Gallo writes:
> This is helpful.
>
> Thank you.
>
> On 8/22/2018 9:28 PM, Mark Kosters wrote:
> > Hi Andrew
> >
> > Here are some general numbers. It is quite complicated given it has multiple layers of complexity with our programmable HSM (size of the digits at each octet/nibble, v4/v6 addresses, inclusion of max length, CMS wrapping, etc.) that factor into the size of a maximum signing request that the HSM will allow. We ran some empirical tests like you to come up with some numbers. Here they are, and note that they are not dependent on the size of the digits:
> >
> > ROA request with 2K v4 prefixes without max length per prefix (just barely made the cut).
> > ROA request with 1K v6 prefixes with max length per prefix (had some room to spare).
> >
> > Thanks,
> > Mark
> >
> > On 8/20/18, 5:36 PM, "Mark Kosters" <[email protected]> wrote:
> >
> >> Hi Andrew
> >>
> >> There is a limit and it is based on the interface with our HSM. We are trying to figure out #'s and will have an answer for you soon.
> >>
> >> Thanks,
> >> Mark
> >>
> >> On 8/17/18, 4:49 PM, "arin-tech-discuss on behalf of Andrew Gallo" <[email protected] on behalf of [email protected]> wrote:
> >>
> >> Greetings:
> >>
> >> A discussion has come up in the R&E community about the maximum number of prefixes one can include in a ROA request in the hosted environment.
> >>
> >> Using the feature of pasting in a manually signed ROA, I've been able to request about 4k prefixes in a single ROA. Seeing that work, I got greedy and requested 65k. That didn't work. (This was all done in the OT&E.)
> >>
> >> Is there a limit to the number of prefixes that can be included in a ROA request? I can't find anything in an RFC that specifies a max number; if that's the case, is there a practical number?
> >>
> >> Here's the background of the query:
> >>
> >> Let's say you have a large summary prefix, say a /16. You've subscribed to a DDoS scrubbing service that can, on demand, originate any arbitrary /24 of your space under a different ASN. You would need to create a ROA that covers the /24s for the DDoS mitigation ASN. In this case, that's 256 prefixes, so that's manageable. How about individual /64s out of a /44, or much worse, a /32?
> >>
> >> I imagine this was exactly the concept behind the max length field that is now considered harmful.
> >>
> >> It's an interesting discussion for the operational community, but the immediate question is, what is the capacity of ARIN's hosted service?
> >>
> >> Thank you.
> >> _______________________________________________
> >> arin-tech-discuss mailing list
> >> [email protected]
> >> https://lists.arin.net/mailman/listinfo/arin-tech-discuss
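As an added illustration (not part of the thread, and not ARIN's or any RP software's code), the following Python models RFC 6811 route origin validation over constructed ROAs and counts how many /24s out of a /16 validate as "valid" from the scrubbing ASN under the two approaches Jay compares: a single /16 ROA with maxLength 24, and 256 pre-published /24 ROAs. The prefix 10.0.0.0/16 and ASNs 64496/64497 are constructed placeholders, not anyone's real allocation.

```python
import ipaddress

# Constructed data, not ARIN's: AS64496 is the prefix holder, AS64497 the
# hypothetical DDoS scrubbing service (both from the RFC 5398 documentation range).
HOLDER_AS, SCRUBBER_AS = 64496, 64497
SUMMARY = ipaddress.ip_network("10.0.0.0/16")   # stands in for the /16 in the thread


def validate(roas, route, origin_as):
    """RFC 6811 route origin validation.

    roas: iterable of (prefix, maxLength, origin ASN).
    Returns 'not_found' if no ROA covers the route, 'valid' if at least one
    covering ROA also matches (length <= maxLength and same ASN), else 'invalid'.
    """
    route = ipaddress.ip_network(route)
    covering = [(p, m, a) for (p, m, a) in roas
                if p.version == route.version and route.subnet_of(p)]
    if not covering:
        return "not_found"
    matched = any(route.prefixlen <= m and a == origin_as for (_, m, a) in covering)
    return "valid" if matched else "invalid"


def roa_set(style):
    """Three ways of authorizing the scrubber, as discussed in the thread."""
    roas = [(SUMMARY, 16, HOLDER_AS)]            # holder announces only the /16
    if style == "maxlen":                        # one ROA: /16 with maxLength 24
        roas.append((SUMMARY, 24, SCRUBBER_AS))
    elif style == "explicit":                    # 256 pre-published /24 ROAs
        roas += [(sub, 24, SCRUBBER_AS) for sub in SUMMARY.subnets(new_prefix=24)]
    return roas                                  # "minimal": holder's /16 only


def exposure(style):
    """Number of /24s that ROV would accept as 'valid' with the scrubber ASN as
    origin, i.e. how many more-specifics become ROV-valid whether or not the
    scrubber is actually announcing them."""
    roas = roa_set(style)
    return sum(validate(roas, str(sub), SCRUBBER_AS) == "valid"
               for sub in SUMMARY.subnets(new_prefix=24))


if __name__ == "__main__":
    for style in ("minimal", "maxlen", "explicit"):
        print(f"{style:9s} -> {exposure(style):3d} ROV-valid /24s for AS{SCRUBBER_AS}")
```

Both the maxLength ROA and the 256 explicit ROAs make every /24 ROV-valid from the scrubber ASN, which is the identical exposure Jay points out; only the minimal set keeps not-yet-announced /24s from validating.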
